From 3f9c8996bb88626ac03bf47b539a8049784989cf Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 16 Jul 2006 23:06:18 +0000 Subject: [PATCH] Back out all post 3.2 changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4229 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/accounting | 2 +- Shorewall/changelog.txt | 283 ++++++++++++++++++- Shorewall/compiler | 404 +++++++++++++++++++++++++- Shorewall/firewall | 541 +++++++++++++++++++++++++++++++++++ Shorewall/help | 44 +++ Shorewall/releasenotes.txt | 564 ++++++++++++++++++++++++++++++++++++- Shorewall/shorewall | 522 +++------------------------------- Shorewall/shorewall.conf | 8 + 8 files changed, 1860 insertions(+), 508 deletions(-) diff --git a/Shorewall/accounting b/Shorewall/accounting index 5df8778bd..ad62063d0 100644 --- a/Shorewall/accounting +++ b/Shorewall/accounting @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Accounting File +# Shorewall version 3.2 - Accounting File # # /etc/shorewall/accounting # diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index b20697a42..b76cf9e41 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt 
@@ -1,5 +1,282 @@ -Changes in 3.3.1 +Changes in 3.2.1 -1) Once again, remove dynamic zones. +1) Change the detection of physdev match to use + --physdev-out. Preparation for removal of physdev-out match + capability. -2) Lay the groundwork for rewriting the compiler in Perl +2) Add missing edits to configuration parameters in firewall script. + +------------------------------------------------------------------------------- +Changes in 3.2.0 Final + +1) Avoid extraneous double quotes in log rules generated at run-time. + +Changes in 3.2.0 RC 6 + +1) Correct generation of the balanced default route. + +2) Allow 'detect' in the ADDRESS column of the masq file. + +3) Correct some permission problems. + +------------------------------------------------------------------------------- +Changes in 3.2.0 RC 5 + +1) Fix DOA 'LITEDIR' problem in /sbin/shorewall. + +2) Stop the compiler from running iptables. + +3) Avoid problem with ash. + +4) Make the 'try' command use the correct SHOREWALL_SHELL. + +5) Don't defer Action/chain extension script processing until + run-time. + +6) Run extension script for policy chains. + +------------------------------------------------------------------------------- +Changes in 3.2.0 RC 4 + +1) Fix permissions on Limit file. + +2) Make progress messages product-specific. + +3) Add 'reload' command. + +------------------------------------------------------------------------------- +Changes in 3.2.0 RC 3 + +1) Remove hard directory references from compiled programs. + +2) Fix /nat <-> /proxyarp typo. + +3) Avoid use of symbolic link for /sbin/shorewall + +------------------------------------------------------------------------------- +Changes in 3.2.0 RC 2 + +1) Update versions. + +2) Rationalize the use of IPTABLES and LOGFORMAT. + +3) Allow Shorewall/Shorewall-lite coexistance under RPM + +------------------------------------------------------------------------------- +Changes in 3.2.0 RC 1 + +1) Update versions. 
+ +------------------------------------------------------------------------------- +Changes in 3.2.0 Beta 8 + +1) Issue more helpful BRIDGING=No error messages. + +2) Implement "all-" in rules file. + +3) Add xmodules file. + +4) Detect devices in tcdevices entries. + +5) Fix for white-space in log prefix. + +6) Fix rule parsing of single excluded MAC address. + +------------------------------------------------------------------------------- +Changes in 3.2.0 Beta 7 + +1) Fix mark/mask validation. + +2) Restore traffic control to 'refresh'. + +3) Detect MTU for entries in /etc/shorewall/tcdevices. + +4) Avoid fatal error after missing forwardUPnP rule warning. + +------------------------------------------------------------------------------- +Changes in 3.2.0 Beta 6 + +1) Fix tc "notfound" errors when 'restart' is run out of ip-up.local. + +2) Allow 'detectnets' to work. + +3) Add TOS column to tcrules. + +4) Fix 'proxyarp' interface attribute handling. + +5) Fix default route generation in providers handling. + +6) Change interraction of 'track' and PREROUTING marking. + +------------------------------------------------------------------------------- +Changes in 3.2.0 Beta 5 + +1) Fix compilation problem on LEAF Bering. + +2) Remove traffic shaping code from the 'firewall' script to avoid + unmaintainable code duplication. + +3) Fix DETECT_DNAT_IPADDRS=No bug. + +4) Handle absense of mangle FORWARD chain. + +5) Rename the rtrules file to route_rules. + +6) Fix deletion of SNAT ip addresses. + +7) Accomodate ancient kernel's with no FORWARD or POSTROUTING in mangle. + +8) Clear SUBSYSLOCK on Debian/Ubuntu installs. + +------------------------------------------------------------------------------- +Changes in 3.2.0 Beta 4 + +1) Fix 'routeback' with bridge ports. + +2) Add support for explicit routing rules. + +3) Fix mktempdir problem. + +4) Implement HIGH_ROUTE_MARKS + +Changes in 3.2.0 Beta 3 + +1) Correct handling of verbosity in the 'try' command. 
