From 2ff3d930a6050231247315073ac3e9d8cf111ec0 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 8 Sep 2004 20:47:23 +0000 Subject: [PATCH] Update for 2.1.8 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1612 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- LrpN/etc/shorewall/blacklist | 6 +- LrpN/etc/shorewall/ecn | 4 +- LrpN/etc/shorewall/hosts | 8 +- LrpN/etc/shorewall/maclist | 4 +- LrpN/etc/shorewall/routestopped | 4 + LrpN/etc/shorewall/rules | 18 +- LrpN/etc/shorewall/tcrules | 39 +++- LrpN/etc/shorewall/tunnels | 5 +- LrpN/usr/share/shorewall/action.template | 12 +- LrpN/usr/share/shorewall/bogons | 4 +- LrpN/usr/share/shorewall/firewall | 266 ++++++++++++++--------- LrpN/usr/share/shorewall/functions | 21 +- LrpN/usr/share/shorewall/help | 4 +- LrpN/usr/share/shorewall/rfc1918 | 6 +- LrpN/usr/share/shorewall/version | 2 +- 15 files changed, 260 insertions(+), 143 deletions(-) diff --git a/LrpN/etc/shorewall/blacklist b/LrpN/etc/shorewall/blacklist index 063724daa..6ec2986c4 100644 --- a/LrpN/etc/shorewall/blacklist +++ b/LrpN/etc/shorewall/blacklist @@ -1,5 +1,5 @@ # -# Shorewall 2.0 -- Blacklist File +# Shorewall 2.1 -- Blacklist File # # /etc/shorewall/blacklist # @@ -7,7 +7,9 @@ # # Columns are: # -# ADDRESS/SUBNET - Host address, subnetwork or MAC address +# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address +# range (if your kernel and iptables contain iprange +# match support). # # MAC addresses must be prefixed with "~" and use "-" # as a separator. diff --git a/LrpN/etc/shorewall/ecn b/LrpN/etc/shorewall/ecn index eadda4b44..9b309eeb9 100644 --- a/LrpN/etc/shorewall/ecn +++ b/LrpN/etc/shorewall/ecn 
@@ -12,7 +12,9 @@ # the firewall # HOST(S) - (Optional) Comma-separated list of IP/subnet # If left empty or supplied as "-", -# 0.0.0.0/0 is assumed. +# 0.0.0.0/0 is assumed. If your kernel and iptables +# include iprange match support then IP address ranges +# are also permitted. ############################################################################## #INTERFACE HOST(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/etc/shorewall/hosts b/LrpN/etc/shorewall/hosts index ff954b05d..d26d2694a 100644 --- a/LrpN/etc/shorewall/hosts +++ b/LrpN/etc/shorewall/hosts @@ -28,12 +28,15 @@ # a) The IP address of a host # b) A subnetwork in the form # / -# c) A physical port name; only allowed when the +# c) An IP address range of the form -. Your kernel and iptables must have iprange +# match support. +# d) A physical port name; only allowed when the # interface names a bridge created by the # brctl addbr command. This port must not # be defined in /etc/shorewall/interfaces and may # optionally followed by a colon (":") and a -# host or network IP. +# host or network IP or a range. # See http://www.shorewall.net/Bridge.html for details. # # Examples: @@ -43,6 +46,7 @@ # eth3:192.168.2.0/24,192.168.3.1 # br0:eth4 # br0:eth0:192.168.1.16/28 +# eth4:192.168.1.44-192.168.1.49 # # OPTIONS - A comma-separated list of options. Currently-defined # options are: diff --git a/LrpN/etc/shorewall/maclist b/LrpN/etc/shorewall/maclist index af0fced97..147e5405e 100644 --- a/LrpN/etc/shorewall/maclist +++ b/LrpN/etc/shorewall/maclist 
@@ -15,7 +15,9 @@ # # IP ADDRESSES Optional -- if specified, both the MAC and IP address # must match. This column can contain a comma-separated -# list of host and/or subnet addresses. +# list of host and/or subnet addresses. If your kernel +# and iptables have iprange match support then IP +# address ranges are also allowed. ############################################################################## #INTERFACE MAC IP ADDRESSES (Optional) #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/LrpN/etc/shorewall/routestopped b/LrpN/etc/shorewall/routestopped index e32e5e934..f67a3422f 100644 --- a/LrpN/etc/shorewall/routestopped +++ b/LrpN/etc/shorewall/routestopped @@ -12,6 +12,10 @@ # INTERFACE - Interface through which host(s) communicate with # the firewall # HOST(S) - (Optional) Comma-separated list of IP/subnet +# addresses. If your kernel and iptables include +# iprange match support, IP address ranges are also +# allowed. +# # If left empty or supplied as "-", # 0.0.0.0/0 is assumed. # OPTIONS - (Optional) A comma-separated list of diff --git a/LrpN/etc/shorewall/rules b/LrpN/etc/shorewall/rules index 407402915..8473c9358 100755 --- a/LrpN/etc/shorewall/rules +++ b/LrpN/etc/shorewall/rules @@ -118,6 +118,10 @@ # address; mac addresses must begin with "~" and must use # "-" as a separator. # +# Hosts may be specified as an IP address range using the +# syntax -. This requires that +# your kernel and iptables contain iprange match support. +# # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the @@ -129,6 +133,10 @@ # loc:~00-A0-C9-15-39-78 Host in the local zone with # MAC address 00:A0:C9:15:39:78. # +# net:192.0.2.11-192.0.2.17 +# Hosts 192.0.2.11-192.0.2.17 in +# the net zone. +# # Alternatively, clients may be specified by interface # by appending ":" to the zone name followed by the # interface name. For example, loc:eth1 specifies a 
@@ -159,7 +167,7 @@ # 3. You may not specify both an interface and # an address. # -# Unlike in the SOURCE column, you may specify a range of +# Like in the SOURCE column, you may specify a range of # up to 256 IP addresses using the syntax # -. When the ACTION is DNAT or DNAT-, # the connections will be assigned to addresses in the @@ -237,14 +245,6 @@ # destination address in the connection request does not # match any of the addresses listed. # -# The address (list) may optionally be followed by -# a colon (":") and a second IP address. This causes -# Shorewall to use the second IP address as the source -# address in forwarded packets. See the Shorewall -# documentation for restrictions concerning this feature. -# If no source IP address is given, the original source -# address is not altered. -# # RATE LIMIT You may rate-limit the rule by placing a value in # this colume: # diff --git a/LrpN/etc/shorewall/tcrules b/LrpN/etc/shorewall/tcrules index 4e1910775..faef717ca 100644 --- a/LrpN/etc/shorewall/tcrules +++ b/LrpN/etc/shorewall/tcrules 
@@ -14,20 +14,35 @@ # Columns are: # # -# MARK The mark value which is an -# integer in the range 1-255 +# MARK/ a) A mark value which is a integer in the range 1-255 +# CLASSIFY +# May optionally be followed by ":P" or ":F" +# where ":P" indicates that marking should occur in +# the PREROUTING chain and ":F" indicates that marking +# should occur in the FORWARD chain. If neither +# ":P" nor ":F" follow the mark value then the chain is +# determined by the setting of MARK_IN_FORWARD_CHAIN in +# /etc/shorewall/shorewall.conf. # -# May optionally be followed by ":P" or ":F" -# where ":P" indicates that marking should occur in -# the PREROUTING chain and ":F" indicates that marking -# should occur in the FORWARD chain. If neither -# ":P" nor ":F" follow the mark value then the chain is -# determined by the setting of MARK_IN_FORWARD_CHAIN in -# /etc/shorewall/shorewall.conf. +# b) A classification of the form : where +# and are integers. Corresponds to +# the 'class' specification in these traffic shaping +# modules: +# +# - atm +# - cbq +# - dsmark +# - pfifo_fast +# - htb +# - prio +# +# Marking always occurs in the POSTROUTING chain. # # SOURCE Source of the packet. A comma-separated list of # interface names, IP addresses, MAC addresses -# and/or subnets. Use $FW if the packet originates on +# and/or subnets. If your kernel and iptables include +# iprange match support, IP address ranges are also +# allowed. Use $FW if the packet originates on # the firewall in which case the MARK column may NOT # specify either ":P" or ":F" (marking always occurs # in the OUTPUT chain). @@ -38,7 +53,9 @@ # Example: ~00-A0-C9-15-39-78 # # DEST Destination of the packet. Comma separated list of -# IP addresses and/or subnets. +# IP addresses and/or subnets. If your kernel and +# iptables include iprange match support, IP address +# ranges are also allowed. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # or "all". 
diff --git a/LrpN/etc/shorewall/tunnels b/LrpN/etc/shorewall/tunnels index ffe832967..b6fbe5074 100644 --- a/LrpN/etc/shorewall/tunnels +++ b/LrpN/etc/shorewall/tunnels @@ -34,7 +34,10 @@ # # GATEWAY -- The IP address of the remote tunnel gateway. If the # remote getway has no fixed address (Road Warrior) -# then specify the gateway as 0.0.0.0/0. +# then specify the gateway as 0.0.0.0/0. May be +# specified as a network address and if your kernel and +# iptables include iprange match support then IP address +# ranges are also allowed. # # GATEWAY # ZONES -- Optional. If the gateway system specified in the third diff --git a/LrpN/usr/share/shorewall/action.template b/LrpN/usr/share/shorewall/action.template index fcc948d00..ccb68b66b 100644 --- a/LrpN/usr/share/shorewall/action.template +++ b/LrpN/usr/share/shorewall/action.template @@ -65,6 +65,10 @@ # # 155.186.235.0/24 Subnet 155.186.235.0/24 # +# 10.0.0.4-10.0.0.9 Range of IP addresses; your +# kernel and iptables must have +# iprange match support. +# # 192.168.1.1,192.168.1.2 # Hosts 192.168.1.1 and # 192.168.1.2. @@ -81,10 +85,6 @@ # DEST Location of Server. Same as above with the exception that # MAC addresses are not allowed. # -# Unlike in the SOURCE column, you may specify a range of -# up to 256 IP addresses using the syntax -# -. -# # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # "all". # @@ -159,6 +159,6 @@ # #of the 'kids' group # ###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE -# PORT PORT(S) LIMIT +#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT PORT(S) LIMIT GROUP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/bogons b/LrpN/usr/share/shorewall/bogons index 6d49a5cea..7b96cefde 100644 --- a/LrpN/usr/share/shorewall/bogons +++ b/LrpN/usr/share/shorewall/bogons 
@@ -14,7 +14,9 @@
 #
 # Columns are:
 #
-# SUBNET The subnet (host addresses also allowed)
+# SUBNET The subnet (host addresses also allowed as are IP
+# address ranges provided that your kernel and iptables
+# include iprange match support).
 # TARGET Where to send packets to/from this subnet
 # RETURN - let the packet be processed normally
 # DROP - silently drop the packet
diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall
index 157a4e6d7..a322653a8 100755
--- a/LrpN/usr/share/shorewall/firewall
+++ b/LrpN/usr/share/shorewall/firewall
@@ -507,6 +507,36 @@ first_chains() #$1 = interface
 echo ${c}_fwd ${c}_in
 }
 
+#
+# Source IP range
+#
+source_ip_range() # $1 = Address or Address Range
+{
+ case $1 in
+ *.*.*.*-*.*.*.*)
+ echo "-m iprange --src-range $1"
+ ;;
+ *)
+ echo "-s $1"
+ ;;
+ esac
+}
+
+#
+# Destination IP range
+#
+dest_ip_range() # $1 = Address or Address Range
+{
+ case $1 in
+ *.*.*.*-*.*.*.*)
+ echo "-m iprange --dst-range $1"
+ ;;
+ *)
+ echo "-d $1"
+ ;;
+ esac
+}
+
 #
 # Horrible hack to work around an iptables bug
 #
@@ -529,17 +559,17 @@ match_source_hosts()
 if [ -n "$BRIDGING" ]; then
 case $1 in
 *:*)
- physdev_echo "--physdev-in ${1%:*} -s ${1#*:}"
+ physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
 ;;
 *.*.*.*)
- echo -s $1
+ echo $(source_ip_range $1)
 ;;
 *)
 physdev_echo "--physdev-in $1"
 ;;
 esac
 else
- echo -s $1
+ echo $(source_ip_range $1)
 fi
 }
 
@@ -548,17 +578,17 @@ match_dest_hosts()
 if [ -n "$BRIDGING" ]; then
 case $1 in
 *:*)
- physdev_echo "--physdev-out ${1%:*} -d ${1#*:}"
+ physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
 ;;
 *.*.*.*)
- echo -d $1
+ echo $(dest_ip_range $1)
 ;;
 *)
 physdev_echo "--physdev-out $1"
 ;;
 esac
 else
- echo -d $1
+ echo $(dest_ip_range $1)
 fi
 }
 
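Review bot: source_ip_range and dest_ip_range emit `-m iprange` for anything that globs as `*.*.*.*-*.*.*.*` without consulting the IPRANGE_MATCH capability that this same commit adds in determine_capabilities and that firewall_ip_range already honours, so on a kernel without the match the failure surfaces as an iptables parse error, or not at all where the caller runs bare `iptables` or `qt iptables`, instead of as a Shorewall message. A one-line guard in each range arm, `[ -n "$IPRANGE_MATCH" ] || fatal_error "IP address range $1 requires iprange match support in your kernel and iptables"`, keeps the diagnosis in one place; it assumes determine_capabilities has run before every caller, which the diff shows for initialize_netfilter but not for the stop path. A negated range such as `!192.0.2.1-192.0.2.9` also satisfies the glob and becomes `--src-range !192.0.2.1-…`, which iptables does not parse; either document that `!` is not supported with ranges or emit whichever negation form the supported iptables accepts. The same applies to the destination function.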
@@ -638,6 +668,15 @@ match_ipsec_out() # $1 = zone, $2 = host
 fi
 }
 
+#
+# Jacket for ip_range() that takes care of iprange match
+#
+
+firewall_ip_range() # $1 = IP address or range
+{
+ [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
+}
+
 #
 #
 # Find hosts in a given zone
@@ -1352,7 +1391,7 @@ stop_firewall() {
 else
 routeback=Yes
 for h in $(separate_list $host); do
- iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
+ iptables -A FORWARD -i $interface -s $h -o $interface $(dest_ip_range $h) -j ACCEPT
 done
 fi
 ;;
@@ -1370,10 +1409,10 @@ stop_firewall() {
 networks=${host#*:}
 iptables -A INPUT -i $interface -s $networks -j ACCEPT
 [ -z "$ADMINISABSENTMINDED" ] && \
- iptables -A OUTPUT -o $interface -d $networks -j ACCEPT
+ iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
 
 for host1 in $hosts; do
- [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} -d ${host1#*:} -j ACCEPT
+ [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} $(dest_ip_range ${host1#*:}) -j ACCEPT
 done
 done
 
@@ -1472,11 +1511,11 @@ setup_tunnels() # $1 = name of tunnels file
 [ $kind = IPSEC ] && kind=ipsec
 options="-m state --state NEW -j ACCEPT"
 
- addrule $inchain -p 50 -s $1 -j ACCEPT
- addrule $outchain -p 50 -d $1 -j ACCEPT
+ addrule $inchain -p 50 $(source_ip_range $1) -j ACCEPT
+ addrule $outchain -p 50 $(dest_ip_range $1) -j ACCEPT
 if [ -z "$noah" ]; then
- run_iptables -A $inchain -p 51 -s $1 -j ACCEPT
- run_iptables -A $outchain -p 51 -d $1 -j ACCEPT
+ run_iptables -A $inchain -p 51 $(source_ip_range $1) -j ACCEPT
+ run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT
 fi
 
 run_iptables -A $outchain -p udp -d $1 --dport 500 $options
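Review bot: The routeback rule converts only its destination half: `-s $h` is still passed raw while `-d $h` became `$(dest_ip_range $h)`, so a routestopped entry written as a range (which the routestopped file comment in this commit now permits) makes iptables reject the whole rule during `shorewall stop`, and the host loses the routeback it was promised. Use `iptables -A FORWARD -i $interface $(source_ip_range $h) -o $interface $(dest_ip_range $h) -j ACCEPT`. These calls use bare `iptables` rather than run_iptables, so the failure is not fatal and may go unnoticed until traffic stops. The enclosing case statement continues outside the hunk.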
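Review bot: Same asymmetry in the routestopped INPUT and FORWARD rules: `iptables -A INPUT -i $interface -s $networks -j ACCEPT` and the FORWARD line keep `-s $networks` while the OUTPUT and FORWARD destination sides now use dest_ip_range, so a range in routestopped fails to open the INPUT path at stop time, which is exactly the path a remote administrator depends on to keep a session alive. Change both to `$(source_ip_range $networks)`. Whether IPRANGE_MATCH is established on the stop path is not visible here; if it is not, source_ip_range will still emit `-m iprange` and the admin host is locked out either way, which argues for rejecting ranges in routestopped up front when the match is absent.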
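Review bot: The ESP and AH rules were converted, but the IKE rule on the last context line, `run_iptables -A $outchain -p udp -d $1 --dport 500 $options`, still passes `-d $1`, so an IPSEC tunnel whose gateway is given as a range (now documented as allowed in the tunnels file by this commit) has its ESP/AH rules accepted and then fails startup on the UDP/500 rule, with run_iptables presumably aborting the start. Change it to `run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options`; the matching inbound UDP/500 rule lies just past the hunk and needs source_ip_range for the same reason.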
@@ -1507,17 +1546,17 @@ setup_tunnels() # $1 = name of tunnels file setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol { - addrule $inchain -p $3 -s $2 -j ACCEPT - addrule $outchain -p $3 -d $2 -j ACCEPT + addrule $inchain -p $3 $(source_ip_range $2) -j ACCEPT + addrule $outchain -p $3 $(dest_ip_range $2) -j ACCEPT progress_message " $1 tunnel to $2 defined." } setup_pptp_client() # $1 = gateway { - addrule $outchain -p 47 -d $1 -j ACCEPT - addrule $inchain -p 47 -j ACCEPT - addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT + addrule $outchain -p 47 $(dest_ip_range $1) -j ACCEPT + addrule $inchain -p 47 -j ACCEPT + addrule $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT progress_message " PPTP tunnel to $1 defined." } @@ -1542,8 +1581,8 @@ setup_tunnels() # $1 = name of tunnels file ;; esac - addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT - addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT + addrule $inchain -p udp $(source_ip_range $1) --sport $p --dport $p -j ACCEPT + addrule $outchain -p udp $(dest_ip_range $1) --sport $p --dport $p -j ACCEPT progress_message " OPENVPN tunnel to $1:$p defined." } @@ -1570,8 +1609,8 @@ setup_tunnels() # $1 = name of tunnels file p=${p:+--dport $p} - addrule $inchain -p $protocol -s $1 $p -j ACCEPT - addrule $outchain -p $protocol -d $1 $p -j ACCEPT + addrule $inchain -p $protocol $(source_ip_range $1) $p -j ACCEPT + addrule $outchain -p $protocol $(dest_ip_range $1) $p -j ACCEPT for z in $(separate_list $3); do if validate_zone $z; then @@ -1967,7 +2006,7 @@ delete_proxy_arp() { # Setup Static Network Address Translation (NAT) # setup_nat() { - local external= interface= internal= allints= localnat= + local external= interface= internal= allints= localnat= policyin= policyout= validate_one() #1 = Variable Name, $2 = Column name, $3 = value { 
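Review bot: In setup_pptp_client the outbound GRE and TCP/1723 rules are now scoped to the gateway or range, but the inbound `addrule $inchain -p 47 -j ACCEPT` on the line between them still accepts GRE from any source, so the converted lines tighten one direction while the other stays open to the entire zone. If the asymmetry is deliberate (for instance because GRE replies can arrive from an address other than the configured gateway), a one-line comment above it saying so would stop the next reader from "fixing" it; otherwise `addrule $inchain -p 47 $(source_ip_range $1) -j ACCEPT` brings it in line with setup_one_other and the OPENVPN and generic tunnel types in the following hunks. That line is context, not new code, so this is a pre-existing gap the commit leaves in place.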
@@ -2005,15 +2044,15 @@ setup_nat() { validate_one localnat "LOCAL" $localnat if [ -n "$allints" ]; then - addnatrule nat_in -d $external -j DNAT --to-destination $internal - addnatrule nat_out -s $internal -j SNAT --to-source $external + addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal + addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external else - addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal - addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external + addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal + addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external fi [ -n "$localnat" ] && \ - run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal + run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal if [ -n "$add_ip_aliases" ]; then list_search $external $aliases_to_add || \ @@ -2025,6 +2064,11 @@ setup_nat() { # > ${STATEDIR}/nat + if [ -n "$POLICY_MATCH" ]; then + policyin="-m policy --pol none --dir in" + policyout="-m policy --pol none --dir out" + fi + save_progress_message "Restoring one-to-one NAT..." while read external interface internal allints localnat; do 
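Review bot: The new `policyin`/`policyout` values make every one-to-one NAT rule skip packets that carry an IPsec policy (`--pol none`) whenever policy match is available, which is a silent semantic change for existing configurations: traffic that was translated before the upgrade passes untranslated as soon as the kernel gains the policy match, with no setting to opt out and nothing in the documentation files touched by this diffstat. If the intent is that IPsec-protected traffic must never hit static NAT, say so where the variables are set, e.g. `# Exclude IPsec-protected traffic from one-to-one NAT; it is mapped by the IPsec policy instead`, and mention it in the 2.1.8 release notes. The assignments do precede the `while read` loop that emits the rules, so ordering is correct.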
@@ -2124,20 +2168,27 @@ setup_ecn() # $1 = file name for host in $hosts; do interface=${host%:*} h=${host#*:} - run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove + run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove progress_message " ECN Disabled to $h through $interface" done fi } # -# Process a TC Rule - $marking_chain is assumed to contain the name of the +# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the # default marking chain # process_tc_rule() { - chain=$marking_chain - + chain=$MARKING_CHAIN + + verify_designator() { + [ "$chain" = tcout ] && \ + fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" + chain=$1 + mark="${mark%:*}" + } + add_a_tc_rule() { r= @@ -2179,33 +2230,37 @@ process_tc_rule() esac fi - [ "x$dest" = "x-" ] || r="${r}-d $dest " + [ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) " + [ "x$proto" = "x-" ] && proto=all + [ "x$proto" = "x" ] && proto=all [ "$proto" = "all" ] || r="${r}-p $proto " [ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$sport" = "x-" ] || r="${r}--sport $sport " - run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark + case $chain in + tcpost) + run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark + ;; + *) + run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark + ;; + esac } if [ "$mark" != "${mark%:*}" ]; then - - [ "$chain" = tcout ] && \ - fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" - case "${mark#*:}" in p|P) - chain=tcpre + verify_designator tcpre ;; f|F) - chain=tcfor + verify_designator tcfor ;; *) - fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\"" + chain=tcpost ;; esac - mark="${mark%:*}" fi for source in $(separate_list ${sources:=-}); do 
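Review bot: The chain-designator `case` now maps every suffix that is not p/P/f/F to `chain=tcpost`, so the former `fatal_error "Invalid chain designator"` path is gone: a typo such as `3:pre` or `1:X` is handed to iptables as a CLASSIFY class and startup still fails, but with iptables' message instead of the rule-specific one Shorewall used to give, and a value that merely looks like `major:minor` is accepted as a class without comment. verify_designator is also no longer reached on that path, so the check that a `$FW`-source rule does not redirect tcout is skipped for classifications; the source loop that sets tcout is outside this hunk, so please confirm a `$FW` source cannot later overwrite the tcpost choice and emit `MARK --set-mark major:minor` in tcout. A minimal shape check in the `*)` arm restores the old error quality.

```shell
        # … unchanged: p|P and f|F arms …
        *)
            # CLASSIFY takes a hex major:minor class id; reject anything
            # else here so the user gets the rule-specific message
            case $mark in
                [0-9a-fA-F]*:[0-9a-fA-F]*)
                    chain=tcpost
                    ;;
                *)
                    fatal_error "Invalid MARK/CLASSIFY value ($mark) in rule \"$rule\""
                    ;;
            esac
            ;;
```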
@@ -2232,6 +2287,7 @@ setup_tc1() {
 run_iptables -t mangle -N tcpre
 run_iptables -t mangle -N tcfor
 run_iptables -t mangle -N tcout
+ run_iptables -t mangle -N tcpost
 #
 # Process the TC Rules File
 #
@@ -2246,9 +2302,10 @@ setup_tc1() {
 #
 # Link to the TC mangle chains from the main chains
 #
- run_iptables -t mangle -A FORWARD -j tcfor
- run_iptables -t mangle -A PREROUTING -j tcpre
- run_iptables -t mangle -A OUTPUT -j tcout
+ run_iptables -t mangle -A FORWARD -j tcfor
+ run_iptables -t mangle -A PREROUTING -j tcpre
+ run_iptables -t mangle -A OUTPUT -j tcout
+ run_iptables -t mangle -A POSTROUTING -j tcpost
 
 run_user_exit tcstart
 
@@ -2367,10 +2424,10 @@ process_accounting_rule() {
 [ -n "$dest" ] && case $dest in
 *:*)
 accounting_interface_verify ${dest%:*}
- rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
+ rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})"
 ;;
 *.*.*.*)
- rule="$rule -d $dest"
+ rule="$rule $(dest_ip_range $dest)"
 ;;
 -|all|any)
 ;;
@@ -2501,6 +2558,10 @@ check_config() {
 
 verify_os_version
 
+ if [ -n "$BRIDGING" ]; then
+ [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
+ fi
+
 echo "Determining Zones..."
 
 determine_zones
@@ -2730,14 +2791,14 @@ add_an_action()
 if [ $COMMAND != check ]; then
 if [ -n "${serv}" ]; then
 for serv1 in $(separate_list $serv); do
- for srv in $(ip_range $serv1); do
+ for srv in $(firewall_ip_range $serv1); do
 if [ -n "$loglevel" ]; then
 log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \
- $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
+ $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports)
 fi
 
 run_iptables2 -A $chain $proto $multiport $cli $sports \
- -d $srv $dports $ratelimit $userandgroup -j $target
+ $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
 done
 done
 else
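Review bot: check_config now calls startup_error when BRIDGING is set and PHYSDEV_MATCH is empty, but PHYSDEV_MATCH is only populated by determine_capabilities, which in this diff is shown running from initialize_netfilter (after report_capabilities), not from check_config, where only verify_os_version precedes the new test. If nothing earlier in check_config probes capabilities, `shorewall check` with BRIDGING=Yes will fail on the new line every time; either call `determine_capabilities` before the test or drop this copy and rely on the identical check added to initialize_netfilter. The start of check_config is outside the hunk, so this is inferred from what is visible.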
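Review bot: The LOG rule in add_an_action now passes `$(source_ip_range $srv)` while the real rule two lines below passes `$(dest_ip_range $srv)`, so with a log level set the logged rule matches the server as source (`-s $srv`) rather than destination, and when `$cli` already carries a `-s` the log rule ends up with two source options and iptables rejects it at startup. add_a_rule in a later hunk uses dest_ip_range in both the log and the real rule; this one should too: `$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)`.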
@@ -3465,11 +3526,11 @@ add_nat_rule() { createnatchain $chain for adr in $(separate_list $addr); do - run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports -d $adr -j $chain + run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain done for adr in $excludedests; do - addnatrule $chain -d $adr -j RETURN + addnatrule $chain $(dest_ip_range $adr) -j RETURN done if [ -n "$loglevel" ]; then @@ -3481,10 +3542,10 @@ add_nat_rule() { for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ - $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports) + $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) fi - run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup -d $adr $multiport $dports -j $target1 + run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup $(dest_ip_range $adr) $multiport $dports -j $target1 done fi else @@ -3496,7 +3557,7 @@ add_nat_rule() { createnatchain $chain for adr in $(separate_list $addr); do - addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports -d $adr -j $chain + addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain done for z in $(separate_list $excludezones); do @@ -3507,7 +3568,7 @@ add_nat_rule() { done for adr in $excludedests; do - addnatrule $chain -d $adr -j RETURN + addnatrule $chain $(dest_ip_range $adr) -j RETURN done if [ -n "$loglevel" ]; then @@ -3520,7 +3581,7 @@ add_nat_rule() { if [ -n "$loglevel" ]; then ensurenatchain $chain log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \ - $(fix_bang $proto $cli $sports -d $adr $multiport $dports) + $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) fi addnatrule $chain $proto $ratelimit $cli $sports \ 
@@ -3607,10 +3668,10 @@ add_a_rule() ;; *:*) rule_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) -s ${client#*:}" + cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" ;; *.*.*) - cli="-s $client" + cli="$(source_ip_range $client)" ;; ~*) cli=$(mac_match $client) @@ -3723,30 +3784,30 @@ add_a_rule() if [ -z "$dnat_only" ]; then if [ -n "$serv" ]; then for serv1 in $(separate_list $serv); do - for srv in $(ip_range $serv1); do + for srv in $(firewall_ip_range $serv1); do if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ - $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports) + $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \ - -d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target + $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $userandgroup -j $target done else if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ - $(fix_bang $proto $sports $multiport $cli -d $srv $dports) + $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi [ -n "$nonat" ] && \ addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN + $cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN [ "$logtarget" != NONAT ] && \ run_iptables2 -A $chain $proto $multiport $cli $sports \ - -d $srv $dports $ratelimit $userandgroup -j $target + $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target fi done done 
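Review bot: The SOURCE side of add_a_rule calls source_ip_range directly in both `cli` arms, so a client written as a range always becomes `-m iprange --src-range`, whereas the DEST side in the next hunk goes through firewall_ip_range and falls back to ip_range expansion when IPRANGE_MATCH is unset; the two columns therefore degrade differently on an older kernel (DEST keeps working, SOURCE dies inside iptables) even though the rules file comment in this commit describes them identically. Since `cli` is a single string rather than a loop, the cheaper fix is for source_ip_range to refuse a range when IPRANGE_MATCH is empty with a fatal_error naming the rule, so the user gets a Shorewall message instead of an iptables parse error. The `*.*.*)` glob also admits three-part strings, but that is pre-existing.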
@@ -3848,10 +3909,10 @@ process_rule() # $1 = target expandv logtag fi - if [ $loglevel = none ]; then + if [ "$loglevel" = none ]; then + [ "$target" = LOG ] && return loglevel= logtag= - [ $target = LOG ] && return fi loglevel=${loglevel%\!} @@ -4219,7 +4280,7 @@ process_tos_rule() { # # IP Address or networks # - src="-s $src" + src="$(source_ip_range $src)" ;; ~*) src=$(mac_match $src) @@ -4316,7 +4377,7 @@ process_tos_rule() { esac for dest in $dst; do - dest="-d $dest" + dest="$(dest_ip_range $dest)" case $srczone in $FW) @@ -4778,12 +4839,12 @@ setup_masq() destnets=${destnets#!} for destnet in $(separate_list $destnets); do - addnatrule $newchain -d $destnet -j RETURN + addnatrule $newchain $(dest_ip_range $destnet) -j RETURN done if [ -n "$networks" ]; then for s in $networks; do - addnatrule $chain -s $s $proto $ports $policy -j $newchain + addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain done networks= else @@ -4799,7 +4860,7 @@ setup_masq() if [ -n "$nomasq" ]; then for addr in $(separate_list $nomasq); do - addnatrule $chain -s $addr -j RETURN + addnatrule $chain $(source_ip_range $addr) -j RETURN done source="$source except $nomasq" fi @@ -4812,12 +4873,12 @@ setup_masq() if [ -n "$networks" ]; then for s in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet -s $s $proto $ports -j $newchain + addnatrule $chain $(dest_ip_range $destnet) $(source_ip_range $s) $proto $ports -j $newchain done done else for destnet in $(separate_list $destnets); do - addnatrule $chain -d $destnet $proto $ports $policy -j $newchain + addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain done fi @@ -4830,7 +4891,7 @@ setup_masq() policy= for addr in $(separate_list $nomasq); do - addnatrule $chain -s $addr -j RETURN + addnatrule $chain $(source_ip_range $addr) -j RETURN done source="$source except $nomasq" 
@@ -4858,7 +4919,7 @@ setup_masq()
 if [ -n "$networks" ]; then
 for network in $networks; do
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -s $network -d $destnet $proto $ports $policy -j $target $addrlist
+ addnatrule $chain $(source_ip_range $network) $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
 done
 
 if [ -n "$addresses" ]; then
@@ -4869,7 +4930,7 @@ setup_masq()
 done
 else
 for destnet in $(separate_list $destnets); do
- addnatrule $chain -d $destnet $proto $ports $policy -j $target $addrlist
+ addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
 done
 
 if [ -n "$addresses" ]; then
@@ -4927,7 +4988,7 @@ process_blacklist_rec() {
 source="--match mac --mac-source $addr"
 ;;
 *)
- source="-s $addr"
+ source="$(source_ip_range $addr)"
 ;;
 esac
 
@@ -5185,12 +5246,15 @@ determine_capabilities() {
 CONNTRACK_MATCH=
 MULTIPORT=
 POLICY_MATCH=
+ PHYSDEV_MATCH=
+ IPRANGE_MATCH=
 
 if qt iptables -N fooX1234 ; then
- qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
- qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
- qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
-
+ qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+ qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+ qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
+ qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
+ qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
 qt iptables -F fooX1234
 qt iptables -X fooX1234
 
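Review bot: determine_capabilities gains probes for physdev and iprange but none for the CLASSIFY target that the new tcpost chain in process_tc_rule depends on, so a tcrules classification on a kernel without CLASSIFY fails at rule time instead of being reported as a missing capability like the other matches. Adding a CLASSIFY_TARGET probe (in the mangle table, which as far as I recall is the only table that accepts CLASSIFY) lets process_tc_rule guard its tcpost branch with `[ -n "$CLASSIFY_TARGET" ] || fatal_error "CLASSIFY target support is required for rule \"$rule\""` and lets report_capabilities list it next to "IP range Match". The sketch below leaves the existing filter-table probes untouched.

```shell
    CLASSIFY_TARGET=
    # … unchanged: existing fooX1234 probes in the filter table …
    if qt iptables -t mangle -N fooX1234 ; then
        qt iptables -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
        qt iptables -t mangle -F fooX1234
        qt iptables -t mangle -X fooX1234
    fi
```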
@@ -5223,6 +5287,8 @@ report_capabilities() { report_capability $CONNTRACK_MATCH "Connection Tracking Match" report_capability $PKTTYPE "Packet Type Match" report_capability $POLICY_MATCH "Policy Match" + report_capability $PHYSDEV_MATCH "Physdev Match" + report_capability $IPRANGE_MATCH "IP range Match" } # @@ -5237,6 +5303,10 @@ initialize_netfilter () { report_capabilities + if [ -n "$BRIDGING" ]; then + [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" + fi + echo "Determining Zones..." determine_zones @@ -5369,7 +5439,7 @@ initialize_netfilter () { while read target ignore1 ignore2 address rest; do case $target in DROP|reject) - run_iptables2 -A dynamic -s $address -j $target + run_iptables2 -A dynamic $(source_ip_range $address) -j $target ;; *) ;; @@ -5408,7 +5478,7 @@ add_common_rules() { # for address in $broadcasts ; do [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address - run_iptables -A smurfs -s $address -j DROP + run_iptables -A smurfs $(source_ip_range $address) -j DROP done # # Reject Rules -- Don't respond to broadcasts with an ICMP @@ -5551,7 +5621,7 @@ add_common_rules() { ;; esac - run_iptables2 -A norfc1918 -s $networks -j $target + run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target if [ -n "$CONNTRACK_MATCH" ]; then # @@ -5563,7 +5633,7 @@ add_common_rules() { # No connection tracking match but we have mangling -- add a rule to # the mangle table # - run_iptables2 -t mangle -A man1918 -d $networks -j $target + run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target fi done < $TMP_DIR/rfc1918 @@ -5612,7 +5682,7 @@ add_common_rules() { ;; esac - run_iptables2 -A nobogons -s $networks -j $target + run_iptables2 -A nobogons $(source_ip_range $networks) -j $target done < $TMP_DIR/bogons 
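Review bot: The norfc1918 rule now goes through source_ip_range and the rfc1918 and bogons file comments in this commit advertise ranges, but the `if [ -n "$CONNTRACK_MATCH" ]` branch that follows is outside the hunk and, judging from the mangle fallback in the next hunk matching on the destination, presumably emits a conntrack `--ctorigdst $networks` rule, which has no range form; a range entry would then install the source rule and abort on the conntrack one. Please check that branch and either expand ranges there with `ip_range` when CONNTRACK_MATCH is set, or state in the rfc1918/bogons comments that ranges are only honoured for the source match. The smurfs hunk above has the same half-conversion (log rule keeps `-s $address`, drop rule uses source_ip_range), harmless since `$broadcasts` are computed broadcast addresses, but worth making consistent.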
@@ -6328,7 +6398,7 @@ add_to_zone() # $1 = [:] $2 = zone chain=${zone}_dnat if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) -s $host $policyin -j $chain + do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain fi # # Insert new rules into the filter table for the passed interface @@ -6336,7 +6406,7 @@ add_to_zone() # $1 = [:] $2 = zone while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - do_iptables -A $(dynamic_in $interface) -s $host $policyin -j $chain + do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -6346,7 +6416,7 @@ add_to_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain + do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain fi done fi @@ -6355,7 +6425,7 @@ add_to_zone() # $1 = [:] $2 = zone # # Add a rule to the dynamic out chain for the interface # - do_iptables -A $(dynamic_out $interface) -d $host $policyout -j $chain + do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -6364,7 +6434,7 @@ add_to_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain + do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain fi done fi 
@@ -6479,14 +6549,14 @@ delete_from_zone() # $1 = [:] $2 = zone # # Delete any nat table entries for the host(s) # - qt iptables -t nat -D $(dynamic_in $interface) -s $host $policyin -j ${zone}_dnat + qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat # # Delete rules rules the input chains for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt iptables -D $(dynamic_in $interface) -s $host $policyin -j $chain + qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -6496,13 +6566,13 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain + qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain fi done fi elif [ "$z2" = "$zone" ]; then if [ "$z1" = "$FW" ]; then - qt iptables -D $(dynamic_out $interface) -d $host $policyout -j $chain + qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -6511,7 +6581,7 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain + qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain fi done fi 
@@ -6773,7 +6843,7 @@ do_initialize() {
 [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info
 
 MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
- [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
+ [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
 if [ -n "$TC_ENABLED" ]; then
 CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
 else
diff --git a/LrpN/usr/share/shorewall/functions b/LrpN/usr/share/shorewall/functions
index 791e035b1..04f9bc457 100644
--- a/LrpN/usr/share/shorewall/functions
+++ b/LrpN/usr/share/shorewall/functions
@@ -546,13 +546,20 @@ encodeaddr() {
 ip_range() {
 local first last l x y z vlsm
 
- case $1 in
- [0-9]*.*.*.*-*.*.*.*)
- ;;
- *)
- echo $1
- return
- ;;
+ case $1 in
+ !*)
+ #
+ # Let iptables complain if it's a range
+ #
+ echo $1
+ return
+ ;;
+ [0-9]*.*.*.*-*.*.*.*)
+ ;;
+ *)
+ echo $1
+ return
+ ;;
 esac
 
 first=$(decodeaddr ${1%-*})
diff --git a/LrpN/usr/share/shorewall/help b/LrpN/usr/share/shorewall/help
index c29a8f301..c35657ec0 100755
--- a/LrpN/usr/share/shorewall/help
+++ b/LrpN/usr/share/shorewall/help
@@ -46,7 +46,9 @@ add)
 
 address|host)
 echo "<$1>: May be either a host IP address such as 192.168.1.4 or a network address in
- CIDR format like 192.168.1.0/24"
+ CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
+ match support then IP address ranges of the form -
+ are also permitted."
 ;;
 
 allow)
diff --git a/LrpN/usr/share/shorewall/rfc1918 b/LrpN/usr/share/shorewall/rfc1918
index 42bd82e3d..2c6304a92 100644
--- a/LrpN/usr/share/shorewall/rfc1918
+++ b/LrpN/usr/share/shorewall/rfc1918
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0-- RFC1918 File
+# Shorewall 2.1 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
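Review bot: The new `!*)` arm of ip_range is behaviourally identical to the `*)` arm it sits above: a `!`-prefixed string never matched `[0-9]*.*.*.*-*.*.*.*` before either, so both arms just echo `$1` and return, and the case now has three arms where two would do. If the point is to document the negation behaviour, a comment on the existing fallthrough such as `# Not a range, or a negated one: pass it through and let iptables complain` carries the same information without a duplicate branch. That comment should also say that, with firewall_ip_range in front of this function, a negated range only reaches here when IPRANGE_MATCH is unset and is then emitted as `-d !a-b`, which iptables rejects rather than expands. encodeaddr() above is outside the hunk.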
@@ -12,7 +12,9 @@ # # Columns are: # -# SUBNET The subnet (host addresses also allowed) +# SUBNET The subnet (host addresses also allowed as are IP +# address ranges provided that your kernel and iptables +# have iprange match support). # TARGET Where to send packets to/from this subnet # RETURN - let the packet be processed normally # DROP - silently drop the packet diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version index 04b10b4f1..ebf14b469 100644 --- a/LrpN/usr/share/shorewall/version +++ b/LrpN/usr/share/shorewall/version @@ -1 +1 @@ -2.1.7 +2.1.8