forked from extern/shorewall_code
Bring trunk up to date with 4.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7483 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e0b9bc5ed2
commit
2246e54d28
@ -1 +1 @@
|
||||
This is the Shorewall-common Development 4.0 branch of SVN.
|
||||
This is the Shorewall-common Stable 4.0 branch of SVN.
|
||||
|
@ -1,3 +1,33 @@
|
||||
Changes in 4.0.5
|
||||
|
||||
1) Delete 'detectnets' from Shorewall-perl
|
||||
|
||||
2) Use get_config() for processing secondary shorewall.conf
|
||||
|
||||
3) Add 'broadcast' and 'destonly' options to hosts file.
|
||||
|
||||
4) Allow "$FW::<port>" in the DEST column of a redirect rule"
|
||||
|
||||
5) Add MULTICAST option in shorewall.conf.
|
||||
|
||||
6) Allow port range for server port in NAT rules.
|
||||
|
||||
7) Validate server IP address and port(-range) in NAT rules.
|
||||
|
||||
8) Allow server port(s) to be specified as service names.
|
||||
|
||||
9) Split large DEST PORT(S) lists.
|
||||
|
||||
10) Fix TCP/UDP in rules file.
|
||||
|
||||
10) Add new semantics to 'debug' with Shorewall-perl
|
||||
|
||||
11) Satisfy the distros.
|
||||
|
||||
12) Change module versions to V-strings.
|
||||
|
||||
13) Fix ipsets.
|
||||
|
||||
Changes in 4.0.4
|
||||
|
||||
1) Fix 'refresh' with light-weight shells.
|
||||
@ -37,6 +67,10 @@ Changes in 4.0.4
|
||||
|
||||
18) Fix off-by-one bug in Tc.pm
|
||||
|
||||
19) Correct problems found in pre-testing.
|
||||
|
||||
20) Fix REDIRECT with Macros.
|
||||
|
||||
Changes in 4.0.3
|
||||
|
||||
1) Streamline the checking for builtin chains in the accounting file.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.0.4
|
||||
VERSION=4.0.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -477,9 +477,9 @@ usage() {
|
||||
# E X E C U T I O N B E G I N S H E R E
|
||||
#
|
||||
#
|
||||
# Start trace if first arg is "debug"
|
||||
# Start trace if first arg is "debug" or "trace"
|
||||
#
|
||||
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
|
||||
[ $# -gt 1 ] && [ "x$1" = xdebug -o "$x$1" = xtrace ] && { set -x ; shift ; }
|
||||
|
||||
NOLOCK=
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.0.4
|
||||
VERSION=4.0.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -306,6 +306,7 @@ save_config() {
|
||||
echo "__EOF__" >> $f
|
||||
echo >> $f
|
||||
echo "ipset -U :all: :all:" >> $f
|
||||
echo "ipset -U :all: :default:" >> $f
|
||||
echo "ipset -F" >> $f
|
||||
echo "ipset -X" >> $f
|
||||
echo "ipset -R << __EOF__" >> $f
|
||||
|
@ -1,7 +1,4 @@
|
||||
Shorewall 4.0 Patch release 4
|
||||
|
||||
WARNING: Suppport for the 'detectnets' option will be removed from
|
||||
Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below.
|
||||
Shorewall 4.0 Patch release 5
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
R E L E A S E 4 . 0 H I G H L I G H T S
|
||||
@ -29,142 +26,198 @@ Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below.
|
||||
Shorewall-perl compiler. This support utilizes the reduced-function
|
||||
physdev match support available in Linux kernel 2.6.20 and later.
|
||||
|
||||
Problems Corrected in Shorewall 4.0.4
|
||||
Problems corrected in Shorewall 4.0.5.
|
||||
|
||||
1) If no interface had the 'blacklist' option, then when using
|
||||
Shorewall-perl, the 'start' and 'restart' command fail:
|
||||
1) Previously, Shorewall-perl misprocessed $FW::<port> in the DEST
|
||||
column of a REDIRECT rule, generating an error. '$FW::<port>' now
|
||||
produces the same effect as '<port>'.
|
||||
|
||||
ERROR: No filter chain found with name blacklst
|
||||
2) If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE
|
||||
PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected
|
||||
the entry with the error:
|
||||
|
||||
New Shorewall-perl 4.0.3 packages were released that corrected this
|
||||
problem; it is included here for completeness.
|
||||
ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules
|
||||
|
||||
2) If no interface had the 'blacklist' option, then when using
|
||||
Shorewall-perl, the generated script would issue this harmless
|
||||
message during 'shorewall refresh':
|
||||
The rule was accepted if 'tcp' or 'udp' was used instead.
|
||||
|
||||
chainlist_reload: Not found
|
||||
3) Shorewall-shell now removes any default bindings of ipsets before
|
||||
attempting to reload them. Previously, default bindings were not
|
||||
removed with the result that the ipsets could not be destroyed.
|
||||
|
||||
3) If /bin/sh was a light-weight shell such as ash or dash, then
|
||||
'shorewall refresh' failed.
|
||||
Other changes in Shorewall 4.0.5.
|
||||
|
||||
4) During start/restart, the script generated by Shorewall-perl is
|
||||
clearing the proxy_arp flag on all interfaces; that is not the
|
||||
documented behavior.
|
||||
1) Two new options have been added to /etc/shorewall/hosts
|
||||
(Shorewall-perl only).
|
||||
|
||||
5) If the module-init-tools package was not installed and
|
||||
/etc/shorewall/modules did not exist or was non-empty, then
|
||||
Shorewall-perl would fail with the message:
|
||||
broadcast: Permits limited broadcast (destination 255.255.255.255)
|
||||
to the zone.
|
||||
|
||||
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
|
||||
|
||||
6) Shorewall-perl now makes a compile-time check to insure that
|
||||
iptables-restore exists and is executable. This check is made when
|
||||
the compiler is being run by root and the -e option is not
|
||||
given.
|
||||
|
||||
Note that iptables-restore must reside in the same directory as the
|
||||
iptables executable specified by IPTABLES in shorewall.conf or
|
||||
located by the PATH in the event that IPTABLES is not specified.
|
||||
|
||||
7) When using Shorewall-perl, if an action was invoked with more than
|
||||
10 different combinations of log-levels/tags, some of those
|
||||
invocations with have incorrect logging.
|
||||
|
||||
8) Previously, when 'shorewall restore' was executed, the
|
||||
iptables-restore utility was always located using the PATH setting
|
||||
rather than the IPTABLES setting.
|
||||
|
||||
With Shorewall-perl, the IPTABLES setting is now used to locate
|
||||
this utility during 'restore' as it is during the processing of
|
||||
other commands.
|
||||
|
||||
9) Although the shorewall.conf manpage indicates that the value
|
||||
'internal' is allowed for TC_ENABLED, that value was previously
|
||||
rejected ('Internal' was accepted).
|
||||
|
||||
10) The meaning of the 'loose' provider option was accidentally reversed
|
||||
in Shorewall-perl. Rather than causing certain routing rules to be
|
||||
omitted when specified, it actually caused them to be added (these
|
||||
rules were omitted when the option was NOT specified).
|
||||
|
||||
11) If the 'bridge' option was specified on an interface but there were
|
||||
no bport zones, then traffic originating on the firewall was not
|
||||
passed through the accounting chain.
|
||||
|
||||
12) In commands such as:
|
||||
|
||||
shorewall compile <directory>
|
||||
shorewall restart <directory>
|
||||
shorewall check <directory>
|
||||
|
||||
if the name of the <directory> contained a period ("."), then
|
||||
Shorewall-perl would incorrectly substitute the current working
|
||||
directory for the name.
|
||||
|
||||
13) Previously, if the following sequence of routing rules was
|
||||
specified, then the first rule would always be omitted.
|
||||
|
||||
#SOURCE DEST PROVIDER PRIORITY
|
||||
$SRC_A $DESTIP1 ISP1 1000
|
||||
$SRC_A $DESTIP2 SOMEISP 1000
|
||||
$SRC_A - ISP2 1000
|
||||
|
||||
The reason for this omission was that Shorewall uses a
|
||||
delete-before-add approach and attempting to delete the third rule
|
||||
resulted in the deletion of the first one instead.
|
||||
|
||||
This problem occurred with both compilers.
|
||||
|
||||
14) When using Shorewall-shell, provider numbers were not recognized in
|
||||
the PROVIDER column of /etc/shorewall/route_rules.
|
||||
|
||||
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
|
||||
rejected in the MARK column of /etc/shorewall/tcclasses.
|
||||
|
||||
Other Changes in Shorewall 4.0.4
|
||||
|
||||
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
|
||||
is not a match at all but rather is a feature of recent versions of
|
||||
iptables that allows a particular match to be used multiple times
|
||||
within a single rule.
|
||||
destonly: Normally used with the Multi-cast range. Specifies that
|
||||
traffic will be sent to the specified net(s) but that
|
||||
no traffic will be received from the net(s).
|
||||
|
||||
Example:
|
||||
|
||||
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
|
||||
wifi eth1:192.168.3.0/24 broadcast
|
||||
wifi eth1:224.0.0.0/4 destonly
|
||||
|
||||
When using Shorewall-shell, the availability of 'Repeat Match' can
|
||||
speed up compilation very slightly.
|
||||
In that example, limited broadcasts from the firewall with a source
|
||||
IP in the 192.168.3.0/24 range will be acccepted as will multicasts
|
||||
(with any source address).
|
||||
|
||||
2) Apparently recent Fedora releases are broken. The
|
||||
following sequence of commands demonstrates the problem:
|
||||
2) A MULTICAST option has been added to shorewall.conf. This option
|
||||
will normally be set to 'No' (the default). It should be set to
|
||||
'Yes' under the following circumstances:
|
||||
|
||||
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
|
||||
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
|
||||
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
|
||||
a) You have an interface that has parallel zones defined via
|
||||
/etc/shorewall/hosts.
|
||||
b) You want to forward multicast packets to two or more of those
|
||||
parallel zones.
|
||||
|
||||
The third command should fail but doesn't; instead, it incorrectly
|
||||
removes the rule added by the first command.
|
||||
In such cases, you will configure a 'destonly' network on each
|
||||
zone receiving multicasts.
|
||||
|
||||
To work around this issue, you can set DELETE_THEN_ADD=No in
|
||||
shorewall.conf which prevents Shorewall from deleting ip rules
|
||||
before attempting to add a similar rule.
|
||||
The MULTICAST option is only recognized by Shorewall-perl and is
|
||||
ignored by Shorewall-shell.
|
||||
|
||||
3) When using Shorewall-perl, the following message is now issued if
|
||||
the 'detectnets' option is specified in /etc/shorewall/interfaces:
|
||||
|
||||
WARNING: Support for the 'detectnets' option will be removed from
|
||||
Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians
|
||||
|
||||
The 'detect' options has always been rather silly. On input, it
|
||||
duplicates the function of 'routefilter'. On output, it is a no-op
|
||||
since traffic that doesn't match a route out of an interface won't
|
||||
be sent through that interface (duh!).
|
||||
|
||||
Beginning with Shorewall 4.0.5, the warning message will read:
|
||||
3) As announced in the Shorewall 4.0.4 release notes, Shorewall-perl
|
||||
no longer supports the 'detectnets' option. Specifying that option
|
||||
now results in the following message:
|
||||
|
||||
WARNING: Support for the 'detectnets' option has been removed
|
||||
|
||||
It is suggested that 'detectnets' be replaced by
|
||||
'routefilter,logmartians'. That will produce the same filtering
|
||||
effect as 'detectnets' while eliminating 1-2 rules per connection.
|
||||
|
||||
One user has asked how to retain the output of 'shorewall show
|
||||
zones' if the 'detectnets' option is removed. While I don't advise
|
||||
doing so, you can reproduce the current 'shorewall show' behavior
|
||||
as follows.
|
||||
|
||||
Suppose that you have a zone named 'wifi' that produces the
|
||||
following output with 'detectnets':
|
||||
|
||||
wifi (ipv4)
|
||||
eth1:192.168.3.0/24
|
||||
|
||||
You can reproduce this behavior as follows:
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
- eth1 detect ...
