diff --git a/Lrp2/etc/shorewall/shorewall.conf b/Lrp2/etc/shorewall/shorewall.conf
index 019ed6716..b04a17898 100755
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ b/Lrp2/etc/shorewall/shorewall.conf
@@ -732,6 +732,34 @@ PKTTYPE=Yes
# DROPINVALID=Yes is assumed.
DROPINVALID=No
+
+#
+# RFC 1918 BEHAVIOR
+#
+# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
+# processing to cease for a packet if the packet's source IP address matches
+# the rule. Thus, if you have:
+#
+# SUBNETS TARGET
+# 192.168.1.0/24 RETURN
+#
+# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
+# also have:
+#
+# SUBNETS TARGET
+# 10.0.0.0/8 logdrop
+#
+# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
+# since while the packet's source matches the RETURN rule, the packet's
+# destination matches the 'logdrop' rule.
+#
+# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
+# RFC1918_STRICT=No is assumed.
+#
+# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
+# 'conntrack state' match.
+
+RFC1918_STRICT=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
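Review bot: The WARNING in the new comment block calls the prerequisite a 'conntrack state' match, but the rules this option generates use the conntrack match (`-m conntrack --ctorigdst`) and the script gates the feature on `CONNTRACK_MATCH`; `state` is a separate iptables match, so the wording conflates the two. The same phrase is repeated in the `startup_error` message added to initialize_netfilter in the next file of this diff. Suggest `# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support` / `# the 'conntrack' match (-m conntrack).` here, with matching wording in that error message.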
diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
index 76c3b069f..fa4ed164b 100755
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@@ -5632,6 +5632,10 @@ initialize_netfilter () {
[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
+
+ [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
+ startup_error "RFC1918_STRICT=Yes requires conntrack state match"
+
echo "Determining Zones..."
determine_zones
@@ -5922,7 +5926,15 @@ add_common_rules() {
run_iptables -A rfc1918 -j DROP
- if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
+ chain=norfc1918
+
+ if [ -n "$RFC1918_STRICT" ]; then
+ #
+ # We'll generate two chains - one for source and one for destination
+ #
+ chain=rfc1918d
+ createchain $chain no
+ elif [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
#
# Mangling is enabled but conntrack match isn't available --
# create a chain in the mangle table to filter RFC1918 destination
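Review bot: The strict branch creates `rfc1918d`, but the only rules that ever populate it are the `-m conntrack --ctorigdst` rules emitted further down inside `if [ -n "$CONNTRACK_MATCH" ]`, so this branch silently depends on the `startup_error` check added to initialize_netfilter in the first hunk of this file; without that check `rfc1918d` would be an empty chain and RFC1918_STRICT=Yes a no-op. That dependency lives in a different function and is easy to break, so it is worth stating here: `# RFC1918_STRICT requires CONNTRACK_MATCH (enforced in initialize_netfilter); the` / `# destination rules below are added to rfc1918d via -m conntrack --ctorigdst.` The `elif` ordering also means a strict configuration never reaches the mangle-table fallback, which the comment on that branch could make explicit. add_common_rules starts and ends outside this hunk.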
@@ -5941,8 +5953,13 @@ add_common_rules() {
case $target in
logdrop)
target=rfc1918
+ s_target=rfc1918
;;
- DROP|RETURN)
+ DROP)
+ s_target=DROP
+ ;;
+ RETURN)
+ [ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN
;;
*)
fatal_error "Invalid target ($target) for $networks"
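Review bot: In strict mode a source-matched RETURN entry becomes `-j rfc1918d`, and a RETURN hit inside rfc1918d returns into norfc1918 and continues with the remaining source rules instead of ending norfc1918 processing as RETURN traditionally does; with overlapping entries in the rfc1918 file (a narrow RETURN followed by a broader logdrop) a packet whose destination is clean could still be dropped by the later source rule, which the shorewall.conf text for the option does not mention. Because a later hunk also appends an unconditional `-j rfc1918d` after the loop, such a packet traverses rfc1918d twice. If the change in RETURN semantics is intended, it should be documented in the shorewall.conf comment; otherwise the source-RETURN case needs a terminating construct rather than a plain jump. The `[ -n "$RFC1918_STRICT" ] && s_target=rfc1918d || s_target=RETURN` line only works because an assignment cannot fail; an `if`/`else` would match the surrounding `case` arms and not rely on that. add_common_rules starts and ends outside this hunk.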
@@ -5950,13 +5967,13 @@ add_common_rules() {
esac
for network in $(separate_list $networks); do
- run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
+ run_iptables2 -A norfc1918 $(source_ip_range $network) -j $s_target
if [ -n "$CONNTRACK_MATCH" ]; then
#
# We have connection tracking match -- match on the original destination
#
- run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
+ run_iptables2 -A $chain -m conntrack --ctorigdst $network -j $target
elif [ -n "$MANGLE_ENABLED" ]; then
#
# No connection tracking match but we have mangling -- add a rule to
@@ -5967,6 +5984,8 @@ add_common_rules() {
done
done < $TMP_DIR/rfc1918
+ [ -n "$RFC1918_STRICT" ] && run_iptables -A norfc1918 -j rfc1918d
+
for host in $hosts; do
ipsec=${host%^*}
host=${host#*^}
@@ -7207,6 +7226,7 @@ do_initialize() {
LOGTAGONLY=
LOGALLNEW=
DROPINVALID=
+ RFC1918_STRICT=
RESTOREBASE=
TMP_DIR=
@@ -7402,6 +7422,7 @@ do_initialize() {
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
+ RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
#
# Strip the files that we use often
#
diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index b65884e26..049b52879 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2005-02-01
+ 2005-03-102001-2005
@@ -2651,6 +2651,41 @@ eth0 eth1 206.124.146.176
+
+ RFC1918_STRICT
+
+
+ (Added at version 2.2.2) — Traditionally, the RETURN target in
+ the 'rfc1918' file has caused norfc1918 processing to cease for a
+ packet if the packet's source IP address matches the rule. Thus, if
+ you have this entry in /etc/shorewall/rfc1918:
+
+ #SUBNETS TARGET
+192.168.1.0/24 RETURN
+
+ then traffic from 192.168.1.4 to 10.0.3.9 will be accepted
+ even though you also have:
+
+ #SUBNETS TARGET
+10.0.0.0/8 logdrop
+
+ Setting RFC1918_STRICT=Yes in shorewall.conf will cause such
+ traffic to be logged and dropped since while the packet's source
+ matches the RETURN rule, the packet's destination matches the
+ 'logdrop' rule.
+
+ If not specified or specified as empty (e.g.,
+ RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.
+
+
+ RFC1918_STRICT=Yes requires that your kernel and iptables
+ support 'conntrack state' match.
+
+
+
+
DROPINVALID
@@ -3674,8 +3709,9 @@ all all tcp ftp-data - 8RETURN
- Process the packet normally thru the rules and
- policies.
+ Process the packet normally thru the rules and policies.
+ See also RFC1918_STRICT
+ above.
@@ -3984,6 +4020,16 @@ eth1 -
Revision History
+
+ 1.23
+
+ 2005-03-10
+
+ TE
+
+ Changes for Shorewall 2.2.2.
+
+
1.20
diff --git a/Shorewall-docs2/support.xml b/Shorewall-docs2/support.xml
index d53eae79b..9cba12db0 100644
--- a/Shorewall-docs2/support.xml
+++ b/Shorewall-docs2/support.xml
@@ -76,8 +76,8 @@
The Search
- facility linked from the Shorewall Home Page can locate
- documents and posts about similar problems:
+ facility can locate documents and posts about similar
+ problems:
@@ -86,7 +86,7 @@
Problem Reporting Guidelines
- Shorewall versions earlier that 1.4.0 are no longer
+ Shorewall versions earlier than 1.4.0 are no longer
supported.