Bring trunk up to date with 4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7483 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-10-19 19:43:14 +00:00
parent e0b9bc5ed2
commit 2246e54d28
43 changed files with 824 additions and 1075 deletions

View File

@ -1 +1 @@
This is the Shorewall-common Development 4.0 branch of SVN.
This is the Shorewall-common Stable 4.0 branch of SVN.

View File

@ -1,3 +1,33 @@
Changes in 4.0.5
1) Delete 'detectnets' from Shorewall-perl
2) Use get_config() for processing secondary shorewall.conf
3) Add 'broadcast' and 'destonly' options to hosts file.
4) Allow "$FW::<port>" in the DEST column of a redirect rule"
5) Add MULTICAST option in shorewall.conf.
6) Allow port range for server port in NAT rules.
7) Validate server IP address and port(-range) in NAT rules.
8) Allow server port(s) to be specified as service names.
9) Split large DEST PORT(S) lists.
10) Fix TCP/UDP in rules file.
10) Add new semantics to 'debug' with Shorewall-perl
11) Satisfy the distros.
12) Change module versions to V-strings.
13) Fix ipsets.
Changes in 4.0.4
1) Fix 'refresh' with light-weight shells.
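Review bot: the new 4.0.5 item list numbers both "Fix TCP/UDP in rules file." and "Add new semantics to 'debug' with Shorewall-perl" as 10), so the items that follow (11 to 13) should be renumbered 12 to 14. Item 4) also carries a stray trailing double quote after "redirect rule". "Satisfy the distros." says nothing about what actually changed; a short description of what was adjusted for packaging would make changes.txt useful to someone diffing releases.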
@ -37,6 +67,10 @@ Changes in 4.0.4
18) Fix off-by-one bug in Tc.pm
19) Correct problems found in pre-testing.
20) Fix REDIRECT with Macros.
Changes in 4.0.3
1) Streamline the checking for builtin chains in the accounting file.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.0.4
VERSION=4.0.5
usage() # $1 = exit status
{

View File

@ -477,9 +477,9 @@ usage() {
# E X E C U T I O N B E G I N S H E R E
#
#
# Start trace if first arg is "debug"
# Start trace if first arg is "debug" or "trace"
#
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
[ $# -gt 1 ] && [ "x$1" = xdebug -o "$x$1" = xtrace ] && { set -x ; shift ; }
NOLOCK=
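Review bot: the rewritten test defeats the new 'trace' case it is meant to add: in `[ "x$1" = xdebug -o "$x$1" = xtrace ]` the second operand is `"$x$1"`, which expands the unset variable `$x` instead of prefixing a literal x, so the comparison becomes `"$1" = xtrace` and a first argument of `trace` never enables `set -x`. It should read `[ "x$1" = xdebug -o "x$1" = xtrace ]`. The unchanged `$# -gt 1` guard also means a bare `debug` or `trace` with no further argument is silently ignored; if that is intended, a comment would help.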

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.4
VERSION=4.0.5
usage() # $1 = exit status
{

View File

@ -306,6 +306,7 @@ save_config() {
echo "__EOF__" >> $f
echo >> $f
echo "ipset -U :all: :all:" >> $f
echo "ipset -U :all: :default:" >> $f
echo "ipset -F" >> $f
echo "ipset -X" >> $f
echo "ipset -R << __EOF__" >> $f

View File

@ -1,7 +1,4 @@
Shorewall 4.0 Patch release 4
WARNING: Suppport for the 'detectnets' option will be removed from
Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below.
Shorewall 4.0 Patch release 5
----------------------------------------------------------------------------
R E L E A S E 4 . 0 H I G H L I G H T S
@ -29,142 +26,198 @@ Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below.
Shorewall-perl compiler. This support utilizes the reduced-function
physdev match support available in Linux kernel 2.6.20 and later.
Problems Corrected in Shorewall 4.0.4
Problems corrected in Shorewall 4.0.5.
1) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the 'start' and 'restart' command fail:
1) Previously, Shorewall-perl misprocessed $FW::<port> in the DEST
column of a REDIRECT rule, generating an error. '$FW::<port>' now
produces the same effect as '<port>'.
ERROR: No filter chain found with name blacklst
2) If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE
PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected
the entry with the error:
New Shorewall-perl 4.0.3 packages were released that corrected this
problem; it is included here for completeness.
ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules
2) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the generated script would issue this harmless
message during 'shorewall refresh':
The rule was accepted if 'tcp' or 'udp' was used instead.
chainlist_reload: Not found
3) Shorewall-shell now removes any default bindings of ipsets before
attempting to reload them. Previously, default bindings were not
removed with the result that the ipsets could not be destroyed.
3) If /bin/sh was a light-weight shell such as ash or dash, then
'shorewall refresh' failed.
Other changes in Shorewall 4.0.5.
4) During start/restart, the script generated by Shorewall-perl is
clearing the proxy_arp flag on all interfaces; that is not the
documented behavior.
1) Two new options have been added to /etc/shorewall/hosts
(Shorewall-perl only).
5) If the module-init-tools package was not installed and
/etc/shorewall/modules did not exist or was non-empty, then
Shorewall-perl would fail with the message:
broadcast: Permits limited broadcast (destination 255.255.255.255)
to the zone.
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
6) Shorewall-perl now makes a compile-time check to insure that
iptables-restore exists and is executable. This check is made when
the compiler is being run by root and the -e option is not
given.
Note that iptables-restore must reside in the same directory as the
iptables executable specified by IPTABLES in shorewall.conf or
located by the PATH in the event that IPTABLES is not specified.
7) When using Shorewall-perl, if an action was invoked with more than
10 different combinations of log-levels/tags, some of those
invocations with have incorrect logging.
8) Previously, when 'shorewall restore' was executed, the
iptables-restore utility was always located using the PATH setting
rather than the IPTABLES setting.
With Shorewall-perl, the IPTABLES setting is now used to locate
this utility during 'restore' as it is during the processing of
other commands.
9) Although the shorewall.conf manpage indicates that the value
'internal' is allowed for TC_ENABLED, that value was previously
rejected ('Internal' was accepted).
10) The meaning of the 'loose' provider option was accidentally reversed
in Shorewall-perl. Rather than causing certain routing rules to be
omitted when specified, it actually caused them to be added (these
rules were omitted when the option was NOT specified).
11) If the 'bridge' option was specified on an interface but there were
no bport zones, then traffic originating on the firewall was not
passed through the accounting chain.
12) In commands such as:
shorewall compile <directory>
shorewall restart <directory>
shorewall check <directory>
if the name of the <directory> contained a period ("."), then
Shorewall-perl would incorrectly substitute the current working
directory for the name.
13) Previously, if the following sequence of routing rules was
specified, then the first rule would always be omitted.
#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000
The reason for this omission was that Shorewall uses a
delete-before-add approach and attempting to delete the third rule
resulted in the deletion of the first one instead.
This problem occurred with both compilers.
14) When using Shorewall-shell, provider numbers were not recognized in
the PROVIDER column of /etc/shorewall/route_rules.
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
rejected in the MARK column of /etc/shorewall/tcclasses.
Other Changes in Shorewall 4.0.4
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
is not a match at all but rather is a feature of recent versions of
iptables that allows a particular match to be used multiple times
within a single rule.
destonly: Normally used with the Multi-cast range. Specifies that
traffic will be sent to the specified net(s) but that
no traffic will be received from the net(s).
Example:
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
wifi eth1:192.168.3.0/24 broadcast
wifi eth1:224.0.0.0/4 destonly
When using Shorewall-shell, the availability of 'Repeat Match' can
speed up compilation very slightly.
In that example, limited broadcasts from the firewall with a source
IP in the 192.168.3.0/24 range will be acccepted as will multicasts
(with any source address).
2) Apparently recent Fedora releases are broken. The
following sequence of commands demonstrates the problem:
2) A MULTICAST option has been added to shorewall.conf. This option
will normally be set to 'No' (the default). It should be set to
'Yes' under the following circumstances:
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
a) You have an interface that has parallel zones defined via
/etc/shorewall/hosts.
b) You want to forward multicast packets to two or more of those
parallel zones.
The third command should fail but doesn't; instead, it incorrectly
removes the rule added by the first command.
In such cases, you will configure a 'destonly' network on each
zone receiving multicasts.
To work around this issue, you can set DELETE_THEN_ADD=No in
shorewall.conf which prevents Shorewall from deleting ip rules
before attempting to add a similar rule.
The MULTICAST option is only recognized by Shorewall-perl and is
ignored by Shorewall-shell.
3) When using Shorewall-perl, the following message is now issued if
the 'detectnets' option is specified in /etc/shorewall/interfaces:
WARNING: Support for the 'detectnets' option will be removed from
Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians
The 'detect' options has always been rather silly. On input, it
duplicates the function of 'routefilter'. On output, it is a no-op
since traffic that doesn't match a route out of an interface won't
be sent through that interface (duh!).
Beginning with Shorewall 4.0.5, the warning message will read:
3) As announced in the Shorewall 4.0.4 release notes, Shorewall-perl
no longer supports the 'detectnets' option. Specifying that option
now results in the following message:
WARNING: Support for the 'detectnets' option has been removed
It is suggested that 'detectnets' be replaced by
'routefilter,logmartians'. That will produce the same filtering
effect as 'detectnets' while eliminating 1-2 rules per connection.
One user has asked how to retain the output of 'shorewall show
zones' if the 'detectnets' option is removed. While I don't advise
doing so, you can reproduce the current 'shorewall show' behavior
as follows.
Suppose that you have a zone named 'wifi' that produces the
following output with 'detectnets':
wifi (ipv4)
eth1:192.168.3.0/24
You can reproduce this behavior as follows:
/etc/shorewall/interfaces:
- eth1 detect ...
/etc/shorewall/hosts:
wifi eth1:192.168.3.0/24 broadcast
If you send multicast to the 'wifi' zone, you also need this entry
in your hosts file:
wifi eth1:224.0.0.0/4 destonly
4) (Shorewall-perl only) The server port in a DNAT or REDIRECT rule
may now be specified as a service name from
/etc/services. Additionally:
a) A port-range may be specified as the service port expressed in
the format <low port>-<high port>. Connections are assigned to
server ports in round-robin fashion.
b) The compiler only permits a server port to be specified if the
protocol is tcp or udp.
c) The compiler ensures that the server IP address is valid (note
that it is still not permitted to specify the server address as a
DNS name).
5) (Shorewall-perl only) Users are complaining that when they migrate
to Shorewall-perl, they have to restrict their port lists to 15
ports. In this release, we relax that restriction on destination
port lists. Since the SOURCE PORT(s) column in the configuration
files is rarely used, we have no plans to relax the restriction in
that column.
6) There have been several cases where iptables-restore has failed
while executing a COMMIT command in the .iptables_restore_input
file. This gives neither the user nor Shorewall support much to go
on when analyzing the problem. As a new debugging aid, the meaning
of 'trace' and 'debug' have been changed.
Traditionally, /sbin/shorewall and /sbin/shorewall-lite have
allowed either 'trace' or 'debug' as the first run-line
parameter. Prior to 4.0.5, the two words produced the same effect.
Beginning with Shorewall 4.0.5, the two words have different
effects when Shorewall-perl is used.
trace - Like the previous behavior.
In the Shorewall-perl compiler, generate a stack trace
on WARNING and ERROR messages.
In the generated script, sets the shell's -x option to
trace execution of the script.
debug - Ignored by the Shorewall-perl compiler.
In the generated script, causes the commands in
.iptables_restore_input to be executed as discrete iptables
commands. The failing command can thus be identified and a
diagnosis of the cause can be made.
Users of Shorewall-lite will see the following change when using a
script that was compiled with Shorewall-perl 4.0.5 or later.
trace - In the generated script, sets the shell's -x option to
trace execution of the script.
debug - In the generated script, causes the commands in
.iptables_restore_input to be executed as discrete iptables
commands. The failing command can thus be identified and a
diagnosis of the cause can be made.
In all other cases, 'debug' and 'trace' remain synonymous. In
particular, users of Shorewall-shell will see no change in
behavior.
WARNING: The 'debug' feature in Shorewall-perl is strictly for
problem analysis. When 'debug' is used:
a) The firewall is made 'wide open' before the rules are applied.
b) The routestopped file is not consulted and the rules are applied
in the canonical iptables-restore order (ASCIIbetical by chain).
So if you need critical hosts to be always available during
start/restart, you may not be able to use 'debug'.
7) /usr/share/shorewall-perl/buildports.pl,
/usr/share/shorewall-perl/FallbackPorts.pm and
/usr/share/shorewall-perl/Shorewall/Ports.pm have been removed.
Shorewall now resolves protocol and port names as using Perl's
interface to the the standard C library APIs getprotobyname() and
getservbyname().
Note 1:
The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL',
'icmp' and 'ICMP' are still resolved by Shorewall-perl
itself.
Note 2:
Those of you running Shorewall-perl under Cygwin may wish to
install "real" /etc/protocols and /etc/services files
in place of the symbolic links installed by Cygwin.
8) The contents of the Shorewall::*::$VERSION variables are now a
V-string (e.g., 4.0.5) rather than an integer (e.g., 4.05). This is
only of interest for Perl programs that are using the modules and
specifying a minimum version (e.g., "use Shorewall::Config
4.0.5;"). Each module continues to carry a separate version which
indicates the release of Shorewall-perl when the module was last
modified.
Migration Considerations:
1) Beginning with Shorewall 4.0.0, there is no single 'shorewall'
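Review bot: several typos in the new 4.0.5 text: "acccepted" in the hosts example (should be "accepted"), "resolves protocol and port names as using Perl's" (drop "as"), "the the standard C library" (doubled "the"), and the quoted message `WARNING: Support for the 'detectnets' option will be removed from Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians` is missing its closing quote. The heading "Problems corrected in Shorewall 4.0.5." has a trailing period and lowercase "corrected", unlike the other section headings. Since the WARNING about 'debug' (firewall made wide open before the rules are applied, routestopped not consulted) is the one operational caution in the section, consider placing it directly after the description of 'debug' rather than after the Shorewall-lite paragraph, so that a reader who stops at the option description does not miss it.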
@ -334,15 +387,10 @@ Migration Considerations:
This capability is in current distributions.
b) Now that Netfilter has features to deal reasonably with port lists,
I see no reason to duplicate those features in Shorewall. The
Bourne-shell compiler goes to great pain (in some cases) to
break very long port lists ( > 15 where port ranges in lists
count as two ports) into individual rules. In the new compiler, I'm
avoiding the ugliness required to do that. The new compiler just
generates an error if your list is too long. It will also produce
an error if you insert a port range into a port list and you don't
have extended multiport support.
b) Shorewall-perl does not attempt to break up SOURCE PORT(s) lists
longer than 15 ports (where a port range counts as two
ports). It also doesn't permit port ranges in a port list unless
the kernel and iptables support Extended Multiport Match.
c) The old BRIDGING=Yes support has been replaced by new bridge
support that uses the reduced 'physdev match' capabilities found
@ -439,7 +487,7 @@ Migration Considerations:
- Otherwise, the rule is added to accounting only.
See http://www.shorewall.net/4.0/bridge-Shorewall-perl.html for
See http://www.shorewall.net/bridge-Shorewall-perl.html for
additional information about the new bridge support.
d) The BROADCAST column in the interfaces file is essentially unused;
@ -478,13 +526,20 @@ Migration Considerations:
To add a rule to the chain:
add_rule( $chainref, <the rule> );
add_rule( $chainref, <the rule> [, <expand-dports> ] );
Where
<the rule> is a scalar argument holding the rule text. Do
not include "-A <chain name>"
<expand-dports> is optional. If <expand-dports> is
present and evaluates to True and if <the rule> contains
a --dports list with more than 15 ports listed (each port
range counts as two ports), then add_rule() will break
<the rule> into multiple rules, each having 15 or fewer
ports in its --dports list.
Example:
add_rule( $chainref, '-j ACCEPT' );
@ -525,11 +580,11 @@ Migration Considerations:
my $chainref = $chain_table{'filter'}{'INPUT'};
The continue script is eliminated. That script was designed to
The 'continue' script is eliminated. That script was designed to
allow you to add special rules during [re]start. Shorewall-perl
doesn't need such rules.
See http://www.shorewall.net/4.0/shorewall_extension_scripts.htm
See http://www.shorewall.net/shorewall_extension_scripts.htm
for further information about extension scripts under
Shorewall-perl.
@ -973,30 +1028,7 @@ Migration Considerations:
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
classes generated by /etc/shorewall/tcclasses.
10) During installation, Shorewall generates the Perl module
/usr/share/shorewall-perl/Shorewall/Ports.pm, using your
/etc/protocols and /etc/services as input.
To re-generate the module from those two files:
1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm
file.
2. /usr/share/shorewall-perl/buildports.pl > \
/usr/share/shorewall-perl/Shorewall/Ports.pm
Note: If the buildports.pl program fails to run to a successful
completion during installation, a fallback version of
module will be installed. That fallback module was generated from
the /etc/protocols and /etc/services shipped with Ubuntu Feisty
Fawn.
Even if the buildports.pl program runs successfully, the fallback
module is also installed as
/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you
encounter problems with the generated module, simply copy the
fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm.
11) Tuomo Soini has contributed bi-directional macros for various
10) Tuomo Soini has contributed bi-directional macros for various
tunnel types:
IPsecah
@ -1006,13 +1038,13 @@ Migration Considerations:
IPsecnat
L2TP
12) The -f option is no longer the default when Shorewall is started at
11) The -f option is no longer the default when Shorewall is started at
boot time (usually via /etc/init.d/shorewall). With Shorewall-perl,
"shorewall start" is nearly as fast as "shorewall restore" and
"shorewall start" uses the current configuration which avoids
confusion.
13) The implementation of LITEDIR has always been
12) The implementation of LITEDIR has always been
unsatisfactory. Furthermore, there have been other cases where
people have asked to be able to designate the state directory
(default /var/lib/shorewall[-lite]).
@ -1435,3 +1467,149 @@ Other Changes in 4.0.3
This feature requires Shorewall-perl 4.0.3 as well as
Shorewall-common 4.0.3.
Problems Corrected in Shorewall 4.0.4
1) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the 'start' and 'restart' command failed:
ERROR: No filter chain found with name blacklst
New Shorewall-perl 4.0.3 packages were released that corrected this
problem; it is included here for completeness.
2) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the generated script would issue this harmless
message during 'shorewall refresh':
chainlist_reload: Not found
3) If /bin/sh was a light-weight shell such as ash or dash, then
'shorewall refresh' failed.
4) During start/restart, the script generated by Shorewall-perl was
clearing the proxy_arp flag on all interfaces; that is not the
documented behavior.
5) If the module-init-tools package was not installed and
/etc/shorewall/modules did not exist or was non-empty, then
Shorewall-perl would fail with the message:
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
6) Shorewall-perl now makes a compile-time check to insure that
iptables-restore exists and is executable. This check is made when
the compiler is being run by root and the -e option is not
given.
Note that iptables-restore must reside in the same directory as the
iptables executable specified by IPTABLES in shorewall.conf or
located by the PATH in the event that IPTABLES is not specified.
7) When using Shorewall-perl, if an action was invoked with more than
10 different combinations of log-levels/tags, some of those
invocations would have incorrect logging.
8) Previously, when 'shorewall restore' was executed, the
iptables-restore utility was always located using the PATH setting
rather than the IPTABLES setting.
With Shorewall-perl, the IPTABLES setting is now used to locate
this utility during 'restore' as it is during the processing of
other commands.
9) Although the shorewall.conf manpage indicates that the value
'internal' is allowed for TC_ENABLED, that value was previously
rejected ('Internal' was accepted).
10) The meaning of the 'loose' provider option was accidentally reversed
in Shorewall-perl. Rather than causing certain routing rules to be
omitted when specified, it actually caused them to be added (these
rules were omitted when the option was NOT specified).
11) If the 'bridge' option was specified on an interface but there were
no bport zones, then traffic originating on the firewall was not
passed through the accounting chain.
12) In commands such as:
shorewall compile <directory>
shorewall restart <directory>
shorewall check <directory>
if the name of the <directory> contained a period ("."), then
Shorewall-perl would incorrectly substitute the current working
directory for the name.
13) Previously, if the following sequence of routing rules was
specified, then the first rule would always be omitted.
#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000
The reason for this omission was that Shorewall uses a
delete-before-add approach and attempting to delete the third rule
resulted in the deletion of the first one instead.
This problem occurred with both compilers.
14) When using Shorewall-shell, provider numbers were not recognized in
the PROVIDER column of /etc/shorewall/route_rules.
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
rejected in the MARK column of /etc/shorewall/tcclasses.
16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a
multiple of 256. That restriction was being enforced by
Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also
enforces this restriction.
17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT)
failed with an "Unknown interface" error when using Shorewall-perl.
Other Changes in Shorewall 4.0.4
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
is not a match at all but rather is a feature of recent versions of
iptables that allows a particular match to be used multiple times
within a single rule.
Example:
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
When using Shorewall-shell, the availability of 'Repeat Match' can
speed up compilation very slightly.
2) Apparently recent Fedora releases are broken. The
following sequence of commands demonstrates the problem:
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
The third command should fail but doesn't; instead, it incorrectly
removes the rule added by the first command.
To work around this issue, you can set DELETE_THEN_ADD=No in
shorewall.conf which prevents Shorewall from deleting ip rules
before attempting to add a similar rule.
3) When using Shorewall-perl, the following message is now issued if
the 'detectnets' option is specified in /etc/shorewall/interfaces:
WARNING: Support for the 'detectnets' option will be removed from
Shorewall-perl in version 4.0.5; better to use 'routefilter' and
'logmartians
The 'detect' options has always been rather silly. On input, it
duplicates the function of 'routefilter'. On output, it is a no-op
since traffic that doesn't match a route out of an interface won't
be sent through that interface (duh!).
Beginning with Shorewall 4.0.5, the warning message will read:
WARNING: Support for the 'detectnets' option has been removed
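Review bot: the 4.0.4 block relocated here still carries the unbalanced quote in the warning text (`'logmartians` has no closing quote, and the line is now wrapped in the middle of the quoted message) and the typo "The 'detect' options has always been" (should be "The 'detectnets' option has always been"). Since the text is being moved anyway, this is a good moment to fix both.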

View File

@ -118,6 +118,11 @@
#
# Set the configuration variables from shorewall.conf
#
# $1 = Yes: read the params file
# $2 = Yes: check for STARTUP_ENABLED
# $3 = Yes: Check for LOGFILE
#
#
get_config() {
ensure_config_path
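Review bot: the new header comment ends with two consecutive bare `#` lines; one of them is redundant. The three positional flags are also described in three different styles ("read the params file", "check for STARTUP_ENABLED", "Check for LOGFILE"); since callers pass them as bare Yes/No values (`get_config No No No` later in this file), a uniform "$N = Yes: ..." wording makes such calls easier to decode.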
@ -286,23 +291,16 @@ compiler() {
# Both compilers installed. Read the appropriate shorewall.conf to learn the setting of SHOREWALL_COMPILER
#
if [ -n "$SHOREWALL_DIR" ]; then
shell=$SHOREWALL_SHELL
[ -x $pc ] && set -a
run_user_exit params
set +a
haveparams=Yes
config=$(find_file shorewall.conf)
get_config No No No
if [ -f $config ]; then
if [ -r $config ]; then
progress_message "Processing $config..."
. $config
else
startup_error "Cannot read $config (Hint: Are you root?)"
fi
else
startup_error "$config does not exist!"
fi
SHOREWALL_SHELL=$shell
fi
#
# And initiate the appropriate compiler
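Review bot: replacing the inline read of shorewall.conf with `get_config No No No` also removes the `run_user_exit params` / `set -a` / `haveparams=Yes` block that the old code executed first. Per the new header comment ("$1 = Yes: read the params file"), passing No means the params file is no longer read at this point, so any variable it defined (including a SHOREWALL_COMPILER setting) is not visible when the compiler is chosen, and `haveparams` is no longer set for later code that tests it. If get_config reads params through some other path this is fine, but if not, the first argument should be Yes or the params block should be kept. The `shell=$SHOREWALL_SHELL` save/restore around the call is still needed and correctly preserved.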
@ -326,7 +324,7 @@ compiler() {
# Perl compiler only takes the output file as a argument
[ "$1" = debug ] && shift;
[ "$1" = debug -o "$1" = trace ] && shift;
[ "$1" = nolock ] && shift;
shift
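Review bot: `[ "$1" = debug -o "$1" = trace ] && shift;` compares `$1` without the `x` prefix that the parallel test later in this file (`[ "x$1" = "xdebug" -o "x$1" = "xtrace" ]`) uses; with an argument such as `!` or `(`, the unprefixed form can be misparsed by test. Use the prefixed form here as well for consistency.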
@ -334,7 +332,7 @@ compiler() {
[ -n "$EXPORT" ] && options="$options --export "
[ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "
[ -n "$TIMESTAMP" ] && options="$options --timestamp "
[ -n "$debugging" ] && options="$options --debug "
[ "$debugging" = trace ] && options="$options --debug "
[ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS"
[ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed"
#
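Review bot: `[ "$debugging" = trace ] && options="$options --debug "` maps the run-line word 'trace' onto the compiler's `--debug` option, while the run-line word 'debug' is deliberately not passed to the compiler at all. That naming inversion is correct per the release notes (trace = stack trace in the compiler, debug = discrete iptables commands in the generated script), but it is surprising to the next reader; a one-line comment stating the mapping here would save a trip to releasenotes.txt.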
@ -1318,7 +1316,7 @@ usage() # $1 = exit status
debugging=
if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
debugging=debug
debugging=$1
shift
fi

View File

@ -1,5 +1,5 @@
%define name shorewall-common
%define version 4.0.4
%define version 4.0.5
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -240,6 +240,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
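Review bot: the date in the new %changelog entry `* Tue Oct 03 2007 Tom Eastep tom@shorewall.net` is wrong: 3 October 2007 was a Wednesday (it is exactly four weeks after the "Wed Sep 05 2007" entry below it). rpmbuild warns about bogus weekday/date combinations in %changelog, so this should read "Wed Oct 03 2007".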

View File

@ -169,6 +169,8 @@ KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.4
VERSION=4.0.5
usage() # $1 = exit status
{

View File

@ -1 +1 @@
This is the Shorewall-lite Development 4.0 branch of SVN.
This is the Shorewall-lite Stable 4.0 branch of SVN.

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.0.4
VERSION=4.0.5
usage() # $1 = exit status
{

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.4
VERSION=4.0.5
usage() # $1 = exit status
{

View File

@ -383,7 +383,7 @@ usage() # $1 = exit status
debugging=
if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
debugging=debug
debugging=$1
shift
fi

View File

@ -1,5 +1,5 @@
%define name shorewall-lite
%define version 4.0.4
%define version 4.0.5
%define release 1
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,6 +98,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
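Review bot: same weekday error as in the shorewall-common spec: `* Tue Oct 03 2007` should be "Wed Oct 03 2007" (four weeks after the "Wed Sep 05 2007" entry), otherwise rpmbuild reports a bogus date in %changelog.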

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.4
VERSION=4.0.5
usage() # $1 = exit status
{

View File

@ -1,2 +1,2 @@
This is the Shorewall-perl Development 4.0 branch of SVN.
This is the Shorewall-perl Stable 4.0 branch of SVN.

View File

@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( );
our $VERSION = '4.03';
our $VERSION = 4.0.3;
#
# Initialize globals -- we take this novel approach to globals initialization to allow
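Review bot: `our $VERSION = 4.0.3;` relies on Perl treating a bare numeric literal with two or more dots as a v-string; a future single-dot value such as `4.1` would silently become a floating-point number and compare differently, and v-strings print as raw characters rather than as "4.0.3" in diagnostics. Since the release notes say the intent is to support `use Shorewall::Config 4.0.5;`-style minimum versions, consider `use version; our $VERSION = qv('4.0.3');` or at least a comment documenting the convention. The same applies to the Actions.pm and Chains.pm changes in this commit.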

View File

@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
%macros
);
our @EXPORT_OK = qw( initialize );
our $VERSION = '4.04';
our $VERSION = 4.0.4;
#
# Used Actions. Each action that is actually used has an entry with value 1.

View File

@ -28,7 +28,6 @@ package Shorewall::Chains;
require Exporter;
use Shorewall::Config;
use Shorewall::Ports;
use Shorewall::Zones;
use Shorewall::IPAddrs;
@ -88,6 +87,7 @@ our @EXPORT = qw( STANDARD
setup_zone_mss
newexclusionchain
clearrule
validate_portrange
do_proto
mac_match
verify_mark
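Review bot: `validate_portrange` is added to @EXPORT, but no definition of it appears in the Chains.pm hunks of this diff (the new subs visible further down are resolve_proto, proto_name, validate_port and validate_portpair); please confirm it is defined, since an exported but undefined symbol only fails at the first call. Conversely, if resolve_proto and proto_name replace validate_proto for callers in other modules, they need exporting here as well.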
@ -126,7 +126,7 @@ our @EXPORT = qw( STANDARD
%targets
);
our @EXPORT_OK = qw( initialize );
our $VERSION = '4.04';
our $VERSION = 4.0.5;
#
# Chain Table
@ -135,7 +135,8 @@ our $VERSION = '4.04';
# table => <table name>
# is_policy => 0|1
# is_optional => 0|1
# referenced => 0|1
# referenced => 0|1 -- If 1, will be written to the iptables-restore-input.
# builtin => 0|1 -- If 1, one of Netfilter's built-in chains.
# log => <logging rule number for use when LOGRULENUMBERS>
# policy => <policy>
# policychain => <name of policy chain> -- self-reference if this is a policy chain
@ -370,17 +371,9 @@ sub mark_referenced( $ ) {
$_[0]->{referenced} = 1;
}
#
# Add a rule to a chain. Arguments are:
#
# Chain reference , Rule
#
sub add_rule($$)
{
sub push_rule( $$ ) {
my ($chainref, $rule) = @_;
$iprangematch = 0;
$rule .= qq( -m comment --comment "$comment") if $comment;
if ( $chainref->{cmdlevel} ) {
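Review bot: renaming the old `add_rule` body to `push_rule` drops its header comment, so `push_rule` now has no comment explaining that it is the unconditional, non-splitting primitive behind the new `add_rule`; that distinction is exactly what the rest of this commit depends on. Suggest restoring a short comment above `sub push_rule( $$ ) {` saying that it appends the rule verbatim and that callers wanting --dports splitting should use add_rule.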
@ -392,6 +385,63 @@ sub add_rule($$)
}
}
#
# Add a rule to a chain. Arguments are:
#
# Chain reference , Rule [, Expand-long-dest-port-lists ]
#
sub add_rule($$;$)
{
my ($chainref, $rule, $expandports) = @_;
$iprangematch = 0;
#
# Pre-processing the port lists as was done in Shorewall-shell results in port-list
# processing driving the rest of rule generation.
#
# By post-processing each rule generated by expand_rule(), we avoid all of that
# messiness and replace it with the following localized messiness.
#
# Because source ports are seldom specified and source port lists are rarer still,
# we only worry about the destination ports.
#
if ( $expandports && $rule =~ '^(.* --dports\s+)([^ ]+)(.*)$' ) {
my ($first, $ports, $rest) = ( $1, $2, $3 );
if ( ( $ports =~ tr/:,/:,/ ) > 15 ) {
my @ports = split '([,:])', $ports;
while ( @ports ) {
my $count = 0;
my $newports = '';
while ( @ports && $count < 15 ) {
my ($port, $separator) = ( shift @ports, shift @ports );
$separator ||= '';
if ( ++$count == 15 ) {
if ( $separator eq ':' ) {
unshift @ports, $port, ':';
last;
} else {
$newports .= $port;
}
} else {
$newports .= "${port}${separator}";
}
}
push_rule ( $chainref, join( '', $first, $newports, $rest ) );
}
} else {
push_rule ( $chainref, $rule );
}
} else {
push_rule ( $chainref, $rule );
}
}
#
# Insert a rule into a chain. Arguments are:
#
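Review bot: two logic problems in the --dports splitting. First, when the 15th element is the low end of a range (`if ( $separator eq ':' ) { unshift @ports, $port, ':'; last; }`), the chunk accumulated so far ends with the comma appended by the previous iteration (`$newports .= "${port}${separator}"`), so the emitted rule contains `--dports 1,2,...,14,` with a trailing comma, which iptables rejects; strip the trailing separator before `push_rule`. Second, `( $ports =~ tr/:,/:,/ ) > 15` counts separators, and a list of 16 single ports has only 15 commas, so it passes through unsplit although it exceeds the 15-port multiport limit described in the comment; the test should be `>= 15` (a list of N numbers has N-1 separators, and a range contributes two numbers). Minor: `$iprangematch = 0;` is now reset both here and in push_rule, so one of the two can go.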
@ -503,7 +553,7 @@ sub dynamic_chains( $ ) #$1 = interface
{
my $c = chain_base_cond($_[0]);
[ $c . '_dyni' , $c . '_dynf' , $c . '_dyno' ];
( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' );
}
#
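Review bot: `dynamic_chains` now returns the list `( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' )` instead of the array reference `[ ... ]`, so every caller that dereferenced the old result (`@{ dynamic_chains(...) }` or `->[0]`) must be updated; none of those call sites appear in this diff, so please double-check them. The same return-type change is made to `first_chains` in the next hunk.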
@ -537,7 +587,7 @@ sub first_chains( $ ) #$1 = interface
{
my $c = chain_base_cond($_[0]);
[ $c . '_fwd', $c . '_in' ];
( $c . '_fwd', $c . '_in' );
}
#
@ -759,36 +809,57 @@ sub clearrule() {
$iprangematch = 0;
}
sub validate_proto( $ ) {
#
# Resolve the contents of the PROTO column.
#
our %nametoproto = ( all => 0, ALL => 0, icmp => 1, ICMP => 1, tcp => 6, TCP => 6, udp => 17, UDP => 17 );
our @prototoname = ( 'all', 'icmp', '', '', '', '', 'tcp', '', '', '', '', '', '', '', '', '', '', 'udp' );
#
# Returns the protocol number if the passed argument is a valid protocol number or name. Returns undef otherwise
#
sub resolve_proto( $ ) {
my $proto = $_[0];
my $value = $protocols{$proto};
return $value if defined $value;
return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535;
return $proto if $proto eq 'all';
fatal_error "Invalid/Unknown protocol ($proto)";
my $number;
$proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
}
sub validate_portpair( $ ) {
my $portpair = $_[0];
sub proto_name( $ ) {
my $proto = $_[0];
$proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
}
sub validate_port( $$ ) {
my ($proto, $port) = @_;
my $value;
if ( $port =~ /^(\d+)$/ ) {
return $port if $port <= 65535;
} else {
$proto = getprotobyname $proto if $proto =~ /^(\d+)$/;
$value = getservbyname( $port, $proto );
}
fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
$value;
}
sub validate_portpair( $$ ) {
my ($proto, $portpair) = @_;
fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
$portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':';
$portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
my @ports = split/:/, $portpair, 2;
my @ports = split /:/, $portpair, 2;
for my $port ( @ports ) {
my $value = $services{$port};
unless ( defined $value ) {
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
}
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
$port = $value;
}
$_ = validate_port( $proto, $_) for ( @ports );
if ( @ports == 2 ) {
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
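Review bot: validate_port() converts a numeric protocol the wrong way. `$proto = getprotobyname $proto if $proto =~ /^(\d+)$/;` returns a protocol number (or undef for a numeric string) rather than a name, so getservbyname( $port, ... ) then fails for every service name whenever a number is passed; it should be proto_name() / getprotobynumber(), or the numeric branch should be dropped since all callers in this patch already pass a name. Separately, resolve_proto() still accepts any number up to 65535 (`$proto <= 65535`), but IP protocol numbers are 8-bit and iptables rejects larger values; since the line is being rewritten, tighten it to 255 so the error surfaces at compile time rather than from iptables-restore.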
@ -798,17 +869,38 @@ sub validate_portpair( $ ) {
}
sub validate_port_list( $ ) {
sub validate_portrange( $$ ) {
my ($proto, $portpair) = @_;
if ( $portpair =~ tr/-/-/ > 1 || substr( $portpair, 0, 1 ) eq '-' || substr( $portpair, -1, 1 ) eq '-' ) {
fatal_error "Invalid port range ($portpair)";
}
my @ports = split /-/, $portpair, 2;
$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
if ( @ports == 2 ) {
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
}
join '-', @ports;
}
sub validate_port_list( $$ ) {
my $result = '';
my $list = $_[0];
my ( $proto, $list ) = @_;
my @list = split/,/, $list;
if ( @list > 1 && $list =~ /:/ ) {
require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
}
$proto = proto_name $proto;
for ( @list ) {
my $value = validate_portpair( $_ );
my $value = validate_portpair( $proto , $_ );
$result = $result ? join ',', $result, $value : $value;
}
@ -886,65 +978,93 @@ sub do_proto( $$$ )
$ports = '' if $ports eq '-';
$sports = '' if $sports eq '-';
if ( $proto ) {
if ( $proto =~ /^(((tcp|6)((:syn)?))|(udp|17))$/ ) {
if ( $proto ne '' ) {
if ( $4 ) {
$output = '-p 6 --syn ';
} else {
$proto = $protocols{$proto} if defined $protocols{$proto};
my $synonly = ( $proto =~ s/:syn$//i );
my $protonum = resolve_proto $proto;
if ( defined $protonum ) {
#
# Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent
#
my $pname = proto_name( $proto = $protonum );
#
# $proto now contains the protocol number and $pname contains the canonical name of the protocol
#
unless ( $synonly ) {
$output = "-p $proto ";
}
my $multiport = 0;
if ( $ports ne '' ) {
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables ($ports)" unless $capabilities{MULTIPORT};
fatal_error "Too many entries in port list ($ports)" if port_count( $ports ) > 15;
$ports = validate_port_list $ports;
$output .= "-m multiport --dports $ports ";
$multiport = 1;
} else {
$ports = validate_portpair $ports;
$output .= "--dport $ports ";
}
} else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
fatal_error '":syn" is only allowed with tcp' unless $proto == TCP;
$output = "-p $proto --syn ";
}
if ( $sports ne '' ) {
if ( $multiport ) {
fatal_error "Too many entries in port list ($sports)" if port_count( $sports ) > 15;
$sports = validate_port_list $sports;
$output .= "-m multiport --sports $sports ";
} else {
$sports = validate_portpair $sports;
$output .= "--sport $sports ";
}
}
} elsif ( $proto =~ /^(icmp|1)$/i ) {
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
$output .= "-p icmp ";
PROTO:
{
if ( $ports ne '' ) {
$ports = validate_icmp $ports;
$output .= "--icmp-type $ports ";
}
if ( $proto == TCP || $proto == UDP ) {
my $multiport = 0;
if ( $ports ne '' ) {
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
$ports = validate_port_list $pname , $ports;
$output .= "-m multiport --dports $ports ";
$multiport = 1;
} else {
$ports = validate_portpair $pname , $ports;
$output .= "--dport $ports ";
}
} else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
}
if ( $sports ne '' ) {
if ( $multiport ) {
fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15;
$sports = validate_port_list $pname , $sports;
$output .= "-m multiport --sports $sports ";
} else {
$sports = validate_portpair $pname , $sports;
$output .= "--sport $sports ";
}
}
last PROTO; }
if ( $proto == ICMP ) {
if ( $ports ne '' ) {
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
$ports = validate_icmp $ports;
$output .= "--icmp-type $ports ";
}
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
last PROTO; }
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
} # PROTO
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
require_capability( 'IPP2P_MATCH' , 'PROTO = ipp2p' , 's' );
$proto = $2 ? $3 : 'tcp';
$ports = 'ipp2p' unless $ports;
$output .= "-p $proto -m ipp2p --$ports ";
} else {
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $proto" if $ports ne '' || $sports ne '';
$proto = validate_proto $proto;
$output .= "-p $proto ";
fatal_error '":syn" is only allowed with tcp' if $synonly;
if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
my $p = $2 ? lc $3 : 'tcp';
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
$proto = "-p $nametoproto{$p} ";
$ports = 'ipp2p' unless $ports;
$output .= "${proto}-m ipp2p --$ports ";
} else {
fatal_error "Invalid/Unknown protocol ($proto)"
}
}
} elsif ( $ports ne '' || $sports ne '' ) {
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO"
} else {
#
# No protocol
#
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne '';
}
$output;
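Review bot: the `port_count( $ports ) > 15` guard for DEST PORT(S) has been removed from do_proto() on the assumption that add_rule() will split long lists, but add_rule() only splits when its third argument is true, and callers of add_rule() that consume do_proto() output outside the expand_rule()/log_rule_limit() paths changed here are not shown in this commit; any such rule with more than 15 destination ports now compiles cleanly and fails at iptables-restore time. Keep a backstop fatal_error in do_proto() for callers that do not opt in, or audit every add_rule() call that takes do_proto() output. The SOURCE PORT(S) limit (`fatal_error "Too many entries in SOURCE PORT(S) list"`) is still enforced, so the two columns now behave differently and that asymmetry should be documented.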
@ -1251,6 +1371,8 @@ sub log_rule_limit( $$$$$$$$ ) {
return 1 if $level eq '';
$predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' ';
unless ( $predicates =~ /-m limit / ) {
$limit = $globals{LOGLIMIT} unless $limit && $limit ne '-';
$predicates .= $limit if $limit;
@ -1284,10 +1406,8 @@ sub log_rule_limit( $$$$$$$$ ) {
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
}
$predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' ';
if ( $command eq 'add' ) {
add_rule ( $chainref, $predicates . $prefix );
add_rule ( $chainref, $predicates . $prefix , 1 );
} else {
insert_rule ( $chainref , 1 , $predicates . $prefix );
}
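Review bot: only the `add` branch passes the expand flag (`add_rule ( $chainref, $predicates . $prefix , 1 );`); the `insert_rule` branch directly below gets no port-list expansion, so a LOG rule inserted at the head of a chain with more than 15 destination ports is still emitted as one over-long multiport match. Either give insert_rule() the same expansion or document that the insert path is limited to short lists.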
@ -1702,7 +1822,7 @@ sub expand_rule( $$$$$$$$$$ )
#
# We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE}
#
add_rule $chainref, join( '', $rule, match_source_net( $inet), match_dest_net( $dnet ), $onet, "-j $echain" );
add_rule( $chainref, join( '', $rule, match_source_net( $inet), match_dest_net( $dnet ), $onet, "-j $echain" ), 1 );
}
}
}
@ -1725,7 +1845,7 @@ sub expand_rule( $$$$$$$$$$ )
#
# Generate Final Rule
#
add_rule( $echainref, $exceptionrule . $target ) unless $disposition eq 'LOG';
add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
} else {
#
# No exclusions
@ -1750,9 +1870,10 @@ sub expand_rule( $$$$$$$$$$ )
}
unless ( $disposition eq 'LOG' ) {
add_rule
$chainref,
join( '', $rule, match_source_net ($inet), match_dest_net( $dnet ), $onet, $target );
add_rule(
$chainref,
join( '', $rule, match_source_net ($inet), match_dest_net( $dnet ), $onet, $target ) ,
1 );
}
}
}
@ -1968,9 +2089,11 @@ sub create_netfilter_load() {
#
emit( 'exec 3>&-',
'',
'progress_message2 "Running iptables-restore..."',
'[ -n "$DEBUG" ] && command=debug_restore_input || command=$IPTABLES_RESTORE',
'',
'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux',
'progress_message2 "Running $command..."',
'',
'cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux',
'if [ $? != 0 ]; then',
' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
"fi\n"
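Review bot: the failure message after the pipeline still says `iptables-restore Failed.` even when $command is debug_restore_input; use `$command` in the message so a debug run is not mistaken for a real load failure. `[ -n "$DEBUG" ] && command=debug_restore_input || command=$IPTABLES_RESTORE` is safe only because an assignment always succeeds; a comment saying so would stop someone later putting a real command in the middle branch.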
@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
our @EXPORT_OK = qw( $export );
our $VERSION = '4.04';
our $VERSION = 4.0.4;
our $export;
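Review bot: this module is bumped to `4.0.4` while Config.pm, IPAddrs.pm, Policy.pm, Rules.pm, Tc.pm and Zones.pm in the same commit go to 4.0.5 and Nat.pm, Providers.pm, Proxyarp.pm and Tunnels.pm stay at 4.0.3/4.0.1; if the per-module number is meant to track the last change to that file, say so in a comment, otherwise Compiler.pm should read 4.0.5 as well. Also, the bare v-string form `our $VERSION = 4.0.4;` is what the changelog asks for, but a v-string interpolates as control characters, so anything that prints or string-compares $VERSION needs `sprintf '%vd', $VERSION`.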
@ -485,11 +485,12 @@ EOF
# parsing routines that are called directly out of 'compiler()'.
#
# We create two separate functions rather than one so that the
# define_firewall() shell can set global IP configuration variables
# define_firewall() shell function can set global IP configuration variables
# after the old config has been cleared and before we start instantiating
# the new config. That way, the variables reflect the way that the
# distribution's tools have configured IP without any Shorewall
# modifications.
# modifications and the firewall configuration is the same after
# 'restart' as it is after 'start'.
#
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
# than those related to writing to the object file.
@ -94,7 +94,7 @@ our @EXPORT = qw(
%capabilities );
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
our $VERSION = '4.04';
our $VERSION = 4.0.5;
#
# describe the current command, it's present progressive, and it's completion.
@ -230,7 +230,7 @@ sub initialize() {
ORIGINAL_POLICY_MATCH => '',
LOGPARMS => '',
TC_SCRIPT => '',
VERSION => '4.0.4',
VERSION => '4.0.5',
CAPVERSION => 40003 ,
);
#
@ -552,8 +552,14 @@ sub copy( $ ) {
open IF , $file or fatal_error "Unable to open $file: $!";
while ( <IF> ) {
s/^/$indent/ if $indent;
print $object $_;
if ( /^\s*$/ ) {
print $object "\n" unless $lastlineblank;
$lastlineblank = 1;
} else {
s/^/$indent/ if $indent;
print $object $_;
$lastlineblank = 0;
}
}
close IF;
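Review bot: `$lastlineblank` is read on the first iteration (`print $object "\n" unless $lastlineblank;`) but its declaration and initial value are outside this hunk; under `use strict` it must be declared, and it should be reset at the start of copy() so that blank-line collapsing does not depend on the state left by a previous call. The indent is also now applied only to non-blank lines, which changes the output of the old code that indented every line; worth a comment.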
@ -1468,7 +1474,7 @@ sub get_configuration( $ ) {
default_yes_no 'EXPAND_POLICIES' , '';
default_yes_no 'KEEP_RT_TABLES' , '';
default_yes_no 'DELETE_THEN_ADD' , 'Yes';
default_yes_no 'MULTICAST ' , '';
default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
@ -1,518 +0,0 @@
#
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Ports.pm
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This module exports the %protocols and %services hashes built from
# /etc/protocols and /etc/services respectively.
#
# Module generated using buildports.pl 4.0.0-Beta7 - Fri Jun 29 14:10:45 2007
#
package Shorewall::Ports;
use strict;
use warnings;
our @ISA = qw(Exporter);
our @EXPORT = qw( %protocols %services );
our @EXPORT_OK = qw();
our $VERSION = '4.00';
our %protocols = (
ip => 0,
IP => 0,
icmp => 1,
ICMP => 1,
igmp => 2,
IGMP => 2,
ggp => 3,
GGP => 3,
ipencap => 4,
'IP-ENCAP' => 4,
st => 5,
ST => 5,
tcp => 6,
TCP => 6,
egp => 8,
EGP => 8,
igp => 9,
IGP => 9,
pup => 12,
PUP => 12,
udp => 17,
UDP => 17,
hmp => 20,
HMP => 20,
'xns-idp' => 22,
'XNS-IDP' => 22,
rdp => 27,
RDP => 27,
'iso-tp4' => 29,
'ISO-TP4' => 29,
xtp => 36,
XTP => 36,
ddp => 37,
DDP => 37,
'idpr-cmtp' => 38,
'IDPR-CMTP' => 38,
ipv6 => 41,
IPv6 => 41,
'ipv6-route' => 43,
'IPv6-Route' => 43,
'ipv6-frag' => 44,
'IPv6-Frag' => 44,
idrp => 45,
IDRP => 45,
rsvp => 46,
RSVP => 46,
gre => 47,
GRE => 47,
esp => 50,
'IPSEC-ESP' => 50,
ah => 51,
'IPSEC-AH' => 51,
skip => 57,
SKIP => 57,
'ipv6-icmp' => 58,
'IPv6-ICMP' => 58,
'ipv6-nonxt' => 59,
'IPv6-NoNxt' => 59,
'ipv6-opts' => 60,
'IPv6-Opts' => 60,
rspf => 73,
RSPF => 73,
CPHB => 73,
vmtp => 81,
VMTP => 81,
eigrp => 88,
EIGRP => 88,
ospf => 89,
OSPFIGP => 89,
'ax.25' => 93,
'AX.25' => 93,
ipip => 94,
IPIP => 94,
etherip => 97,
ETHERIP => 97,
encap => 98,
ENCAP => 98,
pim => 103,
PIM => 103,
ipcomp => 108,
IPCOMP => 108,
vrrp => 112,
VRRP => 112,
l2tp => 115,
L2TP => 115,
isis => 124,
ISIS => 124,
sctp => 132,
SCTP => 132,
fc => 133,
FC => 133,
);
our %services = (
tcpmux => 1,
echo => 7,
discard => 9,
sink => 9,
null => 9,
systat => 11,
users => 11,
daytime => 13,
netstat => 15,
qotd => 17,
quote => 17,
msp => 18,
chargen => 19,
ttytst => 19,
source => 19,
'ftp-data' => 20,
ftp => 21,
fsp => 21,
fspd => 21,
ssh => 22,
telnet => 23,
smtp => 25,
mail => 25,
time => 37,
timserver => 37,
rlp => 39,
resource => 39,
nameserver => 42,
name => 42,
whois => 43,
nicname => 43,
tacacs => 49,
're-mail-ck' => 50,
domain => 53,
mtp => 57,
'tacacs-ds' => 65,
bootps => 67,
bootpc => 68,
tftp => 69,
gopher => 70,
rje => 77,
netrjs => 77,
finger => 79,
www => 80,
http => 80,
link => 87,
ttylink => 87,
kerberos => 88,
kerberos5 => 88,
krb5 => 88,
'kerberos-sec' => 88,
supdup => 95,
hostnames => 101,
hostname => 101,
'iso-tsap' => 102,
tsap => 102,
'acr-nema' => 104,
dicom => 104,
'csnet-ns' => 105,
'cso-ns' => 105,
rtelnet => 107,
pop2 => 109,
postoffice => 109,
'pop-2' => 109,
pop3 => 110,
'pop-3' => 110,
sunrpc => 111,
portmapper => 111,
auth => 113,
authentication => 113,
tap => 113,
ident => 113,
sftp => 115,
'uucp-path' => 117,
nntp => 119,
readnews => 119,
untp => 119,
ntp => 123,
pwdgen => 129,
'loc-srv' => 135,
epmap => 135,
'netbios-ns' => 137,
'netbios-dgm' => 138,
'netbios-ssn' => 139,
imap2 => 143,
imap => 143,
snmp => 161,
'snmp-trap' => 162,
snmptrap => 162,
'cmip-man' => 163,
'cmip-agent' => 164,
mailq => 174,
xdmcp => 177,
nextstep => 178,
NeXTStep => 178,
NextStep => 178,
bgp => 179,
prospero => 191,
irc => 194,
smux => 199,
'at-rtmp' => 201,
'at-nbp' => 202,
'at-echo' => 204,
'at-zis' => 206,
qmtp => 209,
z3950 => 210,
wais => 210,
ipx => 213,
imap3 => 220,
pawserv => 345,
zserv => 346,
fatserv => 347,
rpc2portmap => 369,
codaauth2 => 370,
clearcase => 371,
Clearcase => 371,
ulistserv => 372,
ldap => 389,
imsp => 406,
https => 443,
snpp => 444,
'microsoft-ds' => 445,
kpasswd => 464,
saft => 487,
isakmp => 500,
rtsp => 554,
nqs => 607,
'npmp-local' => 610,
dqs313_qmaster => 610,
'npmp-gui' => 611,
dqs313_execd => 611,
'hmmp-ind' => 612,
dqs313_intercell => 612,
ipp => 631,
exec => 512,
biff => 512,
comsat => 512,
login => 513,
who => 513,
whod => 513,
shell => 514,
cmd => 514,
syslog => 514,
printer => 515,
spooler => 515,
talk => 517,
ntalk => 518,
route => 520,
router => 520,
routed => 520,
timed => 525,
timeserver => 525,
tempo => 526,
newdate => 526,
courier => 530,
rpc => 530,
conference => 531,
chat => 531,
netnews => 532,
netwall => 533,
gdomap => 538,
uucp => 540,
uucpd => 540,
klogin => 543,
kshell => 544,
krcmd => 544,
afpovertcp => 548,
remotefs => 556,
rfs_server => 556,
rfs => 556,
nntps => 563,
snntp => 563,
submission => 587,
ldaps => 636,
tinc => 655,
silc => 706,
'kerberos-adm' => 749,
webster => 765,
rsync => 873,
'ftps-data' => 989,
ftps => 990,
telnets => 992,
imaps => 993,
ircs => 994,
pop3s => 995,
socks => 1080,
proofd => 1093,
rootd => 1094,
openvpn => 1194,
rmiregistry => 1099,
kazaa => 1214,
nessus => 1241,
lotusnote => 1352,
lotusnotes => 1352,
'ms-sql-s' => 1433,
'ms-sql-m' => 1434,
ingreslock => 1524,
'prospero-np' => 1525,
datametrics => 1645,
'old-radius' => 1645,
'sa-msg-port' => 1646,
'old-radacct' => 1646,
kermit => 1649,
l2f => 1701,
l2tp => 1701,
radius => 1812,
'radius-acct' => 1813,
radacct => 1813,
msnp => 1863,
'unix-status' => 1957,
'log-server' => 1958,
remoteping => 1959,
nfs => 2049,
'rtcm-sc104' => 2101,
cvspserver => 2401,
venus => 2430,
'venus-se' => 2431,
codasrv => 2432,
'codasrv-se' => 2433,
mon => 2583,
dict => 2628,
gpsd => 2947,
gds_db => 3050,
icpv2 => 3130,
icp => 3130,
mysql => 3306,
nut => 3493,
distcc => 3632,
daap => 3689,
svn => 3690,
subversion => 3690,
iax => 4569,
'radmin-port' => 4899,
rfe => 5002,
mmcc => 5050,
sip => 5060,
'sip-tls' => 5061,
aol => 5190,
'xmpp-client' => 5222,
'jabber-client' => 5222,
'xmpp-server' => 5269,
'jabber-server' => 5269,
cfengine => 5308,
postgresql => 5432,
postgres => 5432,
x11 => 6000,
'x11-0' => 6000,
'x11-1' => 6001,
'x11-2' => 6002,
'x11-3' => 6003,
'x11-4' => 6004,
'x11-5' => 6005,
'x11-6' => 6006,
'x11-7' => 6007,
'gnutella-svc' => 6346,
'gnutella-rtr' => 6347,
'afs3-fileserver' => 7000,
bbs => 7000,
'afs3-callback' => 7001,
'afs3-prserver' => 7002,
'afs3-vlserver' => 7003,
'afs3-kaserver' => 7004,
'afs3-volser' => 7005,
'afs3-errors' => 7006,
'afs3-bos' => 7007,
'afs3-update' => 7008,
'afs3-rmtsys' => 7009,
'font-service' => 7100,
xfs => 7100,
'bacula-dir' => 9101,
'bacula-fd' => 9102,
'bacula-sd' => 9103,
amanda => 10080,
hkp => 11371,
bprd => 13720,
bpdbm => 13721,
'bpjava-msvc' => 13722,
vnetd => 13724,
bpcd => 13782,
vopied => 13783,
wnn6 => 22273,
kerberos4 => 750,
'kerberos-iv' => 750,
kdc => 750,
kerberos_master => 751,
passwd_server => 752,
krb_prop => 754,
krb5_prop => 754,
hprop => 754,
krbupdate => 760,
kreg => 760,
swat => 901,
kpop => 1109,
knetd => 2053,
'zephyr-srv' => 2102,
'zephyr-clt' => 2103,
'zephyr-hm' => 2104,
eklogin => 2105,
kx => 2111,
iprop => 2121,
supfilesrv => 871,
supfiledbg => 1127,
linuxconf => 98,
poppassd => 106,
ssmtp => 465,
smtps => 465,
moira_db => 775,
moira_update => 777,
moira_ureg => 779,
spamd => 783,
omirr => 808,
omirrd => 808,
customs => 1001,
skkserv => 1178,
predict => 1210,
rmtcfg => 1236,
wipld => 1300,
xtel => 1313,
xtelw => 1314,
support => 1529,
sieve => 2000,
cfinger => 2003,
ndtp => 2010,
frox => 2121,
ninstall => 2150,
zebrasrv => 2600,
zebra => 2601,
ripd => 2602,
ripngd => 2603,
ospfd => 2604,
bgpd => 2605,
ospf6d => 2606,
ospfapi => 2607,
isisd => 2608,
afbackup => 2988,
afmbackup => 2989,
xtell => 4224,
fax => 4557,
hylafax => 4559,
distmp3 => 4600,
munin => 4949,
lrrd => 4949,
'enbd-cstatd' => 5051,
'enbd-sstatd' => 5052,
pcrd => 5151,
noclog => 5354,
hostmon => 5355,
rplay => 5555,
rptp => 5556,
nsca => 5667,
mrtd => 5674,
bgpsim => 5675,
canna => 5680,
'sane-port' => 6566,
sane => 6566,
saned => 6566,
ircd => 6667,
'zope-ftp' => 8021,
webcache => 8080,
tproxy => 8081,
omniorb => 8088,
'clc-build-daemon' => 8990,
xinetd => 9098,
mandelspawn => 9359,
mandelbrot => 9359,
zope => 9673,
kamanda => 10081,
amandaidx => 10082,
amidxtape => 10083,
smsqp => 11201,
xpilot => 15345,
'sgi-cmsd' => 17001,
'sgi-crsd' => 17002,
'sgi-gcd' => 17003,
'sgi-cad' => 17004,
isdnlog => 20011,
vboxd => 20012,
binkp => 24554,
asp => 27374,
csync2 => 30865,
dircproxy => 57000,
tfido => 60177,
fido => 60179,
);
1;
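Review bot: removing the generated %protocols/%services table means protocol and service names are now resolved through getprotobyname()/getservbyname() on the host running the compiler, that is, its /etc/protocols, /etc/services and NSS configuration. That is the right direction (the table was a frozen snapshot generated on 2007-06-29), but two consequences belong in the release notes: names that were in the table, including the aliases it carried, may not resolve on a distribution with a smaller /etc/services, so configurations that compiled before can now fail with 'Invalid/Unknown ... port/service'; and on hosts that serve services via NIS or LDAP the compile now depends on those lookups succeeding. Since the generated script contains only numbers, Shorewall-lite targets are unaffected.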
@ -30,6 +30,9 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( ALLIPv4
TCP
UDP
ICMP
validate_address
validate_net
@ -40,14 +43,14 @@ our @EXPORT = qw( ALLIPv4
rfc1918_neworks
);
our @EXPORT_OK = qw( );
our $VERSION = '4.04';
our $VERSION = 4.0.5;
#
# Some IPv4 useful stuff
#
our @allipv4 = ( '0.0.0.0/0' );
use constant { ALLIPv4 => '0.0.0.0/0' };
use constant { ALLIPv4 => '0.0.0.0/0' , ICMP => 1, TCP => 6, UDP => 17 };
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
@ -141,8 +144,9 @@ sub ip_range_explicit( $ ) {
my $first = decodeaddr $low;
my $last = decodeaddr $high;
my $diff = $last - $first;
fatal_error "Invalid IP Range ($range)" unless $first <= $last;
fatal_error "Invalid IP Range ($range)" unless $diff >= 0 && $diff <= 256;
while ( ++$first <= $last ) {
push @result, encodeaddr( $first );
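Review bot: the new `$diff <= 256` cap reuses the existing error text, so a syntactically valid range that spans more than 257 addresses is now reported as `Invalid IP Range ($range)`, which will send users looking for a typo. Use a distinct message that states the limit, and note the limit is inclusive of both ends (diff 256 allows 257 addresses); pick 255 if the intent is 'at most 256'. The cap itself is worthwhile, since an unbounded range expands into one rule per address.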
@ -36,7 +36,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
our @EXPORT_OK = ();
our $VERSION = '4.03';
our $VERSION = 4.0.3;
our @addresses_to_add;
our %addresses_to_add;
@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( );
our $VERSION = '4.03';
our $VERSION = 4.0.5;
# @policy_chains is a list of references to policy chains in the filter table
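Review bot: the @EXPORT list on the context line above has a stray `sub` token (`... complete_standard_chain sub setup_syn_flood_chains ...`), so the module exports a symbol named 'sub'; it is pre-existing, but since the adjacent line is being touched this is the place to remove it.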
@ -333,6 +333,12 @@ sub validate_policy()
print_policy $client, $server, $policy, $chain;
}
}
for $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
}
}
}
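Review bot: the all-pairs check is a good fail-closed change (a missing policy is now a compile error rather than something found only when a rule happens to use that pair), but two points. `for $zone ( all_zones )` relies on a `$zone` declared earlier in the function rather than `for my $zone`, which is fragile if validate_policy() is reordered. And the check covers same-zone pairs (${zone}2${zone}), so a configuration that never defined an intra-zone or `all all` policy and previously compiled will now fail; confirm that is intended, add a release-notes entry, and consider reporting every missing pair before dying rather than stopping at the first.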
#
@ -369,7 +375,7 @@ sub default_policy( $$$ ) {
my $policy = $policyref->{policy};
my $loglevel = $policyref->{loglevel};
fatal_error "No default policy for $_[1] to zone $_[2]" unless $policyref;
fatal_error "Internal error in default_policy()" unless $policyref;
if ( $chainref eq $policyref ) {
policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
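Review bot: the new guard is dead code: `my $policy = $policyref->{policy};` and the line after it dereference $policyref before `fatal_error "Internal error in default_policy()" unless $policyref;` runs, so an undefined $policyref dies with Perl's "Can't use an undefined value as a HASH reference" before the message is reached. Move the check above the two `my` lines.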
@ -42,7 +42,7 @@ our @EXPORT = qw(
setup_forwarding
);
our @EXPORT_OK = qw( );
our $VERSION = '4.01';
our $VERSION = 4.0.1;
#
# ARP Filtering
@ -96,6 +96,7 @@ sub setup_route_filtering() {
save_progress_message "Setting up Route Filtering...";
if ( $config{ROUTE_FILTER} ) {
my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
@ -114,11 +115,15 @@ sub setup_route_filtering() {
" error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
emit "fi\n";
}
#
# According to Documentation/networking/ip-sysctl.txt, this must be turned on to do any filtering
#
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
if ( $config{ROUTE_FILTER} eq 'on' ) {
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
} elsif ( $config{ROUTE_FILTER} eq 'off' ) {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
}
emit "[ -n \"\$NOROUTES\" ] || ip route flush cache";
}
}
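Review bot: the removed block carried the comment that, per Documentation/networking/ip-sysctl.txt, `all/rp_filter` must be on for any filtering to happen, and the replacement writes only `conf/default/rp_filter`, which affects interfaces created later, not the existing ones configured in the loop above. That comment matched the kernel semantics of the time (the effective value is conf/all AND conf/<interface>), so the per-interface values this function sets become inert unless something else has enabled conf/all/rp_filter, and ROUTE_FILTER=Yes turns into a silent no-op on a default system. Keep `echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter` when ROUTE_FILTER is on (or when any interface has routefilter), mirroring what the LOG_MARTIANS hunk below does for log_martians.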
@ -155,6 +160,14 @@ sub setup_martian_logging() {
" error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
emit "fi\n";
}
if ( $config{LOG_MARTIANS} eq 'on' ) {
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians';
} elsif ( $config{LOG_MARTIANS} eq 'off' ) {
emit 'echo 0 > /proc/sys/net/ipv4/conf/all/log_martians';
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/log_martians';
}
}
}
@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces);
our @EXPORT_OK = qw( initialize );
our $VERSION = '4.03';
our $VERSION = 4.0.3;
use constant { LOCAL_NUMBER => 255,
MAIN_NUMBER => 254,
@ -35,7 +35,7 @@ our @EXPORT = qw(
);
our @EXPORT_OK = qw( initialize );
our $VERSION = '4.01';
our $VERSION = 4.0.1;
our @proxyarp;
@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
dump_rule_chains
);
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our $VERSION = '4.04';
our $VERSION = 4.0.5;
#
# Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@ -265,7 +265,7 @@ sub setup_rfc1918_filteration( $ ) {
my $interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for my $chain ( @{first_chains $interface}) {
for my $chain ( first_chains $interface ) {
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
}
}
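Review bot: first_chains() and dynamic_chains() now return a list instead of an array reference, and the callers are updated here to `for my $chain ( first_chains $interface )`; any caller left as `@{first_chains $interface}` would treat the last chain name as a symbolic reference and die under `use strict`, and a caller in scalar context gets the element count. Grep every module for both functions, including ones not touched by this commit, before merging; an explicit `return ( ... )` in both functions would also make the new contract obvious.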
@ -338,7 +338,7 @@ sub setup_blacklist() {
my $network = $hostref->[2];
my $source = match_source_net $network;
for my $chain ( @{first_chains $interface}) {
for my $chain ( first_chains $interface ) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
}
@ -502,10 +502,7 @@ sub add_common_rules() {
my $chain;
if ( $config{FASTACCEPT} ) {
for $chain qw( INPUT FORWARD OUTPUT ) {
$chainref = $filter_table->{$chain};
add_rule( $chainref , "-m state --state ESTABLISHED,RELATED -j ACCEPT" );
}
add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
}
my $rejectref = new_standard_chain 'reject';
@ -520,7 +517,7 @@ sub add_common_rules() {
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
for $interface ( all_interfaces ) {
for $chain ( @{first_chains $interface} ) {
for $chain ( first_chains $interface ) {
add_rule new_standard_chain( $chain ) , "$state -j dynamic";
}
@ -567,7 +564,7 @@ sub add_common_rules() {
$interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for $chain ( @{first_chains $interface}) {
for $chain ( first_chains $interface ) {
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
}
}
@ -639,18 +636,16 @@ sub add_common_rules() {
add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition";
for my $hostref ( @$list ) {
$interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" );
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
for $chain ( first_chains $hostref->[0] ) {
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j tcpflags" );
}
}
}
if ( $config{DYNAMIC_ZONES} ) {
for $interface ( all_interfaces ) {
for $chain ( @{dynamic_chains $interface} ) {
for $chain ( dynamic_chains $interface ) {
new_standard_chain $chain;
}
@ -792,7 +787,7 @@ sub setup_mac_lists( $ ) {
my $source = match_source_net $hostref->[2];
my $target = mac_chain $interface;
if ( $table eq 'filter' ) {
for my $chain ( @{first_chains $interface}) {
for my $chain ( first_chains $interface ) {
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
}
} else {
@ -866,7 +861,7 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
$mtarget = merge_levels $target, $mtarget;
if ( $mtarget =~ /^PARAM:?/ ) {
if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
fatal_error 'PARAM requires a parameter to be supplied in macro invocation' unless $param ne '';
$mtarget = substitute_param $param, $mtarget;
}
@ -920,7 +915,8 @@ sub process_macro ( $$$$$$$$$$$$$ ) {
}
#
# Once a rule has been completely resolved by macro expansion and wildcard (source and/or dest zone == 'all'), it is processed by this function.
# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
#
sub process_rule1 ( $$$$$$$$$$$ ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $wildcard ) = @_;
@ -998,7 +994,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
if ( $dest eq '-' ) {
$dest = firewall_zone;
} else {
$dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /(.+?)::/;
$dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /:/;
}
} elsif ( $action eq 'REJECT' ) {
$action = 'reject';
@ -1031,9 +1027,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$dest = ALLIPv4;
}
fatal_error "Missing source zone" if $sourcezone eq '-';
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
fatal_error "Missing destination zone" if $destzone eq '-';
fatal_error "Missing destination zone" if $destzone eq '-' || $destzone =~ /^:/;
fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
my $restriction = NO_RESTRICT;
@ -1043,6 +1039,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
} else {
$restriction = INPUT_RESTRICT if $destzone eq firewall_zone;
}
#
# Check for illegal bridge port rule
#
@ -1052,22 +1049,19 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
}
}
#
# Take care of chain
#
my $chain = "${sourcezone}2${destzone}";
my $chainref = ensure_chain 'filter', $chain;
#
# Validate Policy
#
my $policy = $chainref->{policy};
fatal_error "No policy defined from zone $sourcezone to zone $destzone" unless $policy;
if ( $policy eq 'NONE' ) {
return 1 if $wildcard;
fatal_error "Rules may not override a NONE policy";
}
#
# Handle Optimization
#
@ -1079,6 +1073,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
return 1 if $basictarget eq $policy;
}
}
#
# Mark the chain as referenced and add appropriate rules from earlier sections.
#
@ -1108,9 +1103,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
#
# Isolate server port
#
if ( $dest =~ /^(.*)(:(\d+))$/ ) {
if ( $dest =~ /^(.*)(:(.+))$/ ) {
$server = $1;
$serverport = $3;
$serverport = validate_portrange $proto, $3;
} else {
$server = $dest;
$serverport = '';
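Review bot: `validate_portrange $proto, $3` passes the PROTO column as written, but validate_portrange() only maps numeric protocols through proto_name(), so a rule with PROTO `TCP` or `tcp:syn` and a service name as server port (the feature this change adds) hands that literal string to getservbyname(), where the protocol match against /etc/services is case-sensitive, and the lookup fails with 'Invalid/Unknown TCP port/service'. Resolve the protocol first (resolve_proto() then proto_name(), as do_proto() does) before validating the server port. The loosened regex `^(.*)(:(.+))$` is fine because validate_portrange() checks the captured text, but the greedy `(.*)` means only the last colon splits, which deserves a comment.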
@ -1120,15 +1115,14 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
# After DNAT, dest port will be the server port. Capture it here because $serverport gets modified below.
#
my $servport = $serverport ne '' ? $serverport : $ports;
fatal_error "A server must be specified in the DEST column in $action rules" unless ( $actiontype & REDIRECT ) || $server ne ALLIPv4;
#
# Generate the target
#
my $target = '';
if ( $actiontype & REDIRECT ) {
$target = '-j REDIRECT --to-port ' . ( $serverport ne '' ? $serverport : $ports );
fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
$target = '-j REDIRECT --to-port ' . $servport;
if ( $origdest eq '' || $origdest eq '-' ) {
$origdest = ALLIPv4;
} elsif ( $origdest eq 'detect' ) {
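Review bot: `fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;` tests truthiness, while the sibling check below uses `if $server eq ''`; use `ne ''` here too for consistency (and so a literal `0` is not silently accepted). The stricter validation is otherwise welcome: the old code built `-j REDIRECT --to-port` without looking at $server, so an IP address in a REDIRECT DEST was silently ignored and a user could believe traffic was going to a host when it was being redirected to the firewall.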
@ -1141,6 +1135,10 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
}
}
} else {
fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
validate_address $server, 0;
if ( $action eq 'SAME' ) {
fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
@ -1188,6 +1186,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
# - the target will be ACCEPT.
#
unless ( $actiontype & NATONLY ) {
$servport =~ tr/-/:/ if $servport ne '-';
$rule = join( '', do_proto( $proto, $servport, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
$loglevel = '';
$dest = $server;
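Review bot: `$servport =~ tr/-/:/ if $servport ne '-';` runs on a value that, when no server port was given, is the raw `$ports` from the rule (`my $servport = $serverport ne '' ? $serverport : $ports;`); if `$ports` can still carry service names with hyphens at this point (`ms-sql-s`, `netbios-ns`), the translation turns them into `ms:sql:s` before do_proto() gets to resolve them. The translation is only needed for a validated server port range, so guard it on the source of the value, e.g. `$servport =~ tr/-/:/ if $serverport ne '';`, or resolve the names in `$ports` before this line.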
@ -1601,7 +1600,7 @@ sub generate_matrix() {
if $hostref->{options}{broadcast};
}
next if$hostref->{options}{destonly};
next if $hostref->{options}{destonly};
my $source = match_source_net $net;

View File

@ -39,7 +39,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = '4.04';
our $VERSION = 4.0.5;
our %tcs = ( T => { chain => 'tcpost',
connmark => 0,
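Review bot: `our $VERSION = 4.0.5;` is a bare v-string, so `$VERSION` holds the three bytes \x04\x00\x05 rather than the text "4.0.5"; `use Shorewall::Tc 4.0.5;` style version checks work, but anything that interpolates or prints the module version (a version report, a log line, an error message) will emit control characters unless it goes through `sprintf '%vd', $VERSION`. Please check those call sites; the same change is applied to Tunnels.pm and Zones.pm below.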
@ -367,12 +367,13 @@ sub validate_tc_class( $$$$$$ ) {
my $markval = numeric_value( $mark );
fatal_error "Duplicate Mark ($mark)" if $tcref->{$markval};
$tcref->{$markval} = {};
$tcref = $tcref->{$markval};
$tcref->{tos} = [];
$tcref->{rate} = convert_rate $full, $rate;
$tcref->{ceiling} = convert_rate $full, $ceil;
$tcref->{priority} = $prio eq '-' ? 1 : $prio;
$tcref->{$markval} = { tos => [] ,
rate => convert_rate( $full, $rate ) ,
ceiling => convert_rate( $full, $ceil ) ,
priority => $prio eq '-' ? 1 : $prio
};
$tcref = $tcref->{$markval};
unless ( $options eq '-' ) {
for my $option ( split /,/, "\L$options" ) {

View File

@ -33,7 +33,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tunnels );
our @EXPORT_OK = ( );
our $VERSION = '4.03';
our $VERSION = 4.0.3;
#
# Here starts the tunnel stuff -- we really should get rid of this crap...
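Review bot: Tunnels.pm moves to 4.0.3 while Tc.pm above and Zones.pm below move to 4.0.5 in the same commit; if `$VERSION` is meant to record the release that last changed a module this is consistent, but if it is meant to track the package release (the spec files go to 4.0.5) it should be 4.0.5 here as well. A one-line comment stating which convention applies would stop future bumps being applied inconsistently.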

View File

@ -64,7 +64,7 @@ our @EXPORT = qw( NOTHING
);
our @EXPORT_OK = qw( initialize );
our $VERSION = '4.04';
our $VERSION = 4.0.5;
#
# IPSEC Option types
@ -968,6 +968,7 @@ sub validate_hosts_file()
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
}
#
# Returns a reference to a array of host entries. Each entry is a
# reference to an array containing ( interface , polciy match type {ipsec|none} , network );
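Review bot: the comment in the trailing context has two typos, `polciy` for `policy` and `a array` for `an array`; since the hunk already touches the line above it, fold the fix in.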

View File

@ -1,165 +0,0 @@
#! /usr/bin/perl -w
#
# Tool for building Shorewall::Ports.
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Usage:
#
# buildports.pl [ <directory> ] > /usr/share/shorewall-perl/Shorewall/Ports.pm
#
# Where:
#
# <directory> is the directory where the 'protocols' and 'services' files are
# located. If not specified, /etc is assumed.
#
use strict;
use lib '/usr/share/shorewall-perl';
use Shorewall::Config qw( open_file
push_open
pop_open
read_a_line1
split_line
fatal_error
%globals
ensure_config_path
set_shorewall_dir
set_config_path );
our $offset = "\t\t ";
our %service_hash;
sub print_it( $$ ) {
my ( $name, $number ) = @_;
my $tabs;
my $length = length $name;
if ( $name =~ /\W/ || $name =~ /^\d/ ) {
my $repeat = int ( ( 27 - $length ) / 8 );
$tabs = $repeat > 0 ? "\t" x $repeat : ' ';
print "${offset}'${name}'${tabs}=> $number,\n";
} else {
my $repeat = int ( ( 29 - $length ) / 8 );
$tabs = $repeat > 0 ? "\t" x $repeat : ' ';
print "${offset}${name}${tabs}=> $number,\n";
}
}
sub print_service( $$ ) {
my ( $service, $number ) = @_;
unless ( exists $service_hash{$service} ) {
print_it( $service, $number );
$service_hash{$service} = $number;
}
}
#
# E x e c u t i o n B e g i n s H e r e
#
set_config_path( '/etc' );
our $dir = $ARGV[0] || '/etc';
$dir =~ s|/+$|| unless $dir eq '/';
#
# Open the files before we do anything else
#
open_file "$dir/services" or fatal_error "$dir/services is empty";
push_open "$dir/protocols" or fatal_error "$dir/protocols is empty";
our $date = localtime;
print <<"EOF";
#
# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Ports.pm
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2007 - Tom Eastep (teastep\@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This module exports the %protocols and %services hashes built from
# /etc/protocols and /etc/services respectively.
#
# Module generated using buildports.pl $globals{VERSION} - $date
#
EOF
print <<'EOF';
package Shorewall::Ports;
use strict;
use warnings;
our @ISA = qw(Exporter);
our @EXPORT = qw( %protocols %services );
our @EXPORT_OK = qw();
EOF
print "our \$VERSION = '$globals{VERSION}';\n";
print <<'EOF';
our %protocols = (
EOF
while ( read_a_line1 ) {
my ( $proto1, $number, @aliases ) = split_line( 2, 10, '/etc/protocols entry');
print_it( $proto1, $number );
for my $alias ( @aliases ) {
last if $alias eq '-';
print_it( $alias, $number );
}
}
pop_open;
print "\t\t );\n\n";
print "our %services = (\n";
while ( read_a_line1 ) {
my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry');
my ( $number, $proto ) = split '/', $proto_number;
next unless $proto && ($proto eq 'tcp' || $proto eq 'udp');
print_service( $name1 , $number );
while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) {
print_service ($name1, $number );
}
}
print "\t\t );\n\n1;\n";
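Review bot: deleting buildports.pl removes the only thing in this tree that generated Shorewall/Ports.pm from the host's /etc/protocols and /etc/services, and the install.sh and .spec hunks below drop the FallbackPorts.pm fallback as well, yet validate_portrange in Rules.pm above now accepts service names and has to get %services from somewhere. Please confirm a pre-built Ports.pm is committed and installed by the generic Shorewall/*.pm copy, and document the consequence: service names in rules now resolve against the table shipped with Shorewall rather than the local /etc/services, so a site-specific or renamed service entry is no longer honoured and, where the two tables disagree, maps to the shipped port without warning.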

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.4
VERSION=4.0.5
usage() # $1 = exit status
{
@ -31,7 +31,6 @@ usage() # $1 = exit status
echo " $ME -v"
echo " $ME -h"
echo " $ME -n"
echo " $ME -n -P"
exit $1
}
@ -111,7 +110,6 @@ if [ -z "$GROUP" ] ; then
fi
NOBACKUP=
INSTALL_PORTS_PM=Yes
while [ $# -gt 0 ] ; do
case "$1" in
@ -125,9 +123,6 @@ while [ $# -gt 0 ] ; do
-n)
NOBACKUP=Yes
;;
-P)
INSTALL_PORTS_PM=
;;
*)
usage 1
;;
@ -190,20 +185,6 @@ for f in prog.* ; do
echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall-perl/$f"
done
#
# Install buildports.pl and create Shorewall::Ports
#
install_file buildports.pl ${PREFIX}/usr/share/shorewall-perl/buildports.pl 0755
if [ -n "$INSTALL_PORTS_PM" ]; then
if ./buildports.pl > ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm; then
chmod 0644 ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm
else
echo "The buildports.pl tool failed -- installing the fallback Protocol/Ports Module"
cp -a ${PREFIX}/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm
fi
fi
echo $VERSION > ${PREFIX}/usr/share/shorewall-perl/version
#
# Report Success
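Review bot: with the buildports.pl install and the `-P` option gone, nothing left in install.sh creates or installs Shorewall/Ports.pm, and the branch that copied FallbackPorts.pm into place is removed too; unless Ports.pm is now part of the Shorewall/*.pm set installed earlier in the script (not visible in this hunk), a fresh install leaves Shorewall::Ports missing and the compiler dies at `use`. The usage() and option-parsing hunks above and the `%post` removal in the spec below are consistent with the removal.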

View File

@ -11,9 +11,14 @@ usage() {
#
# Start trace if first arg is "debug" or "trace"
#
if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
set -x
shift
if [ $# -gt 1 ]; then
if [ "x$1" = "xtrace" ]; then
set -x
shift
elif [ "x$1" = "xdebug" ]; then
DEBUG=Yes
shift
fi
fi
initialize
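Review bot: the new `debug` branch only sets `DEBUG=Yes` in the generated script's own shell, which is enough for debug_restore_input() in the same file, but `set -x` is no longer implied, so anyone who typed `debug` to get a trace now gets different behaviour with no message; the usage() text this block follows should state that `trace` now means `set -x` and `debug` means replaying the restore input one iptables command at a time. `[ $# -gt 1 ]` also means a lone `debug` or `trace` is treated as the command rather than a modifier, which matches the old test but deserves a comment.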

View File

@ -81,13 +81,7 @@ startup_error() # $* = Error Message
#
run_iptables()
{
if [ -n "$COMMENT" ]; then
$IPTABLES $@ -m comment --comment "$COMMENT"
else
$IPTABLES $@
fi
if [ $? -ne 0 ]; then
if ! $IPTABLES $@; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
exit 2
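Review bot: dropping the `-m comment --comment "$COMMENT"` branch from run_iptables() silently stops honouring `$COMMENT` for any remaining caller that still sets it (the function is still used by debug_restore_input() below for the nat table), so either confirm no generated code sets COMMENT any more or note that comments are now emitted only through the restore input. While here, `$IPTABLES $@` should be `$IPTABLES "$@"`: unquoted `$@` re-splits arguments containing whitespace, which is exactly the problem debug_restore_input() works around with eval.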
@ -149,3 +143,87 @@ get_all_bcasts()
{
ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
}
#
# Run the .iptables_restore_input as a set of discrete iptables commands
#
debug_restore_input() {
local first second rest table chain
#
# Clear the ruleset
#
qt $IPTABLES -t mangle -F
qt $IPTABLES -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do
qt $IPTABLES -t mangle -P $chain ACCEPT
done
qt $IPTABLES -t raw -F
qt $IPTABLES -t raw -X
for chain in PREROUTING OUTPUT; do
qt $IPTABLES -t raw -P $chain ACCEPT
done
run_iptables -t nat -F
run_iptables -t nat -X
for chain in PREROUTING POSTROUTING OUTPUT; do
qt $IPTABLES -t nat -P $chain ACCEPT
done
qt $IPTABLES -t filter -F
qt $IPTABLES -t filter -X
for chain in INPUT FORWARD OUTPUT; do
qt $IPTABLES -t filter -P $chain -P ACCEPT
done
while read first second rest; do
case $first in
-*)
#
# We can't call run_iptables() here because the rules may contain quoted strings
#
eval $IPTABLES -t $table $first $second $rest
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
;;
:*)
chain=${first#:}
if [ "x$second" = x- ]; then
$IPTABLES -t $table -N $chain
else
$IPTABLES -t $table -P $chain $second
fi
if [ $? -ne 0 ]; then
error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
stop_firewall
exit 2
fi
;;
#
# This grotesque hack with the table names works around a bug/feature with ash
#
'*'raw)
table=raw
;;
'*'mangle)
table=mangle
;;
'*'nat)
table=nat
;;
'*'filter)
table=filter
;;
esac
done
}
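Review bot: `qt $IPTABLES -t filter -P $chain -P ACCEPT` has a duplicated `-P`, so iptables rejects the command, `qt` swallows the error, and the filter table's built-in policies are never reset to ACCEPT before the rules are replayed; it should read `qt $IPTABLES -t filter -P $chain ACCEPT` like the mangle, raw and nat loops. Three further points in the same function: (1) the nat table is flushed with run_iptables, which calls stop_firewall and exits if the nat table is unavailable, while the other tables use qt; pick one behaviour. (2) `eval $IPTABLES -t $table $first $second $rest` pushes the restore-input text through the shell, so anything the compiler copies into a `--comment` (rule-file COMMENT text) or `--log-prefix` is subject to command substitution and quote handling; the file is root-owned and compiler-generated, but the compiler must then guarantee it emits only single-quoted strings with embedded quotes escaped, or rules-file content becomes a way to run commands in this mode. (3) `read first second rest` without `-r` interprets backslashes, which can alter escapes inside those same quoted strings; use `read -r`. The error messages also omit `-t $table`, so the reported command is not the one that failed.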

View File

@ -1,5 +1,5 @@
%define name shorewall-perl
%define version 4.0.4
%define version 4.0.5
%define release 1
Summary: Shoreline Firewall Perl-based compiler.
@ -37,7 +37,7 @@ execution than the legacy shorewall-shell compiler.
export PREFIX=$RPM_BUILD_ROOT ; \
export OWNER=`id -n -u` ; \
export GROUP=`id -n -g` ;\
./install.sh -n -P
./install.sh -n
%clean
rm -rf $RPM_BUILD_ROOT
@ -46,13 +46,6 @@ rm -rf $RPM_BUILD_ROOT
%post
if /usr/share/shorewall-perl/buildports.pl > /usr/share/shorewall-perl/Shorewall/Ports.pm; then
chmod 0644 /usr/share/shorewall-perl/Shorewall/Ports.pm
else
echo "The buildports.pl tool failed -- installing the fallback Protocol/Ports Module"
cp -a /usr/share/shorewall-perl/Shorewall/FallbackPorts.pm /usr/share/shorewall-perl/Shorewall/Ports.pm
fi
%preun
%files
@ -61,7 +54,6 @@ fi
%attr(0755,root,root) %dir /usr/share/shorewall-perl
%attr(0755,root,root) %dir /usr/share/shorewall-perl/Shorewall
%attr(755,root,root) /usr/share/shorewall-perl/buildports.pl
%attr(755,root,root) /usr/share/shorewall-perl/compiler.pl
%attr(0644,root,root) /usr/share/shorewall-perl/prog.header
%attr(0644,root,root) /usr/share/shorewall-perl/prog.functions
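Review bot: `%files` drops buildports.pl and `%post` no longer generates Shorewall/Ports.pm, but the visible list adds no entry for Ports.pm; if it is meant to ship pre-built it needs an `%attr(0644,root,root)` line here or a glob covering Shorewall/*.pm, otherwise the package installs a compiler that cannot resolve service names.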
@ -72,6 +64,8 @@ fi
%doc COPYING releasenotes.txt
%changelog
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
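Review bot: the new `%changelog` entry is dated `Tue Oct 03 2007`, but 3 October 2007 was a Wednesday (the existing `Wed Sep 05 2007` entry is exactly four weeks earlier); rpmbuild reports this as a bogus date, so it should read `Wed Oct 03 2007` or carry the actual release date with its correct weekday.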

View File

@ -1 +1 @@
This is the Shorewall-shell Development 4.0 branch of SVN.
This is the Shorewall-shell Stable 4.0 branch of SVN.

View File

@ -5415,6 +5415,7 @@ f=\$(find_file ipsets)
if [ -f \$f ]; then
progress_message2 "Restoring IPSETS..."
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
ipset -X
ipset -R < \$f
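Review bot: `ipset -U :all: :default:` is added without `qt`, like the existing `ipset -U :all: :all:`, so on an ipset build without binding support, or when there are simply no bindings to remove and the tool reports that as an error, the generated script prints an error on every start; wrap both unbind calls in qt, since their only purpose is to let the following `ipset -X` succeed. Nothing visible checks the result of `ipset -R < \$f` either, so a corrupt or partially written ipsets file leaves the firewall running with missing sets and no indication beyond ipset's own stderr.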
@ -5740,9 +5741,9 @@ usage() {
# E X E C U T I O N B E G I N S H E R E
#
#
# Start trace if first arg is "debug"
# Start trace if first arg is "debug" or "trace"
#
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; }
NOLOCK=
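Review bot: in this shell-compiler script `debug` and `trace` are synonyms for `set -x`, whereas the Shorewall-perl prog.footer hunk above makes `trace` mean `set -x` and `debug` mean replaying the restore input one command at a time; the same command word now does different things depending on which compiler built the script, so the usage() text above this block and the release notes should state the difference explicitly rather than leaving users to discover it.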

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.4
VERSION=4.0.5
usage() # $1 = exit status
{

View File

@ -1,5 +1,5 @@
%define name shorewall-shell
%define version 4.0.4
%define version 4.0.5
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -81,6 +81,8 @@ fi
%doc COPYING INSTALL
%changelog
* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
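Review bot: same bogus weekday as in the shorewall-perl spec: `Tue Oct 03 2007` should be `Wed Oct 03 2007`, since 3 October 2007 was a Wednesday; rpmbuild warns about the mismatch.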