|
||||
|
||||
/etc/shorewall/hosts:
|
||||
|
||||
wifi eth1:192.168.3.0/24 broadcast
|
||||
|
||||
If you send multicast to the 'wifi' zone, you also need this entry
|
||||
in your hosts file:
|
||||
|
||||
wifi eth1:224.0.0.0/4 destonly
|
||||
|
||||
4) (Shorewall-perl only) The server port in a DNAT or REDIRECT rule
|
||||
may now be specified as a service name from
|
||||
/etc/services. Additionally:
|
||||
|
||||
a) A port-range may be specified as the service port expressed in
|
||||
the format <low port>-<high port>. Connections are assigned to
|
||||
server ports in round-robin fashion.
|
||||
|
||||
b) The compiler only permits a server port to be specified if the
|
||||
protocol is tcp or udp.
|
||||
|
||||
c) The compiler ensures that the server IP address is valid (note
|
||||
that it is still not permitted to specify the server address as a
|
||||
DNS name).
|
||||
|
||||
5) (Shorewall-perl only) Users are complaining that when they migrate
|
||||
to Shorewall-perl, they have to restrict their port lists to 15
|
||||
ports. In this release, we relax that restriction on destination
|
||||
port lists. Since the SOURCE PORT(s) column in the configuration
|
||||
files is rarely used, we have no plans to relax the restriction in
|
||||
that column.
|
||||
|
||||
6) There have been several cases where iptables-restore has failed
|
||||
while executing a COMMIT command in the .iptables_restore_input
|
||||
file. This gives neither the user nor Shorewall support much to go
|
||||
on when analyzing the problem. As a new debugging aid, the meaning
|
||||
of 'trace' and 'debug' have been changed.
|
||||
|
||||
Traditionally, /sbin/shorewall and /sbin/shorewall-lite have
|
||||
allowed either 'trace' or 'debug' as the first run-line
|
||||
parameter. Prior to 4.0.5, the two words produced the same effect.
|
||||
|
||||
Beginning with Shorewall 4.0.5, the two words have different
|
||||
effects when Shorewall-perl is used.
|
||||
|
||||
trace - Like the previous behavior.
|
||||
|
||||
In the Shorewall-perl compiler, generate a stack trace
|
||||
on WARNING and ERROR messages.
|
||||
|
||||
In the generated script, sets the shell's -x option to
|
||||
trace execution of the script.
|
||||
|
||||
debug - Ignored by the Shorewall-perl compiler.
|
||||
|
||||
In the generated script, causes the commands in
|
||||
.iptables_restore_input to be executed as discrete iptables
|
||||
commands. The failing command can thus be identified and a
|
||||
diagnosis of the cause can be made.
|
||||
|
||||
Users of Shorewall-lite will see the following change when using a
|
||||
script that was compiled with Shorewall-perl 4.0.5 or later.
|
||||
|
||||
trace - In the generated script, sets the shell's -x option to
|
||||
trace execution of the script.
|
||||
|
||||
debug - In the generated script, causes the commands in
|
||||
.iptables_restore_input to be executed as discrete iptables
|
||||
commands. The failing command can thus be identified and a
|
||||
diagnosis of the cause can be made.
|
||||
|
||||
In all other cases, 'debug' and 'trace' remain synonymous. In
|
||||
particular, users of Shorewall-shell will see no change in
|
||||
behavior.
|
||||
|
||||
WARNING: The 'debug' feature in Shorewall-perl is strictly for
|
||||
problem analysis. When 'debug' is used:
|
||||
|
||||
a) The firewall is made 'wide open' before the rules are applied.
|
||||
b) The routestopped file is not consulted and the rules are applied
|
||||
in the canonical iptables-restore order (ASCIIbetical by chain).
|
||||
So if you need critical hosts to be always available during
|
||||
start/restart, you may not be able to use 'debug'.
|
||||
|
||||
7) /usr/share/shorewall-perl/buildports.pl,
|
||||
/usr/share/shorewall-perl/FallbackPorts.pm and
|
||||
/usr/share/shorewall-perl/Shorewall/Ports.pm have been removed.
|
||||
|
||||
Shorewall now resolves protocol and port names as using Perl's
|
||||
interface to the the standard C library APIs getprotobyname() and
|
||||
getservbyname().
|
||||
|
||||
Note 1:
|
||||
|
||||
The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL',
|
||||
'icmp' and 'ICMP' are still resolved by Shorewall-perl
|
||||
itself.
|
||||
|
||||
Note 2:
|
||||
|
||||
Those of you running Shorewall-perl under Cygwin may wish to
|
||||
install "real" /etc/protocols and /etc/services files
|
||||
in place of the symbolic links installed by Cygwin.
|
||||
|
||||
8) The contents of the Shorewall::*::$VERSION variables are now a
|
||||
V-string (e.g., 4.0.5) rather than an integer (e.g., 4.05). This is
|
||||
only of interest for Perl programs that are using the modules and
|
||||
specifying a minimum version (e.g., "use Shorewall::Config
|
||||
4.0.5;"). Each module continues to carry a separate version which
|
||||
indicates the release of Shorewall-perl when the module was last
|
||||
modified.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
1) Beginning with Shorewall 4.0.0, there is no single 'shorewall'
|
||||
@ -334,15 +387,10 @@ Migration Considerations:
|
||||
|
||||
This capability is in current distributions.
|
||||
|
||||
b) Now that Netfilter has features to deal reasonably with port lists,
|
||||
I see no reason to duplicate those features in Shorewall. The
|
||||
Bourne-shell compiler goes to great pain (in some cases) to
|
||||
break very long port lists ( > 15 where port ranges in lists
|
||||
count as two ports) into individual rules. In the new compiler, I'm
|
||||
avoiding the ugliness required to do that. The new compiler just
|
||||
generates an error if your list is too long. It will also produce
|
||||
an error if you insert a port range into a port list and you don't
|
||||
have extended multiport support.
|
||||
b) Shorewall-perl does not attempt to break up SOURCE PORT(s) lists
|
||||
longer than 15 ports (where a port range counts as two
|
||||
ports). It also doesn't permit port ranges in a port list unless
|
||||
the kernel and iptables support Extended Multiport Match.
|
||||
|
||||
c) The old BRIDGING=Yes support has been replaced by new bridge
|
||||
support that uses the reduced 'physdev match' capabilities found
|
||||
@ -439,7 +487,7 @@ Migration Considerations:
|
||||
|
||||
- Otherwise, the rule is added to accounting only.
|
||||
|
||||
See http://www.shorewall.net/4.0/bridge-Shorewall-perl.html for
|
||||
See http://www.shorewall.net/bridge-Shorewall-perl.html for
|
||||
additional information about the new bridge support.
|
||||
|
||||
d) The BROADCAST column in the interfaces file is essentially unused;
|
||||
@ -478,13 +526,20 @@ Migration Considerations:
|
||||
|
||||
To add a rule to the chain:
|
||||
|
||||
add_rule( $chainref, <the rule> );
|
||||
add_rule( $chainref, <the rule> [, <expand-dports> ] );
|
||||
|
||||
Where
|
||||
|
||||
<the rule> is a scalar argument holding the rule text. Do
|
||||
not include "-A <chain name>"
|
||||
|
||||
<expand-dports> is optional. If <expand-dports> is
|
||||
present and evaluates to True and if <the rule> contains
|
||||
a --dports list with more than 15 ports listed (each port
|
||||
range counts as two ports), then add_rule() will break
|
||||
<the rule> into multiple rules, each having 15 or fewer
|
||||
ports in its --dports list.
|
||||
|
||||
Example:
|
||||
|
||||
add_rule( $chainref, '-j ACCEPT' );
|
||||
@ -525,11 +580,11 @@ Migration Considerations:
|
||||
|
||||
my $chainref = $chain_table{'filter'}{'INPUT'};
|
||||
|
||||
The continue script is eliminated. That script was designed to
|
||||
The 'continue' script is eliminated. That script was designed to
|
||||
allow you to add special rules during [re]start. Shorewall-perl
|
||||
doesn't need such rules.
|
||||
|
||||
See http://www.shorewall.net/4.0/shorewall_extension_scripts.htm
|
||||
See http://www.shorewall.net/shorewall_extension_scripts.htm
|
||||
for further information about extension scripts under
|
||||
Shorewall-perl.
|
||||
|
||||
@ -973,30 +1028,7 @@ Migration Considerations:
|
||||
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
|
||||
classes generated by /etc/shorewall/tcclasses.
|
||||
|
||||
10) During installation, Shorewall generates the Perl module
|
||||
/usr/share/shorewall-perl/Shorewall/Ports.pm, using your
|
||||
/etc/protocols and /etc/services as input.
|
||||
|
||||
To re-generate the module from those two files:
|
||||
|
||||
1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
file.
|
||||
2. /usr/share/shorewall-perl/buildports.pl > \
|
||||
/usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
|
||||
Note: If the buildports.pl program fails to run to a successful
|
||||
completion during installation, a fallback version of
|
||||
module will be installed. That fallback module was generated from
|
||||
the /etc/protocols and /etc/services shipped with Ubuntu Feisty
|
||||
Fawn.
|
||||
|
||||
Even if the buildports.pl program runs successfully, the fallback
|
||||
module is also installed as
|
||||
/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
|
||||
encounter problems with the generated module, simply copy the
|
||||
fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.
|
||||
|
||||
11) Tuomo Soini has contributed bi-directional macros for various
|
||||
10) Tuomo Soini has contributed bi-directional macros for various
|
||||
tunnel types:
|
||||
|
||||
IPsecah
|
||||
@ -1006,13 +1038,13 @@ Migration Considerations:
|
||||
IPsecnat
|
||||
L2TP
|
||||
|
||||
12) The -f option is no longer the default when Shorewall is started at
|
||||
11) The -f option is no longer the default when Shorewall is started at
|
||||
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
|
||||
"shorewall start" is nearly as fast as "shorewall restore" and
|
||||
"shorewall start" uses the current configuration which avoids
|
||||
confusion.
|
||||
|
||||
13) The implementation of LITEDIR has always been
|
||||
12) The implementation of LITEDIR has always been
|
||||
unsatisfactory. Furthermore, there have been other cases where
|
||||
people have asked to be able to designate the state directory
|
||||
(default /var/lib/shorewall[-lite]).
|
||||
@ -1435,3 +1467,149 @@ Other Changes in 4.0.3
|
||||
|
||||
This feature requires Shorewall-perl 4.0.3 as well as
|
||||
Shorewall-common 4.0.3.
|
||||
|
||||
Problems Corrected in Shorewall 4.0.4
|
||||
|
||||
1) If no interface had the 'blacklist' option, then when using
|
||||
Shorewall-perl, the 'start' and 'restart' command failed:
|
||||
|
||||
ERROR: No filter chain found with name blacklst
|
||||
|
||||
New Shorewall-perl 4.0.3 packages were released that corrected this
|
||||
problem; it is included here for completeness.
|
||||
|
||||
2) If no interface had the 'blacklist' option, then when using
|
||||
Shorewall-perl, the generated script would issue this harmless
|
||||
message during 'shorewall refresh':
|
||||
|
||||
chainlist_reload: Not found
|
||||
|
||||
3) If /bin/sh was a light-weight shell such as ash or dash, then
|
||||
'shorewall refresh' failed.
|
||||
|
||||
4) During start/restart, the script generated by Shorewall-perl was
|
||||
clearing the proxy_arp flag on all interfaces; that is not the
|
||||
documented behavior.
|
||||
|
||||
5) If the module-init-tools package was not installed and
|
||||
/etc/shorewall/modules did not exist or was non-empty, then
|
||||
Shorewall-perl would fail with the message:
|
||||
|
||||
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
|
||||
|
||||
6) Shorewall-perl now makes a compile-time check to insure that
|
||||
iptables-restore exists and is executable. This check is made when
|
||||
the compiler is being run by root and the -e option is not
|
||||
given.
|
||||
|
||||
Note that iptables-restore must reside in the same directory as the
|
||||
iptables executable specified by IPTABLES in shorewall.conf or
|
||||
located by the PATH in the event that IPTABLES is not specified.
|
||||
|
||||
7) When using Shorewall-perl, if an action was invoked with more than
|
||||
10 different combinations of log-levels/tags, some of those
|
||||
invocations would have incorrect logging.
|
||||
|
||||
8) Previously, when 'shorewall restore' was executed, the
|
||||
iptables-restore utility was always located using the PATH setting
|
||||
rather than the IPTABLES setting.
|
||||
|
||||
With Shorewall-perl, the IPTABLES setting is now used to locate
|
||||
this utility during 'restore' as it is during the processing of
|
||||
other commands.
|
||||
|
||||
9) Although the shorewall.conf manpage indicates that the value
|
||||
'internal' is allowed for TC_ENABLED, that value was previously
|
||||
rejected ('Internal' was accepted).
|
||||
|
||||
10) The meaning of the 'loose' provider option was accidentally reversed
|
||||
in Shorewall-perl. Rather than causing certain routing rules to be
|
||||
omitted when specified, it actually caused them to be added (these
|
||||
rules were omitted when the option was NOT specified).
|
||||
|
||||
11) If the 'bridge' option was specified on an interface but there were
|
||||
no bport zones, then traffic originating on the firewall was not
|
||||
passed through the accounting chain.
|
||||
|
||||
12) In commands such as:
|
||||
|
||||
shorewall compile <directory>
|
||||
shorewall restart <directory>
|
||||
shorewall check <directory>
|
||||
|
||||
if the name of the <directory> contained a period ("."), then
|
||||
Shorewall-perl would incorrectly substitute the current working
|
||||
directory for the name.
|
||||
|
||||
13) Previously, if the following sequence of routing rules was
|
||||
specified, then the first rule would always be omitted.
|
||||
|
||||
#SOURCE DEST PROVIDER PRIORITY
|
||||
$SRC_A $DESTIP1 ISP1 1000
|
||||
$SRC_A $DESTIP2 SOMEISP 1000
|
||||
$SRC_A - ISP2 1000
|
||||
|
||||
The reason for this omission was that Shorewall uses a
|
||||
delete-before-add approach and attempting to delete the third rule
|
||||
resulted in the deletion of the first one instead.
|
||||
|
||||
This problem occurred with both compilers.
|
||||
|
||||
14) When using Shorewall-shell, provider numbers were not recognized in
|
||||
the PROVIDER column of /etc/shorewall/route_rules.
|
||||
|
||||
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
|
||||
rejected in the MARK column of /etc/shorewall/tcclasses.
|
||||
|
||||
16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a
|
||||
multiple of 256. That restriction was being enforced by
|
||||
Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also
|
||||
enforces this restriction.
|
||||
|
||||
17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT)
|
||||
failed with an "Unknown interface" error when using Shorewall-perl.
|
||||
|
||||
Other Changes in Shorewall 4.0.4
|
||||
|
||||
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
|
||||
is not a match at all but rather is a feature of recent versions of
|
||||
iptables that allows a particular match to be used multiple times
|
||||
within a single rule.
|
||||
|
||||
Example:
|
||||
|
||||
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
|
||||
|
||||
When using Shorewall-shell, the availability of 'Repeat Match' can
|
||||
speed up compilation very slightly.
|
||||
|
||||
2) Apparently recent Fedora releases are broken. The
|
||||
following sequence of commands demonstrates the problem:
|
||||
|
||||
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
|
||||
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
|
||||
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
|
||||
|
||||
The third command should fail but doesn't; instead, it incorrectly
|
||||
removes the rule added by the first command.
|
||||
|
||||
To work around this issue, you can set DELETE_THEN_ADD=No in
|
||||
shorewall.conf which prevents Shorewall from deleting ip rules
|
||||
before attempting to add a similar rule.
|
||||
|
||||
3) When using Shorewall-perl, the following message is now issued if
|
||||
the 'detectnets' option is specified in /etc/shorewall/interfaces:
|
||||
|
||||
WARNING: Support for the 'detectnets' option will be removed from
|
||||
Shorewall-perl in version 4.0.5; better to use 'routefilter' and
|
||||
'logmartians
|
||||
|
||||
The 'detect' options has always been rather silly. On input, it
|
||||
duplicates the function of 'routefilter'. On output, it is a no-op
|
||||
since traffic that doesn't match a route out of an interface won't
|
||||
be sent through that interface (duh!).
|
||||
|
||||
Beginning with Shorewall 4.0.5, the warning message will read:
|
||||
|
||||
WARNING: Support for the 'detectnets' option has been removed
|
||||
|
||||
|
@ -118,6 +118,11 @@
|
||||
#
|
||||
# Set the configuration variables from shorewall.conf
|
||||
#
|
||||
# $1 = Yes: read the params file
|
||||
# $2 = Yes: check for STARTUP_ENABLED
|
||||
# $3 = Yes: Check for LOGFILE
|
||||
#
|
||||
#
|
||||
get_config() {
|
||||
|
||||
ensure_config_path
|
||||
@ -286,23 +291,16 @@ compiler() {
|
||||
# Both compilers installed. Read the appropriate shorewall.conf to learn the setting of SHOREWALL_COMPILER
|
||||
#
|
||||
if [ -n "$SHOREWALL_DIR" ]; then
|
||||
shell=$SHOREWALL_SHELL
|
||||
|
||||
[ -x $pc ] && set -a
|
||||
run_user_exit params
|
||||
set +a
|
||||
haveparams=Yes
|
||||
|
||||
config=$(find_file shorewall.conf)
|
||||
get_config No No No
|
||||
|
||||
if [ -f $config ]; then
|
||||
if [ -r $config ]; then
|
||||
progress_message "Processing $config..."
|
||||
. $config
|
||||
else
|
||||
startup_error "Cannot read $config (Hint: Are you root?)"
|
||||
fi
|
||||
else
|
||||
startup_error "$config does not exist!"
|
||||
fi
|
||||
SHOREWALL_SHELL=$shell
|
||||
fi
|
||||
#
|
||||
# And initiate the appropriate compiler
|
||||
@ -326,7 +324,7 @@ compiler() {
|
||||
|
||||
# Perl compiler only takes the output file as a argument
|
||||
|
||||
[ "$1" = debug ] && shift;
|
||||
[ "$1" = debug -o "$1" = trace ] && shift;
|
||||
[ "$1" = nolock ] && shift;
|
||||
shift
|
||||
|
||||
@ -334,7 +332,7 @@ compiler() {
|
||||
[ -n "$EXPORT" ] && options="$options --export "
|
||||
[ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "
|
||||
[ -n "$TIMESTAMP" ] && options="$options --timestamp "
|
||||
[ -n "$debugging" ] && options="$options --debug "
|
||||
[ "$debugging" = trace ] && options="$options --debug "
|
||||
[ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS"
|
||||
[ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed"
|
||||
#
|
||||
@ -1318,7 +1316,7 @@ usage() # $1 = exit status
|
||||
debugging=
|
||||
|
||||
if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
|
||||
debugging=debug
|
||||
debugging=$1
|
||||
shift
|
||||
fi
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-common
|
||||
%define version 4.0.4
|
||||
%define version 4.0.5
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -240,6 +240,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
|
||||
|
||||
%changelog
|
||||
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.5-1
|
||||
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.4-1
|
||||
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
|
||||
|
@ -169,6 +169,8 @@ KEEP_RT_TABLES=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
MULTICAST=No
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.0.4
|
||||
VERSION=4.0.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1 +1 @@
|
||||
This is the Shorewall-lite Development 4.0 branch of SVN.
|
||||
This is the Shorewall-lite Stable 4.0 branch of SVN.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.0.4
|
||||
VERSION=4.0.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.0.4
|
||||
VERSION=4.0.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -383,7 +383,7 @@ usage() # $1 = exit status
|
||||
debugging=
|
||||
|
||||
if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
|
||||
debugging=debug
|
||||
debugging=$1
|
||||
shift
|
||||
fi
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.0.4
|
||||
%define version 4.0.5
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
@ -98,6 +98,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.5-1
|
||||
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.4-1
|
||||
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.0.4
|
||||
VERSION=4.0.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,2 +1,2 @@
|
||||
This is the Shorewall-perl Development 4.0 branch of SVN.
|
||||
This is the Shorewall-perl Stable 4.0 branch of SVN.
|
||||
|
||||
|
@ -35,7 +35,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_accounting );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = 4.0.3;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
|
@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
|
||||
%macros
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.04';
|
||||
our $VERSION = 4.0.4;
|
||||
|
||||
#
|
||||
# Used Actions. Each action that is actually used has an entry with value 1.
|
||||
|
@ -28,7 +28,6 @@ package Shorewall::Chains;
|
||||
require Exporter;
|
||||
|
||||
use Shorewall::Config;
|
||||
use Shorewall::Ports;
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::IPAddrs;
|
||||
|
||||
@ -88,6 +87,7 @@ our @EXPORT = qw( STANDARD
|
||||
setup_zone_mss
|
||||
newexclusionchain
|
||||
clearrule
|
||||
validate_portrange
|
||||
do_proto
|
||||
mac_match
|
||||
verify_mark
|
||||
@ -126,7 +126,7 @@ our @EXPORT = qw( STANDARD
|
||||
%targets
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.04';
|
||||
our $VERSION = 4.0.5;
|
||||
|
||||
#
|
||||
# Chain Table
|
||||
@ -135,7 +135,8 @@ our $VERSION = '4.04';
|
||||
# table => <table name>
|
||||
# is_policy => 0|1
|
||||
# is_optional => 0|1
|
||||
# referenced => 0|1
|
||||
# referenced => 0|1 -- If 1, will be written to the iptables-restore-input.
|
||||
# builtin => 0|1 -- If 1, one of Netfilter's built-in chains.
|
||||
# log => <logging rule number for use when LOGRULENUMBERS>
|
||||
# policy => <policy>
|
||||
# policychain => <name of policy chain> -- self-reference if this is a policy chain
|
||||
@ -370,17 +371,9 @@ sub mark_referenced( $ ) {
|
||||
$_[0]->{referenced} = 1;
|
||||
}
|
||||
|
||||
#
|
||||
# Add a rule to a chain. Arguments are:
|
||||
#
|
||||
# Chain reference , Rule
|
||||
#
|
||||
sub add_rule($$)
|
||||
{
|
||||
sub push_rule( $$ ) {
|
||||
my ($chainref, $rule) = @_;
|
||||
|
||||
$iprangematch = 0;
|
||||
|
||||
$rule .= qq( -m comment --comment "$comment") if $comment;
|
||||
|
||||
if ( $chainref->{cmdlevel} ) {
|
||||
@ -392,6 +385,63 @@ sub add_rule($$)
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Add a rule to a chain. Arguments are:
|
||||
#
|
||||
# Chain reference , Rule [, Expand-long-dest-port-lists ]
|
||||
#
|
||||
sub add_rule($$;$)
|
||||
{
|
||||
my ($chainref, $rule, $expandports) = @_;
|
||||
|
||||
$iprangematch = 0;
|
||||
#
|
||||
# Pre-processing the port lists as was done in Shorewall-shell results in port-list
|
||||
# processing driving the rest of rule generation.
|
||||
#
|
||||
# By post-processing each rule generated by expand_rule(), we avoid all of that
|
||||
# messiness and replace it with the following localized messiness.
|
||||
#
|
||||
# Because source ports are seldom specified and source port lists are rarer still,
|
||||
# we only worry about the destination ports.
|
||||
#
|
||||
if ( $expandports && $rule =~ '^(.* --dports\s+)([^ ]+)(.*)$' ) {
|
||||
my ($first, $ports, $rest) = ( $1, $2, $3 );
|
||||
|
||||
if ( ( $ports =~ tr/:,/:,/ ) > 15 ) {
|
||||
my @ports = split '([,:])', $ports;
|
||||
|
||||
while ( @ports ) {
|
||||
my $count = 0;
|
||||
my $newports = '';
|
||||
|
||||
while ( @ports && $count < 15 ) {
|
||||
my ($port, $separator) = ( shift @ports, shift @ports );
|
||||
|
||||
$separator ||= '';
|
||||
|
||||
if ( ++$count == 15 ) {
|
||||
if ( $separator eq ':' ) {
|
||||
unshift @ports, $port, ':';
|
||||
last;
|
||||
} else {
|
||||
$newports .= $port;
|
||||
}
|
||||
} else {
|
||||
$newports .= "${port}${separator}";
|
||||
}
|
||||
}
|
||||
|
||||
push_rule ( $chainref, join( '', $first, $newports, $rest ) );
|
||||
}
|
||||
} else {
|
||||
push_rule ( $chainref, $rule );
|
||||
}
|
||||
} else {
|
||||
push_rule ( $chainref, $rule );
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Insert a rule into a chain. Arguments are:
|
||||
#
|
||||
@ -503,7 +553,7 @@ sub dynamic_chains( $ ) #$1 = interface
|
||||
{
|
||||
my $c = chain_base_cond($_[0]);
|
||||
|
||||
[ $c . '_dyni' , $c . '_dynf' , $c . '_dyno' ];
|
||||
( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' );
|
||||
}
|
||||
|
||||
#
|
||||
@ -537,7 +587,7 @@ sub first_chains( $ ) #$1 = interface
|
||||
{
|
||||
my $c = chain_base_cond($_[0]);
|
||||
|
||||
[ $c . '_fwd', $c . '_in' ];
|
||||
( $c . '_fwd', $c . '_in' );
|
||||
}
|
||||
|
||||
#
|
||||
@ -759,36 +809,57 @@ sub clearrule() {
|
||||
$iprangematch = 0;
|
||||
}
|
||||
|
||||
sub validate_proto( $ ) {
|
||||
#
|
||||
# Resolve the contents of the PROTO column.
|
||||
#
|
||||
|
||||
our %nametoproto = ( all => 0, ALL => 0, icmp => 1, ICMP => 1, tcp => 6, TCP => 6, udp => 17, UDP => 17 );
|
||||
our @prototoname = ( 'all', 'icmp', '', '', '', '', 'tcp', '', '', '', '', '', '', '', '', '', '', 'udp' );
|
||||
|
||||
#
|
||||
# Returns the protocol number if the passed argument is a valid protocol number or name. Returns undef otherwise
|
||||
#
|
||||
sub resolve_proto( $ ) {
|
||||
my $proto = $_[0];
|
||||
my $value = $protocols{$proto};
|
||||
return $value if defined $value;
|
||||
return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535;
|
||||
return $proto if $proto eq 'all';
|
||||
fatal_error "Invalid/Unknown protocol ($proto)";
|
||||
my $number;
|
||||
|
||||
$proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
|
||||
}
|
||||
|
||||
sub validate_portpair( $ ) {
|
||||
my $portpair = $_[0];
|
||||
sub proto_name( $ ) {
|
||||
my $proto = $_[0];
|
||||
|
||||
$proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
|
||||
}
|
||||
|
||||
sub validate_port( $$ ) {
|
||||
my ($proto, $port) = @_;
|
||||
|
||||
my $value;
|
||||
|
||||
if ( $port =~ /^(\d+)$/ ) {
|
||||
return $port if $port <= 65535;
|
||||
} else {
|
||||
$proto = getprotobyname $proto if $proto =~ /^(\d+)$/;
|
||||
$value = getservbyname( $port, $proto );
|
||||
}
|
||||
|
||||
fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
|
||||
|
||||
$value;
|
||||
}
|
||||
|
||||
sub validate_portpair( $$ ) {
|
||||
my ($proto, $portpair) = @_;
|
||||
|
||||
fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
|
||||
|
||||
$portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':';
|
||||
$portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
|
||||
|
||||
my @ports = split/:/, $portpair, 2;
|
||||
my @ports = split /:/, $portpair, 2;
|
||||
|
||||
for my $port ( @ports ) {
|
||||
my $value = $services{$port};
|
||||
|
||||
unless ( defined $value ) {
|
||||
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
|
||||
}
|
||||
|
||||
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
|
||||
|
||||
$port = $value;
|
||||
}
|
||||
$_ = validate_port( $proto, $_) for ( @ports );
|
||||
|
||||
if ( @ports == 2 ) {
|
||||
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
|
||||
@ -798,17 +869,38 @@ sub validate_portpair( $ ) {
|
||||
|
||||
}
|
||||
|
||||
sub validate_port_list( $ ) {
|
||||
sub validate_portrange( $$ ) {
|
||||
my ($proto, $portpair) = @_;
|
||||
|
||||
if ( $portpair =~ tr/-/-/ > 1 || substr( $portpair, 0, 1 ) eq '-' || substr( $portpair, -1, 1 ) eq '-' ) {
|
||||
fatal_error "Invalid port range ($portpair)";
|
||||
}
|
||||
|
||||
my @ports = split /-/, $portpair, 2;
|
||||
|
||||
$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
|
||||
|
||||
if ( @ports == 2 ) {
|
||||
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
|
||||
}
|
||||
|
||||
join '-', @ports;
|
||||
|
||||
}
|
||||
|
||||
sub validate_port_list( $$ ) {
|
||||
my $result = '';
|
||||
my $list = $_[0];
|
||||
my ( $proto, $list ) = @_;
|
||||
my @list = split/,/, $list;
|
||||
|
||||
if ( @list > 1 && $list =~ /:/ ) {
|
||||
require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
|
||||
}
|
||||
|
||||
$proto = proto_name $proto;
|
||||
|
||||
for ( @list ) {
|
||||
my $value = validate_portpair( $_ );
|
||||
my $value = validate_portpair( $proto , $_ );
|
||||
$result = $result ? join ',', $result, $value : $value;
|
||||
}
|
||||
|
||||
@ -886,27 +978,41 @@ sub do_proto( $$$ )
|
||||
$ports = '' if $ports eq '-';
|
||||
$sports = '' if $sports eq '-';
|
||||
|
||||
if ( $proto ) {
|
||||
if ( $proto =~ /^(((tcp|6)((:syn)?))|(udp|17))$/ ) {
|
||||
if ( $proto ne '' ) {
|
||||
|
||||
if ( $4 ) {
|
||||
$output = '-p 6 --syn ';
|
||||
} else {
|
||||
$proto = $protocols{$proto} if defined $protocols{$proto};
|
||||
my $synonly = ( $proto =~ s/:syn$//i );
|
||||
|
||||
my $protonum = resolve_proto $proto;
|
||||
|
||||
if ( defined $protonum ) {
|
||||
#
|
||||
# Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent
|
||||
#
|
||||
my $pname = proto_name( $proto = $protonum );
|
||||
#
|
||||
# $proto now contains the protocol number and $pname contains the canonical name of the protocol
|
||||
#
|
||||
unless ( $synonly ) {
|
||||
$output = "-p $proto ";
|
||||
} else {
|
||||
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP;
|
||||
$output = "-p $proto --syn ";
|
||||
}
|
||||
|
||||
PROTO:
|
||||
{
|
||||
|
||||
if ( $proto == TCP || $proto == UDP ) {
|
||||
my $multiport = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
|
||||
fatal_error "Port list requires Multiport support in your kernel/iptables ($ports)" unless $capabilities{MULTIPORT};
|
||||
fatal_error "Too many entries in port list ($ports)" if port_count( $ports ) > 15;
|
||||
$ports = validate_port_list $ports;
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
|
||||
$ports = validate_port_list $pname , $ports;
|
||||
$output .= "-m multiport --dports $ports ";
|
||||
$multiport = 1;
|
||||
} else {
|
||||
$ports = validate_portpair $ports;
|
||||
$ports = validate_portpair $pname , $ports;
|
||||
$output .= "--dport $ports ";
|
||||
}
|
||||
} else {
|
||||
@ -915,36 +1021,50 @@ sub do_proto( $$$ )
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
if ( $multiport ) {
|
||||
fatal_error "Too many entries in port list ($sports)" if port_count( $sports ) > 15;
|
||||
$sports = validate_port_list $sports;
|
||||
fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15;
|
||||
$sports = validate_port_list $pname , $sports;
|
||||
$output .= "-m multiport --sports $sports ";
|
||||
} else {
|
||||
$sports = validate_portpair $sports;
|
||||
$sports = validate_portpair $pname , $sports;
|
||||
$output .= "--sport $sports ";
|
||||
}
|
||||
}
|
||||
} elsif ( $proto =~ /^(icmp|1)$/i ) {
|
||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
||||
$output .= "-p icmp ";
|
||||
|
||||
last PROTO; }
|
||||
|
||||
if ( $proto == ICMP ) {
|
||||
if ( $ports ne '' ) {
|
||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
||||
$ports = validate_icmp $ports;
|
||||
$output .= "--icmp-type $ports ";
|
||||
}
|
||||
|
||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
|
||||
} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
|
||||
require_capability( 'IPP2P_MATCH' , 'PROTO = ipp2p' , 's' );
|
||||
$proto = $2 ? $3 : 'tcp';
|
||||
$ports = 'ipp2p' unless $ports;
|
||||
$output .= "-p $proto -m ipp2p --$ports ";
|
||||
|
||||
last PROTO; }
|
||||
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
|
||||
|
||||
} # PROTO
|
||||
|
||||
} else {
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $proto" if $ports ne '' || $sports ne '';
|
||||
$proto = validate_proto $proto;
|
||||
$output .= "-p $proto ";
|
||||
fatal_error '":syn" is only allowed with tcp' if $synonly;
|
||||
|
||||
if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
|
||||
my $p = $2 ? lc $3 : 'tcp';
|
||||
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
|
||||
$proto = "-p $nametoproto{$p} ";
|
||||
$ports = 'ipp2p' unless $ports;
|
||||
$output .= "${proto}-m ipp2p --$ports ";
|
||||
} else {
|
||||
fatal_error "Invalid/Unknown protocol ($proto)"
|
||||
}
|
||||
} elsif ( $ports ne '' || $sports ne '' ) {
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO"
|
||||
}
|
||||
} else {
|
||||
#
|
||||
# No protocol
|
||||
#
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne '';
|
||||
}
|
||||
|
||||
$output;
|
||||
@ -1251,6 +1371,8 @@ sub log_rule_limit( $$$$$$$$ ) {
|
||||
|
||||
return 1 if $level eq '';
|
||||
|
||||
$predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' ';
|
||||
|
||||
unless ( $predicates =~ /-m limit / ) {
|
||||
$limit = $globals{LOGLIMIT} unless $limit && $limit ne '-';
|
||||
$predicates .= $limit if $limit;
|
||||
@ -1284,10 +1406,8 @@ sub log_rule_limit( $$$$$$$$ ) {
|
||||
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
|
||||
}
|
||||
|
||||
$predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' ';
|
||||
|
||||
if ( $command eq 'add' ) {
|
||||
add_rule ( $chainref, $predicates . $prefix );
|
||||
add_rule ( $chainref, $predicates . $prefix , 1 );
|
||||
} else {
|
||||
insert_rule ( $chainref , 1 , $predicates . $prefix );
|
||||
}
|
||||
@ -1702,7 +1822,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
#
|
||||
# We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE}
|
||||
#
|
||||
add_rule $chainref, join( '', $rule, match_source_net( $inet), match_dest_net( $dnet ), $onet, "-j $echain" );
|
||||
add_rule( $chainref, join( '', $rule, match_source_net( $inet), match_dest_net( $dnet ), $onet, "-j $echain" ), 1 );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1725,7 +1845,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
#
|
||||
# Generate Final Rule
|
||||
#
|
||||
add_rule( $echainref, $exceptionrule . $target ) unless $disposition eq 'LOG';
|
||||
add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
|
||||
} else {
|
||||
#
|
||||
# No exclusions
|
||||
@ -1750,9 +1870,10 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
}
|
||||
|
||||
unless ( $disposition eq 'LOG' ) {
|
||||
add_rule
|
||||
add_rule(
|
||||
$chainref,
|
||||
join( '', $rule, match_source_net ($inet), match_dest_net( $dnet ), $onet, $target );
|
||||
join( '', $rule, match_source_net ($inet), match_dest_net( $dnet ), $onet, $target ) ,
|
||||
1 );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1968,9 +2089,11 @@ sub create_netfilter_load() {
|
||||
#
|
||||
emit( 'exec 3>&-',
|
||||
'',
|
||||
'progress_message2 "Running iptables-restore..."',
|
||||
'[ -n "$DEBUG" ] && command=debug_restore_input || command=$IPTABLES_RESTORE',
|
||||
'',
|
||||
'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux',
|
||||
'progress_message2 "Running $command..."',
|
||||
'',
|
||||
'cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux',
|
||||
'if [ $? != 0 ]; then',
|
||||
' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
|
||||
"fi\n"
|
||||
|
@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
|
||||
our @EXPORT_OK = qw( $export );
|
||||
our $VERSION = '4.04';
|
||||
our $VERSION = 4.0.4;
|
||||
|
||||
our $export;
|
||||
|
||||
@ -485,11 +485,12 @@ EOF
|
||||
# parsing routines that are called directly out of 'compiler()'.
|
||||
#
|
||||
# We create two separate functions rather than one so that the
|
||||
# define_firewall() shell can set global IP configuration variables
|
||||
# define_firewall() shell function can set global IP configuration variables
|
||||
# after the old config has been cleared and before we start instantiating
|
||||
# the new config. That way, the variables reflect the way that the
|
||||
# distribution's tools have configured IP without any Shorewall
|
||||
# modifications.
|
||||
# modifications and the firewall configuration is the same after
|
||||
# 'restart' as it is after 'start'.
|
||||
#
|
||||
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
|
||||
# than those related to writing to the object file.
|
||||
|
@ -94,7 +94,7 @@ our @EXPORT = qw(
|
||||
%capabilities );
|
||||
|
||||
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
|
||||
our $VERSION = '4.04';
|
||||
our $VERSION = 4.0.5;
|
||||
|
||||
#
|
||||
# describe the current command, it's present progressive, and it's completion.
|
||||
@ -230,7 +230,7 @@ sub initialize() {
|
||||
ORIGINAL_POLICY_MATCH => '',
|
||||
LOGPARMS => '',
|
||||
TC_SCRIPT => '',
|
||||
VERSION => '4.0.4',
|
||||
VERSION => '4.0.5',
|
||||
CAPVERSION => 40003 ,
|
||||
);
|
||||
#
|
||||
@ -552,8 +552,14 @@ sub copy( $ ) {
|
||||
open IF , $file or fatal_error "Unable to open $file: $!";
|
||||
|
||||
while ( <IF> ) {
|
||||
if ( /^\s*$/ ) {
|
||||
print $object "\n" unless $lastlineblank;
|
||||
$lastlineblank = 1;
|
||||
} else {
|
||||
s/^/$indent/ if $indent;
|
||||
print $object $_;
|
||||
$lastlineblank = 0;
|
||||
}
|
||||
}
|
||||
|
||||
close IF;
|
||||
@ -1468,7 +1474,7 @@ sub get_configuration( $ ) {
|
||||
default_yes_no 'EXPAND_POLICIES' , '';
|
||||
default_yes_no 'KEEP_RT_TABLES' , '';
|
||||
default_yes_no 'DELETE_THEN_ADD' , 'Yes';
|
||||
default_yes_no 'MULTICAST ' , '';
|
||||
default_yes_no 'MULTICAST' , '';
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
|
||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||
|
@ -1,518 +0,0 @@
|
||||
#
|
||||
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module exports the %protocols and %services hashes built from
|
||||
# /etc/protocols and /etc/services respectively.
|
||||
#
|
||||
# Module generated using buildports.pl 4.0.0-Beta7 - Fri Jun 29 14:10:45 2007
|
||||
#
|
||||
package Shorewall::Ports;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( %protocols %services );
|
||||
our @EXPORT_OK = qw();
|
||||
our $VERSION = '4.00';
|
||||
|
||||
our %protocols = (
|
||||
ip => 0,
|
||||
IP => 0,
|
||||
icmp => 1,
|
||||
ICMP => 1,
|
||||
igmp => 2,
|
||||
IGMP => 2,
|
||||
ggp => 3,
|
||||
GGP => 3,
|
||||
ipencap => 4,
|
||||
'IP-ENCAP' => 4,
|
||||
st => 5,
|
||||
ST => 5,
|
||||
tcp => 6,
|
||||
TCP => 6,
|
||||
egp => 8,
|
||||
EGP => 8,
|
||||
igp => 9,
|
||||
IGP => 9,
|
||||
pup => 12,
|
||||
PUP => 12,
|
||||
udp => 17,
|
||||
UDP => 17,
|
||||
hmp => 20,
|
||||
HMP => 20,
|
||||
'xns-idp' => 22,
|
||||
'XNS-IDP' => 22,
|
||||
rdp => 27,
|
||||
RDP => 27,
|
||||
'iso-tp4' => 29,
|
||||
'ISO-TP4' => 29,
|
||||
xtp => 36,
|
||||
XTP => 36,
|
||||
ddp => 37,
|
||||
DDP => 37,
|
||||
'idpr-cmtp' => 38,
|
||||
'IDPR-CMTP' => 38,
|
||||
ipv6 => 41,
|
||||
IPv6 => 41,
|
||||
'ipv6-route' => 43,
|
||||
'IPv6-Route' => 43,
|
||||
'ipv6-frag' => 44,
|
||||
'IPv6-Frag' => 44,
|
||||
idrp => 45,
|
||||
IDRP => 45,
|
||||
rsvp => 46,
|
||||
RSVP => 46,
|
||||
gre => 47,
|
||||
GRE => 47,
|
||||
esp => 50,
|
||||
'IPSEC-ESP' => 50,
|
||||
ah => 51,
|
||||
'IPSEC-AH' => 51,
|
||||
skip => 57,
|
||||
SKIP => 57,
|
||||
'ipv6-icmp' => 58,
|
||||
'IPv6-ICMP' => 58,
|
||||
'ipv6-nonxt' => 59,
|
||||
'IPv6-NoNxt' => 59,
|
||||
'ipv6-opts' => 60,
|
||||
'IPv6-Opts' => 60,
|
||||
rspf => 73,
|
||||
RSPF => 73,
|
||||
CPHB => 73,
|
||||
vmtp => 81,
|
||||
VMTP => 81,
|
||||
eigrp => 88,
|
||||
EIGRP => 88,
|
||||
ospf => 89,
|
||||
OSPFIGP => 89,
|
||||
'ax.25' => 93,
|
||||
'AX.25' => 93,
|
||||
ipip => 94,
|
||||
IPIP => 94,
|
||||
etherip => 97,
|
||||
ETHERIP => 97,
|
||||
encap => 98,
|
||||
ENCAP => 98,
|
||||
pim => 103,
|
||||
PIM => 103,
|
||||
ipcomp => 108,
|
||||
IPCOMP => 108,
|
||||
vrrp => 112,
|
||||
VRRP => 112,
|
||||
l2tp => 115,
|
||||
L2TP => 115,
|
||||
isis => 124,
|
||||
ISIS => 124,
|
||||
sctp => 132,
|
||||
SCTP => 132,
|
||||
fc => 133,
|
||||
FC => 133,
|
||||
);
|
||||
|
||||
our %services = (
|
||||
tcpmux => 1,
|
||||
echo => 7,
|
||||
discard => 9,
|
||||
sink => 9,
|
||||
null => 9,
|
||||
systat => 11,
|
||||
users => 11,
|
||||
daytime => 13,
|
||||
netstat => 15,
|
||||
qotd => 17,
|
||||
quote => 17,
|
||||
msp => 18,
|
||||
chargen => 19,
|
||||
ttytst => 19,
|
||||
source => 19,
|
||||
'ftp-data' => 20,
|
||||
ftp => 21,
|
||||
fsp => 21,
|
||||
fspd => 21,
|
||||
ssh => 22,
|
||||
telnet => 23,
|
||||
smtp => 25,
|
||||
mail => 25,
|
||||
time => 37,
|
||||
timserver => 37,
|
||||
rlp => 39,
|
||||
resource => 39,
|
||||
nameserver => 42,
|
||||
name => 42,
|
||||
whois => 43,
|
||||
nicname => 43,
|
||||
tacacs => 49,
|
||||
're-mail-ck' => 50,
|
||||
domain => 53,
|
||||
mtp => 57,
|
||||
'tacacs-ds' => 65,
|
||||
bootps => 67,
|
||||
bootpc => 68,
|
||||
tftp => 69,
|
||||
gopher => 70,
|
||||
rje => 77,
|
||||
netrjs => 77,
|
||||
finger => 79,
|
||||
www => 80,
|
||||
http => 80,
|
||||
link => 87,
|
||||
ttylink => 87,
|
||||
kerberos => 88,
|
||||
kerberos5 => 88,
|
||||
krb5 => 88,
|
||||
'kerberos-sec' => 88,
|
||||
supdup => 95,
|
||||
hostnames => 101,
|
||||
hostname => 101,
|
||||
'iso-tsap' => 102,
|
||||
tsap => 102,
|
||||
'acr-nema' => 104,
|
||||
dicom => 104,
|
||||
'csnet-ns' => 105,
|
||||
'cso-ns' => 105,
|
||||
rtelnet => 107,
|
||||
pop2 => 109,
|
||||
postoffice => 109,
|
||||
'pop-2' => 109,
|
||||
pop3 => 110,
|
||||
'pop-3' => 110,
|
||||
sunrpc => 111,
|
||||
portmapper => 111,
|
||||
auth => 113,
|
||||
authentication => 113,
|
||||
tap => 113,
|
||||
ident => 113,
|
||||
sftp => 115,
|
||||
'uucp-path' => 117,
|
||||
nntp => 119,
|
||||
readnews => 119,
|
||||
untp => 119,
|
||||
ntp => 123,
|
||||
pwdgen => 129,
|
||||
'loc-srv' => 135,
|
||||
epmap => 135,
|
||||
'netbios-ns' => 137,
|
||||
'netbios-dgm' => 138,
|
||||
'netbios-ssn' => 139,
|
||||
imap2 => 143,
|
||||
imap => 143,
|
||||
snmp => 161,
|
||||
'snmp-trap' => 162,
|
||||
snmptrap => 162,
|
||||
'cmip-man' => 163,
|
||||
'cmip-agent' => 164,
|
||||
mailq => 174,
|
||||
xdmcp => 177,
|
||||
nextstep => 178,
|
||||
NeXTStep => 178,
|
||||
NextStep => 178,
|
||||
bgp => 179,
|
||||
prospero => 191,
|
||||
irc => 194,
|
||||
smux => 199,
|
||||
'at-rtmp' => 201,
|
||||
'at-nbp' => 202,
|
||||
'at-echo' => 204,
|
||||
'at-zis' => 206,
|
||||
qmtp => 209,
|
||||
z3950 => 210,
|
||||
wais => 210,
|
||||
ipx => 213,
|
||||
imap3 => 220,
|
||||
pawserv => 345,
|
||||
zserv => 346,
|
||||
fatserv => 347,
|
||||
rpc2portmap => 369,
|
||||
codaauth2 => 370,
|
||||
clearcase => 371,
|
||||
Clearcase => 371,
|
||||
ulistserv => 372,
|
||||
ldap => 389,
|
||||
imsp => 406,
|
||||
https => 443,
|
||||
snpp => 444,
|
||||
'microsoft-ds' => 445,
|
||||
kpasswd => 464,
|
||||
saft => 487,
|
||||
isakmp => 500,
|
||||
rtsp => 554,
|
||||
nqs => 607,
|
||||
'npmp-local' => 610,
|
||||
dqs313_qmaster => 610,
|
||||
'npmp-gui' => 611,
|
||||
dqs313_execd => 611,
|
||||
'hmmp-ind' => 612,
|
||||
dqs313_intercell => 612,
|
||||
ipp => 631,
|
||||
exec => 512,
|
||||
biff => 512,
|
||||
comsat => 512,
|
||||
login => 513,
|
||||
who => 513,
|
||||
whod => 513,
|
||||
shell => 514,
|
||||
cmd => 514,
|
||||
syslog => 514,
|
||||
printer => 515,
|
||||
spooler => 515,
|
||||
talk => 517,
|
||||
ntalk => 518,
|
||||
route => 520,
|
||||
router => 520,
|
||||
routed => 520,
|
||||
timed => 525,
|
||||
timeserver => 525,
|
||||
tempo => 526,
|
||||
newdate => 526,
|
||||
courier => 530,
|
||||
rpc => 530,
|
||||
conference => 531,
|
||||
chat => 531,
|
||||
netnews => 532,
|
||||
netwall => 533,
|
||||
gdomap => 538,
|
||||
uucp => 540,
|
||||
uucpd => 540,
|
||||
klogin => 543,
|
||||
kshell => 544,
|
||||
krcmd => 544,
|
||||
afpovertcp => 548,
|
||||
remotefs => 556,
|
||||
rfs_server => 556,
|
||||
rfs => 556,
|
||||
nntps => 563,
|
||||
snntp => 563,
|
||||
submission => 587,
|
||||
ldaps => 636,
|
||||
tinc => 655,
|
||||
silc => 706,
|
||||
'kerberos-adm' => 749,
|
||||
webster => 765,
|
||||
rsync => 873,
|
||||
'ftps-data' => 989,
|
||||
ftps => 990,
|
||||
telnets => 992,
|
||||
imaps => 993,
|
||||
ircs => 994,
|
||||
pop3s => 995,
|
||||
socks => 1080,
|
||||
proofd => 1093,
|
||||
rootd => 1094,
|
||||
openvpn => 1194,
|
||||
rmiregistry => 1099,
|
||||
kazaa => 1214,
|
||||
nessus => 1241,
|
||||
lotusnote => 1352,
|
||||
lotusnotes => 1352,
|
||||
'ms-sql-s' => 1433,
|
||||
'ms-sql-m' => 1434,
|
||||
ingreslock => 1524,
|
||||
'prospero-np' => 1525,
|
||||
datametrics => 1645,
|
||||
'old-radius' => 1645,
|
||||
'sa-msg-port' => 1646,
|
||||
'old-radacct' => 1646,
|
||||
kermit => 1649,
|
||||
l2f => 1701,
|
||||
l2tp => 1701,
|
||||
radius => 1812,
|
||||
'radius-acct' => 1813,
|
||||
radacct => 1813,
|
||||
msnp => 1863,
|
||||
'unix-status' => 1957,
|
||||
'log-server' => 1958,
|
||||
remoteping => 1959,
|
||||
nfs => 2049,
|
||||
'rtcm-sc104' => 2101,
|
||||
cvspserver => 2401,
|
||||
venus => 2430,
|
||||
'venus-se' => 2431,
|
||||
codasrv => 2432,
|
||||
'codasrv-se' => 2433,
|
||||
mon => 2583,
|
||||
dict => 2628,
|
||||
gpsd => 2947,
|
||||
gds_db => 3050,
|
||||
icpv2 => 3130,
|
||||
icp => 3130,
|
||||
mysql => 3306,
|
||||
nut => 3493,
|
||||
distcc => 3632,
|
||||
daap => 3689,
|
||||
svn => 3690,
|
||||
subversion => 3690,
|
||||
iax => 4569,
|
||||
'radmin-port' => 4899,
|
||||
rfe => 5002,
|
||||
mmcc => 5050,
|
||||
sip => 5060,
|
||||
'sip-tls' => 5061,
|
||||
aol => 5190,
|
||||
'xmpp-client' => 5222,
|
||||
'jabber-client' => 5222,
|
||||
'xmpp-server' => 5269,
|
||||
'jabber-server' => 5269,
|
||||
cfengine => 5308,
|
||||
postgresql => 5432,
|
||||
postgres => 5432,
|
||||
x11 => 6000,
|
||||
'x11-0' => 6000,
|
||||
'x11-1' => 6001,
|
||||
'x11-2' => 6002,
|
||||
'x11-3' => 6003,
|
||||
'x11-4' => 6004,
|
||||
'x11-5' => 6005,
|
||||
'x11-6' => 6006,
|
||||
'x11-7' => 6007,
|
||||
'gnutella-svc' => 6346,
|
||||
'gnutella-rtr' => 6347,
|
||||
'afs3-fileserver' => 7000,
|
||||
bbs => 7000,
|
||||
'afs3-callback' => 7001,
|
||||
'afs3-prserver' => 7002,
|
||||
'afs3-vlserver' => 7003,
|
||||
'afs3-kaserver' => 7004,
|
||||
'afs3-volser' => 7005,
|
||||
'afs3-errors' => 7006,
|
||||
'afs3-bos' => 7007,
|
||||
'afs3-update' => 7008,
|
||||
'afs3-rmtsys' => 7009,
|
||||
'font-service' => 7100,
|
||||
xfs => 7100,
|
||||
'bacula-dir' => 9101,
|
||||
'bacula-fd' => 9102,
|
||||
'bacula-sd' => 9103,
|
||||
amanda => 10080,
|
||||
hkp => 11371,
|
||||
bprd => 13720,
|
||||
bpdbm => 13721,
|
||||
'bpjava-msvc' => 13722,
|
||||
vnetd => 13724,
|
||||
bpcd => 13782,
|
||||
vopied => 13783,
|
||||
wnn6 => 22273,
|
||||
kerberos4 => 750,
|
||||
'kerberos-iv' => 750,
|
||||
kdc => 750,
|
||||
kerberos_master => 751,
|
||||
passwd_server => 752,
|
||||
krb_prop => 754,
|
||||
krb5_prop => 754,
|
||||
hprop => 754,
|
||||
krbupdate => 760,
|
||||
kreg => 760,
|
||||
swat => 901,
|
||||
kpop => 1109,
|
||||
knetd => 2053,
|
||||
'zephyr-srv' => 2102,
|
||||
'zephyr-clt' => 2103,
|
||||
'zephyr-hm' => 2104,
|
||||
eklogin => 2105,
|
||||
kx => 2111,
|
||||
iprop => 2121,
|
||||
supfilesrv => 871,
|
||||
supfiledbg => 1127,
|
||||
linuxconf => 98,
|
||||
poppassd => 106,
|
||||
ssmtp => 465,
|
||||
smtps => 465,
|
||||
moira_db => 775,
|
||||
moira_update => 777,
|
||||
moira_ureg => 779,
|
||||
spamd => 783,
|
||||
omirr => 808,
|
||||
omirrd => 808,
|
||||
customs => 1001,
|
||||
skkserv => 1178,
|
||||
predict => 1210,
|
||||
rmtcfg => 1236,
|
||||
wipld => 1300,
|
||||
xtel => 1313,
|
||||
xtelw => 1314,
|
||||
support => 1529,
|
||||
sieve => 2000,
|
||||
cfinger => 2003,
|
||||
ndtp => 2010,
|
||||
frox => 2121,
|
||||
ninstall => 2150,
|
||||
zebrasrv => 2600,
|
||||
zebra => 2601,
|
||||
ripd => 2602,
|
||||
ripngd => 2603,
|
||||
ospfd => 2604,
|
||||
bgpd => 2605,
|
||||
ospf6d => 2606,
|
||||
ospfapi => 2607,
|
||||
isisd => 2608,
|
||||
afbackup => 2988,
|
||||
afmbackup => 2989,
|
||||
xtell => 4224,
|
||||
fax => 4557,
|
||||
hylafax => 4559,
|
||||
distmp3 => 4600,
|
||||
munin => 4949,
|
||||
lrrd => 4949,
|
||||
'enbd-cstatd' => 5051,
|
||||
'enbd-sstatd' => 5052,
|
||||
pcrd => 5151,
|
||||
noclog => 5354,
|
||||
hostmon => 5355,
|
||||
rplay => 5555,
|
||||
rptp => 5556,
|
||||
nsca => 5667,
|
||||
mrtd => 5674,
|
||||
bgpsim => 5675,
|
||||
canna => 5680,
|
||||
'sane-port' => 6566,
|
||||
sane => 6566,
|
||||
saned => 6566,
|
||||
ircd => 6667,
|
||||
'zope-ftp' => 8021,
|
||||
webcache => 8080,
|
||||
tproxy => 8081,
|
||||
omniorb => 8088,
|
||||
'clc-build-daemon' => 8990,
|
||||
xinetd => 9098,
|
||||
mandelspawn => 9359,
|
||||
mandelbrot => 9359,
|
||||
zope => 9673,
|
||||
kamanda => 10081,
|
||||
amandaidx => 10082,
|
||||
amidxtape => 10083,
|
||||
smsqp => 11201,
|
||||
xpilot => 15345,
|
||||
'sgi-cmsd' => 17001,
|
||||
'sgi-crsd' => 17002,
|
||||
'sgi-gcd' => 17003,
|
||||
'sgi-cad' => 17004,
|
||||
isdnlog => 20011,
|
||||
vboxd => 20012,
|
||||
binkp => 24554,
|
||||
asp => 27374,
|
||||
csync2 => 30865,
|
||||
dircproxy => 57000,
|
||||
tfido => 60177,
|
||||
fido => 60179,
|
||||
);
|
||||
|
||||
1;
|
@ -30,6 +30,9 @@ use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( ALLIPv4
|
||||
TCP
|
||||
UDP
|
||||
ICMP
|
||||
|
||||
validate_address
|
||||
validate_net
|
||||
@ -40,14 +43,14 @@ our @EXPORT = qw( ALLIPv4
|
||||
rfc1918_neworks
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = '4.04';
|
||||
our $VERSION = 4.0.5;
|
||||
|
||||
#
|
||||
# Some IPv4 useful stuff
|
||||
#
|
||||
our @allipv4 = ( '0.0.0.0/0' );
|
||||
|
||||
use constant { ALLIPv4 => '0.0.0.0/0' };
|
||||
use constant { ALLIPv4 => '0.0.0.0/0' , ICMP => 1, TCP => 6, UDP => 17 };
|
||||
|
||||
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
|
||||
|
||||
@ -141,8 +144,9 @@ sub ip_range_explicit( $ ) {
|
||||
|
||||
my $first = decodeaddr $low;
|
||||
my $last = decodeaddr $high;
|
||||
my $diff = $last - $first;
|
||||
|
||||
fatal_error "Invalid IP Range ($range)" unless $first <= $last;
|
||||
fatal_error "Invalid IP Range ($range)" unless $diff >= 0 && $diff <= 256;
|
||||
|
||||
while ( ++$first <= $last ) {
|
||||
push @result, encodeaddr( $first );
|
||||
|
@ -36,7 +36,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
|
||||
our @EXPORT_OK = ();
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = 4.0.3;
|
||||
|
||||
our @addresses_to_add;
|
||||
our %addresses_to_add;
|
||||
|
@ -34,7 +34,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = 4.0.5;
|
||||
|
||||
# @policy_chains is a list of references to policy chains in the filter table
|
||||
|
||||
@ -333,6 +333,12 @@ sub validate_policy()
|
||||
print_policy $client, $server, $policy, $chain;
|
||||
}
|
||||
}
|
||||
|
||||
for $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
@ -369,7 +375,7 @@ sub default_policy( $$$ ) {
|
||||
my $policy = $policyref->{policy};
|
||||
my $loglevel = $policyref->{loglevel};
|
||||
|
||||
fatal_error "No default policy for $_[1] to zone $_[2]" unless $policyref;
|
||||
fatal_error "Internal error in default_policy()" unless $policyref;
|
||||
|
||||
if ( $chainref eq $policyref ) {
|
||||
policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
|
||||
|
@ -42,7 +42,7 @@ our @EXPORT = qw(
|
||||
setup_forwarding
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = '4.01';
|
||||
our $VERSION = 4.0.1;
|
||||
|
||||
#
|
||||
# ARP Filtering
|
||||
@ -96,6 +96,7 @@ sub setup_route_filtering() {
|
||||
|
||||
save_progress_message "Setting up Route Filtering...";
|
||||
|
||||
|
||||
if ( $config{ROUTE_FILTER} ) {
|
||||
my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
|
||||
|
||||
@ -114,11 +115,15 @@ sub setup_route_filtering() {
|
||||
" error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
|
||||
emit "fi\n";
|
||||
}
|
||||
#
|
||||
# According to Documentation/networking/ip-sysctl.txt, this must be turned on to do any filtering
|
||||
#
|
||||
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
|
||||
|
||||
if ( $config{ROUTE_FILTER} eq 'on' ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
|
||||
} elsif ( $config{ROUTE_FILTER} eq 'off' ) {
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
|
||||
}
|
||||
|
||||
emit "[ -n \"\$NOROUTES\" ] || ip route flush cache";
|
||||
}
|
||||
}
|
||||
@ -155,6 +160,14 @@ sub setup_martian_logging() {
|
||||
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
if ( $config{LOG_MARTIANS} eq 'on' ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians';
|
||||
} elsif ( $config{LOG_MARTIANS} eq 'off' ) {
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/conf/all/log_martians';
|
||||
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/log_martians';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -35,7 +35,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_providers @routemarked_interfaces);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = 4.0.3;
|
||||
|
||||
use constant { LOCAL_NUMBER => 255,
|
||||
MAIN_NUMBER => 254,
|
||||
|
@ -35,7 +35,7 @@ our @EXPORT = qw(
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.01';
|
||||
our $VERSION = 4.0.1;
|
||||
|
||||
our @proxyarp;
|
||||
|
||||
|
@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
|
||||
dump_rule_chains
|
||||
);
|
||||
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
|
||||
our $VERSION = '4.04';
|
||||
our $VERSION = 4.0.5;
|
||||
|
||||
#
|
||||
# Keep track of chains for the /var/lib/shorewall[-lite]/chains file
|
||||
@ -265,7 +265,7 @@ sub setup_rfc1918_filteration( $ ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
for my $chain ( @{first_chains $interface}) {
|
||||
for my $chain ( first_chains $interface ) {
|
||||
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
|
||||
}
|
||||
}
|
||||
@ -338,7 +338,7 @@ sub setup_blacklist() {
|
||||
my $network = $hostref->[2];
|
||||
my $source = match_source_net $network;
|
||||
|
||||
for my $chain ( @{first_chains $interface}) {
|
||||
for my $chain ( first_chains $interface ) {
|
||||
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
|
||||
}
|
||||
|
||||
@ -502,10 +502,7 @@ sub add_common_rules() {
|
||||
my $chain;
|
||||
|
||||
if ( $config{FASTACCEPT} ) {
|
||||
for $chain qw( INPUT FORWARD OUTPUT ) {
|
||||
$chainref = $filter_table->{$chain};
|
||||
add_rule( $chainref , "-m state --state ESTABLISHED,RELATED -j ACCEPT" );
|
||||
}
|
||||
add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
|
||||
}
|
||||
|
||||
my $rejectref = new_standard_chain 'reject';
|
||||
@ -520,7 +517,7 @@ sub add_common_rules() {
|
||||
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
||||
|
||||
for $interface ( all_interfaces ) {
|
||||
for $chain ( @{first_chains $interface} ) {
|
||||
for $chain ( first_chains $interface ) {
|
||||
add_rule new_standard_chain( $chain ) , "$state -j dynamic";
|
||||
}
|
||||
|
||||
@ -567,7 +564,7 @@ sub add_common_rules() {
|
||||
$interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
for $chain ( @{first_chains $interface}) {
|
||||
for $chain ( first_chains $interface ) {
|
||||
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
|
||||
}
|
||||
}
|
||||
@ -639,18 +636,16 @@ sub add_common_rules() {
|
||||
add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition";
|
||||
|
||||
for my $hostref ( @$list ) {
|
||||
$interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
for $chain ( @{first_chains $interface}) {
|
||||
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" );
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
|
||||
for $chain ( first_chains $hostref->[0] ) {
|
||||
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j tcpflags" );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( $config{DYNAMIC_ZONES} ) {
|
||||
for $interface ( all_interfaces ) {
|
||||
for $chain ( @{dynamic_chains $interface} ) {
|
||||
for $chain ( dynamic_chains $interface ) {
|
||||
new_standard_chain $chain;
|
||||
}
|
||||
|
||||
@ -792,7 +787,7 @@ sub setup_mac_lists( $ ) {
|
||||
my $source = match_source_net $hostref->[2];
|
||||
my $target = mac_chain $interface;
|
||||
if ( $table eq 'filter' ) {
|
||||
for my $chain ( @{first_chains $interface}) {
|
||||
for my $chain ( first_chains $interface ) {
|
||||
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
||||
}
|
||||
} else {
|
||||
@ -866,7 +861,7 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
|
||||
|
||||
$mtarget = merge_levels $target, $mtarget;
|
||||
|
||||
if ( $mtarget =~ /^PARAM:?/ ) {
|
||||
if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
|
||||
fatal_error 'PARAM requires a parameter to be supplied in macro invocation' unless $param ne '';
|
||||
$mtarget = substitute_param $param, $mtarget;
|
||||
}
|
||||
@ -920,7 +915,8 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Once a rule has been completely resolved by macro expansion and wildcard (source and/or dest zone == 'all'), it is processed by this function.
|
||||
# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
|
||||
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
|
||||
#
|
||||
sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $wildcard ) = @_;
|
||||
@ -998,7 +994,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
if ( $dest eq '-' ) {
|
||||
$dest = firewall_zone;
|
||||
} else {
|
||||
$dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /(.+?)::/;
|
||||
$dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /:/;
|
||||
}
|
||||
} elsif ( $action eq 'REJECT' ) {
|
||||
$action = 'reject';
|
||||
@ -1031,9 +1027,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
$dest = ALLIPv4;
|
||||
}
|
||||
|
||||
fatal_error "Missing source zone" if $sourcezone eq '-';
|
||||
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
|
||||
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
|
||||
fatal_error "Missing destination zone" if $destzone eq '-';
|
||||
fatal_error "Missing destination zone" if $destzone eq '-' || $destzone =~ /^:/;
|
||||
fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
|
||||
|
||||
my $restriction = NO_RESTRICT;
|
||||
@ -1043,6 +1039,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
} else {
|
||||
$restriction = INPUT_RESTRICT if $destzone eq firewall_zone;
|
||||
}
|
||||
|
||||
#
|
||||
# Check for illegal bridge port rule
|
||||
#
|
||||
@ -1052,22 +1049,19 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Take care of chain
|
||||
#
|
||||
my $chain = "${sourcezone}2${destzone}";
|
||||
my $chainref = ensure_chain 'filter', $chain;
|
||||
#
|
||||
# Validate Policy
|
||||
#
|
||||
my $policy = $chainref->{policy};
|
||||
|
||||
fatal_error "No policy defined from zone $sourcezone to zone $destzone" unless $policy;
|
||||
|
||||
if ( $policy eq 'NONE' ) {
|
||||
return 1 if $wildcard;
|
||||
fatal_error "Rules may not override a NONE policy";
|
||||
}
|
||||
|
||||
#
|
||||
# Handle Optimization
|
||||
#
|
||||
@ -1079,6 +1073,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
return 1 if $basictarget eq $policy;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
||||
#
|
||||
@ -1108,9 +1103,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
#
|
||||
# Isolate server port
|
||||
#
|
||||
if ( $dest =~ /^(.*)(:(\d+))$/ ) {
|
||||
if ( $dest =~ /^(.*)(:(.+))$/ ) {
|
||||
$server = $1;
|
||||
$serverport = $3;
|
||||
$serverport = validate_portrange $proto, $3;
|
||||
} else {
|
||||
$server = $dest;
|
||||
$serverport = '';
|
||||
@ -1120,15 +1115,14 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
# After DNAT, dest port will be the server port. Capture it here because $serverport gets modified below.
|
||||
#
|
||||
my $servport = $serverport ne '' ? $serverport : $ports;
|
||||
|
||||
fatal_error "A server must be specified in the DEST column in $action rules" unless ( $actiontype & REDIRECT ) || $server ne ALLIPv4;
|
||||
#
|
||||
# Generate the target
|
||||
#
|
||||
my $target = '';
|
||||
|
||||
if ( $actiontype & REDIRECT ) {
|
||||
$target = '-j REDIRECT --to-port ' . ( $serverport ne '' ? $serverport : $ports );
|
||||
fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
|
||||
$target = '-j REDIRECT --to-port ' . $servport;
|
||||
if ( $origdest eq '' || $origdest eq '-' ) {
|
||||
$origdest = ALLIPv4;
|
||||
} elsif ( $origdest eq 'detect' ) {
|
||||
@ -1141,6 +1135,10 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
} else {
|
||||
fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
|
||||
|
||||
validate_address $server, 0;
|
||||
|
||||
if ( $action eq 'SAME' ) {
|
||||
fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
|
||||
fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
|
||||
@ -1188,6 +1186,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
# - the target will be ACCEPT.
|
||||
#
|
||||
unless ( $actiontype & NATONLY ) {
|
||||
$servport =~ tr/-/:/ if $servport ne '-';
|
||||
$rule = join( '', do_proto( $proto, $servport, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
|
||||
$loglevel = '';
|
||||
$dest = $server;
|
||||
@ -1601,7 +1600,7 @@ sub generate_matrix() {
|
||||
if $hostref->{options}{broadcast};
|
||||
}
|
||||
|
||||
next if$hostref->{options}{destonly};
|
||||
next if $hostref->{options}{destonly};
|
||||
|
||||
my $source = match_source_net $net;
|
||||
|
||||
|
@ -39,7 +39,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tc );
|
||||
our @EXPORT_OK = qw( process_tc_rule initialize );
|
||||
our $VERSION = '4.04';
|
||||
our $VERSION = 4.0.5;
|
||||
|
||||
our %tcs = ( T => { chain => 'tcpost',
|
||||
connmark => 0,
|
||||
@ -367,12 +367,13 @@ sub validate_tc_class( $$$$$$ ) {
|
||||
my $markval = numeric_value( $mark );
|
||||
fatal_error "Duplicate Mark ($mark)" if $tcref->{$markval};
|
||||
|
||||
$tcref->{$markval} = {};
|
||||
$tcref->{$markval} = { tos => [] ,
|
||||
rate => convert_rate( $full, $rate ) ,
|
||||
ceiling => convert_rate( $full, $ceil ) ,
|
||||
priority => $prio eq '-' ? 1 : $prio
|
||||
};
|
||||
|
||||
$tcref = $tcref->{$markval};
|
||||
$tcref->{tos} = [];
|
||||
$tcref->{rate} = convert_rate $full, $rate;
|
||||
$tcref->{ceiling} = convert_rate $full, $ceil;
|
||||
$tcref->{priority} = $prio eq '-' ? 1 : $prio;
|
||||
|
||||
unless ( $options eq '-' ) {
|
||||
for my $option ( split /,/, "\L$options" ) {
|
||||
|
@ -33,7 +33,7 @@ use strict;
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( setup_tunnels );
|
||||
our @EXPORT_OK = ( );
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = 4.0.3;
|
||||
|
||||
#
|
||||
# Here starts the tunnel stuff -- we really should get rid of this crap...
|
||||
|
@ -64,7 +64,7 @@ our @EXPORT = qw( NOTHING
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.04';
|
||||
our $VERSION = 4.0.5;
|
||||
|
||||
#
|
||||
# IPSEC Option types
|
||||
@ -968,6 +968,7 @@ sub validate_hosts_file()
|
||||
|
||||
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
|
||||
}
|
||||
|
||||
#
|
||||
# Returns a reference to a array of host entries. Each entry is a
|
||||
# reference to an array containing ( interface , polciy match type {ipsec|none} , network );
|
||||
|
@ -1,165 +0,0 @@
|
||||
#! /usr/bin/perl -w
|
||||
#
|
||||
# Tool for building Shorewall::Ports.
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# Usage:
|
||||
#
|
||||
# buildports.pl [ <directory> ] > /usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
#
|
||||
# Where:
|
||||
#
|
||||
# <directory> is the directory where the 'protocols' and 'services' files are
|
||||
# located. If not specified, /etc is assumed.
|
||||
#
|
||||
use strict;
|
||||
use lib '/usr/share/shorewall-perl';
|
||||
use Shorewall::Config qw( open_file
|
||||
push_open
|
||||
pop_open
|
||||
read_a_line1
|
||||
split_line
|
||||
fatal_error
|
||||
%globals
|
||||
ensure_config_path
|
||||
set_shorewall_dir
|
||||
set_config_path );
|
||||
|
||||
our $offset = "\t\t ";
|
||||
|
||||
our %service_hash;
|
||||
|
||||
sub print_it( $$ ) {
|
||||
my ( $name, $number ) = @_;
|
||||
my $tabs;
|
||||
my $length = length $name;
|
||||
|
||||
if ( $name =~ /\W/ || $name =~ /^\d/ ) {
|
||||
my $repeat = int ( ( 27 - $length ) / 8 );
|
||||
$tabs = $repeat > 0 ? "\t" x $repeat : ' ';
|
||||
print "${offset}'${name}'${tabs}=> $number,\n";
|
||||
} else {
|
||||
my $repeat = int ( ( 29 - $length ) / 8 );
|
||||
$tabs = $repeat > 0 ? "\t" x $repeat : ' ';
|
||||
print "${offset}${name}${tabs}=> $number,\n";
|
||||
}
|
||||
}
|
||||
|
||||
sub print_service( $$ ) {
|
||||
my ( $service, $number ) = @_;
|
||||
|
||||
unless ( exists $service_hash{$service} ) {
|
||||
print_it( $service, $number );
|
||||
$service_hash{$service} = $number;
|
||||
}
|
||||
}
|
||||
#
|
||||
# E x e c u t i o n B e g i n s H e r e
|
||||
#
|
||||
set_config_path( '/etc' );
|
||||
|
||||
our $dir = $ARGV[0] || '/etc';
|
||||
|
||||
$dir =~ s|/+$|| unless $dir eq '/';
|
||||
#
|
||||
# Open the files before we do anything else
|
||||
#
|
||||
open_file "$dir/services" or fatal_error "$dir/services is empty";
|
||||
|
||||
push_open "$dir/protocols" or fatal_error "$dir/protocols is empty";
|
||||
|
||||
our $date = localtime;
|
||||
|
||||
print <<"EOF";
|
||||
#
|
||||
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2007 - Tom Eastep (teastep\@shorewall.net)
|
||||
#
|
||||
# Complete documentation is available at http://shorewall.net
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of Version 2 of the GNU General Public License
|
||||
# as published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module exports the %protocols and %services hashes built from
|
||||
# /etc/protocols and /etc/services respectively.
|
||||
#
|
||||
# Module generated using buildports.pl $globals{VERSION} - $date
|
||||
#
|
||||
EOF
|
||||
|
||||
print <<'EOF';
|
||||
package Shorewall::Ports;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw( %protocols %services );
|
||||
our @EXPORT_OK = qw();
|
||||
EOF
|
||||
|
||||
print "our \$VERSION = '$globals{VERSION}';\n";
|
||||
|
||||
print <<'EOF';
|
||||
our %protocols = (
|
||||
EOF
|
||||
|
||||
while ( read_a_line1 ) {
|
||||
my ( $proto1, $number, @aliases ) = split_line( 2, 10, '/etc/protocols entry');
|
||||
|
||||
print_it( $proto1, $number );
|
||||
|
||||
for my $alias ( @aliases ) {
|
||||
last if $alias eq '-';
|
||||
print_it( $alias, $number );
|
||||
}
|
||||
}
|
||||
|
||||
pop_open;
|
||||
|
||||
print "\t\t );\n\n";
|
||||
|
||||
print "our %services = (\n";
|
||||
|
||||
while ( read_a_line1 ) {
|
||||
my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry');
|
||||
|
||||
my ( $number, $proto ) = split '/', $proto_number;
|
||||
|
||||
next unless $proto && ($proto eq 'tcp' || $proto eq 'udp');
|
||||
|
||||
print_service( $name1 , $number );
|
||||
|
||||
while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) {
|
||||
print_service ($name1, $number );
|
||||
}
|
||||
}
|
||||
|
||||
print "\t\t );\n\n1;\n";
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.0.4
|
||||
VERSION=4.0.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@ -31,7 +31,6 @@ usage() # $1 = exit status
|
||||
echo " $ME -v"
|
||||
echo " $ME -h"
|
||||
echo " $ME -n"
|
||||
echo " $ME -n -P"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -111,7 +110,6 @@ if [ -z "$GROUP" ] ; then
|
||||
fi
|
||||
|
||||
NOBACKUP=
|
||||
INSTALL_PORTS_PM=Yes
|
||||
|
||||
while [ $# -gt 0 ] ; do
|
||||
case "$1" in
|
||||
@ -125,9 +123,6 @@ while [ $# -gt 0 ] ; do
|
||||
-n)
|
||||
NOBACKUP=Yes
|
||||
;;
|
||||
-P)
|
||||
INSTALL_PORTS_PM=
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
@ -190,20 +185,6 @@ for f in prog.* ; do
|
||||
echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall-perl/$f"
|
||||
done
|
||||
|
||||
#
|
||||
# Install buildports.pl and create Shorewall::Ports
|
||||
#
|
||||
install_file buildports.pl ${PREFIX}/usr/share/shorewall-perl/buildports.pl 0755
|
||||
|
||||
if [ -n "$INSTALL_PORTS_PM" ]; then
|
||||
if ./buildports.pl > ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm; then
|
||||
chmod 0644 ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
else
|
||||
echo "The buildports.pl tool failed -- installing the fallback Protocol/Ports Module"
|
||||
cp -a ${PREFIX}/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
fi
|
||||
fi
|
||||
|
||||
echo $VERSION > ${PREFIX}/usr/share/shorewall-perl/version
|
||||
#
|
||||
# Report Success
|
||||
|
@ -11,9 +11,14 @@ usage() {
|
||||
#
|
||||
# Start trace if first arg is "debug" or "trace"
|
||||
#
|
||||
if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
|
||||
if [ $# -gt 1 ]; then
|
||||
if [ "x$1" = "xtrace" ]; then
|
||||
set -x
|
||||
shift
|
||||
elif [ "x$1" = "xdebug" ]; then
|
||||
DEBUG=Yes
|
||||
shift
|
||||
fi
|
||||
fi
|
||||
|
||||
initialize
|
||||
|
@ -81,13 +81,7 @@ startup_error() # $* = Error Message
|
||||
#
|
||||
run_iptables()
|
||||
{
|
||||
if [ -n "$COMMENT" ]; then
|
||||
$IPTABLES $@ -m comment --comment "$COMMENT"
|
||||
else
|
||||
$IPTABLES $@
|
||||
fi
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
if ! $IPTABLES $@; then
|
||||
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
@ -149,3 +143,87 @@ get_all_bcasts()
|
||||
{
|
||||
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
|
||||
}
|
||||
|
||||
#
|
||||
# Run the .iptables_restore_input as a set of discrete iptables commands
|
||||
#
|
||||
debug_restore_input() {
|
||||
local first second rest table chain
|
||||
#
|
||||
# Clear the ruleset
|
||||
#
|
||||
qt $IPTABLES -t mangle -F
|
||||
qt $IPTABLES -t mangle -X
|
||||
|
||||
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
|
||||
qt $IPTABLES -t mangle -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt $IPTABLES -t raw -F
|
||||
qt $IPTABLES -t raw -X
|
||||
|
||||
for chain in PREROUTING OUTPUT; do
|
||||
qt $IPTABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
run_iptables -t nat -F
|
||||
run_iptables -t nat -X
|
||||
|
||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||
qt $IPTABLES -t nat -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt $IPTABLES -t filter -F
|
||||
qt $IPTABLES -t filter -X
|
||||
|
||||
for chain in INPUT FORWARD OUTPUT; do
|
||||
qt $IPTABLES -t filter -P $chain -P ACCEPT
|
||||
done
|
||||
|
||||
while read first second rest; do
|
||||
case $first in
|
||||
-*)
|
||||
#
|
||||
# We can't call run_iptables() here because the rules may contain quoted strings
|
||||
#
|
||||
eval $IPTABLES -t $table $first $second $rest
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
:*)
|
||||
chain=${first#:}
|
||||
|
||||
if [ "x$second" = x- ]; then
|
||||
$IPTABLES -t $table -N $chain
|
||||
else
|
||||
$IPTABLES -t $table -P $chain $second
|
||||
fi
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
fi
|
||||
;;
|
||||
#
|
||||
# This grotesque hack with the table names works around a bug/feature with ash
|
||||
#
|
||||
'*'raw)
|
||||
table=raw
|
||||
;;
|
||||
'*'mangle)
|
||||
table=mangle
|
||||
;;
|
||||
'*'nat)
|
||||
table=nat
|
||||
;;
|
||||
'*'filter)
|
||||
table=filter
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-perl
|
||||
%define version 4.0.4
|
||||
%define version 4.0.5
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall Perl-based compiler.
|
||||
@ -37,7 +37,7 @@ execution than the legacy shorewall-shell compiler.
|
||||
export PREFIX=$RPM_BUILD_ROOT ; \
|
||||
export OWNER=`id -n -u` ; \
|
||||
export GROUP=`id -n -g` ;\
|
||||
./install.sh -n -P
|
||||
./install.sh -n
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
@ -46,13 +46,6 @@ rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%post
|
||||
|
||||
if /usr/share/shorewall-perl/buildports.pl > /usr/share/shorewall-perl/Shorewall/Ports.pm; then
|
||||
chmod 0644 /usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
else
|
||||
echo "The buildports.pl tool failed -- installing the fallback Protocol/Ports Module"
|
||||
cp -a /usr/share/shorewall-perl/Shorewall/FallbackPorts.pm /usr/share/shorewall-perl/Shorewall/Ports.pm
|
||||
fi
|
||||
|
||||
%preun
|
||||
|
||||
%files
|
||||
@ -61,7 +54,6 @@ fi
|
||||
%attr(0755,root,root) %dir /usr/share/shorewall-perl
|
||||
%attr(0755,root,root) %dir /usr/share/shorewall-perl/Shorewall
|
||||
|
||||
%attr(755,root,root) /usr/share/shorewall-perl/buildports.pl
|
||||
%attr(755,root,root) /usr/share/shorewall-perl/compiler.pl
|
||||
%attr(0644,root,root) /usr/share/shorewall-perl/prog.header
|
||||
%attr(0644,root,root) /usr/share/shorewall-perl/prog.functions
|
||||
@ -72,6 +64,8 @@ fi
|
||||
%doc COPYING releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.5-1
|
||||
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.4-1
|
||||
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
|
||||
|
@ -1 +1 @@
|
||||
This is the Shorewall-shell Development 4.0 branch of SVN.
|
||||
This is the Shorewall-shell Stable 4.0 branch of SVN.
|
||||
|
@ -5415,6 +5415,7 @@ f=\$(find_file ipsets)
|
||||
if [ -f \$f ]; then
|
||||
progress_message2 "Restoring IPSETS..."
|
||||
ipset -U :all: :all:
|
||||
ipset -U :all: :default:
|
||||
ipset -F
|
||||
ipset -X
|
||||
ipset -R < \$f
|
||||
@ -5740,9 +5741,9 @@ usage() {
|
||||
# E X E C U T I O N B E G I N S H E R E
|
||||
#
|
||||
#
|
||||
# Start trace if first arg is "debug"
|
||||
# Start trace if first arg is "debug" or "trace"
|
||||
#
|
||||
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
|
||||
[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; }
|
||||
|
||||
NOLOCK=
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.0.4
|
||||
VERSION=4.0.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall-shell
|
||||
%define version 4.0.4
|
||||
%define version 4.0.5
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
@ -81,6 +81,8 @@ fi
|
||||
%doc COPYING INSTALL
|
||||
|
||||
%changelog
|
||||
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.5-1
|
||||
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.0.4-1
|
||||
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
|
||||
|
Loading…
Reference in New Issue
Block a user