+ +2) Add IMPLICIT_CONTINUE option to shorewall.conf. + +3) Fix SAME/ADD_SNAT_ALIASES interaction. + +------------------------------------------------------------------------------- +Changes in 3.2.0 Beta 2 + +1) Make "shorewall start -f" work correctly. + +2) Remove SUBSYSLOCK code from default and debian footers. + +3) Add 'refreshed' extension script. + +4) Implement 'logdrop' and 'logreject' + +------------------------------------------------------------------------------- +Changes in 3.1.x. and 3.2.x + +1) Removal of dynamic zones. + +2) Implement 'generate' command. + +3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq). + +4) Add back dynamic zones. + +5) Allow remote compiles. + +6) Change output of 'generate' to always be the file name entered (do not + prepend /var/lib/shorewall/) + +7) Remove some restrictions on remote compiles. + +8) Add error checking to generated script. + +9) Merge Fabio Longerai's 'length' patch. + +10) Add the "-p" option to the compile command. + +11) Fix 'check' bug in setup_masq + +12) Break compiler/firewall into two files + +13) Make Shoreall quiet for a change. + +14) Make "Compile-and-go" the only mode of operation. + +15) Remove -p + +16) Apply Tuomo's patches for IPSEC and Noecho. + +17) Fix bridging + +18) Fix QUEUE when used in the ESTABLISHED section. + +19) Apply Ed Suominen's patch to tcrules. +------------------------------------------------------------------------------- +3.1.5 + +20) Speed up compilation by rewriting 'fix_bang()'. + +21) Correct GATEWAY handling in the providers file. + +22) Remove sub-zone exclusion from DNAT/REDIRECT. + +23) Add compiled-program/library versioning scheme. + +------------------------------------------------------------------------------- +3.1.6 + +24) Apply Steven Springl's help patch. + +25) Fix 'allow/drop/reject' while Shorewall not running. + +26) Implement bi-directional macros. + +27) Fix TC bridge port handling. 
+ +28) Fix/document "check -e" + +29) Automatically use capabilities file when non-root. + +30) Correct typo in help file ("help drop"). + +31) Added 'tcpsyn' + +------------------------------------------------------------------------------- +3.1.7 + +32) Change 'tcpsyn' to 'tcp:syn' + +33) Remove superfluous rules in MAC validation. + +34) Correct Makefile. + +35) Add -t option + +36) Restore log messages. + +37) Fix "shorewall capabilities" with VERBOSITY < 2. + +------------------------------------------------------------------------------- +3.1.8 + +38) Remove compile-time running of extension scripts. + +39) Correctly handle interfaces named 'inet'. + +40) SUBSYSLOCK functionality restored. + +------------------------------------------------------------------------------- +3.1.9 + +41) Fix Provider route generation when a specific gateway is specified. + +42) Be sure that restore file name is preserved regardless of 'set --' in + define_firewall().) + +43) Add Simon's redhat prog files. + +44) Add 'delete_nat' to compiled program. + +45) Move 'shorecap' to /usr/share/shorewall + +46) Add debian prog files. + +47) Correct syntax error in validate_policy() +------------------------------------------------------------------------------- +3.2.0 Beta 1. + +48) Streamlined some code in setup_tc1() + +49) Process /etc/shorewall/params at run-time. + +50) Add new modules to /etc/shorewall/modules. + +51) Make default behavior of "compile" distribution-neutral. diff --git a/Shorewall/compiler b/Shorewall/compiler index 70930025e..90a8888fb 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler 
@@ -613,6 +613,31 @@ macrecent_target() # $1 - interface [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN } +# +# Functions for creating dynamic zone rules +# +dynamic_fwd() # $1 = interface +{ + echo $(chain_base $1)_dynf +} + +dynamic_in() # $1 = interface +{ + echo $(chain_base $1)_dyni +} + +dynamic_out() # $1 = interface +{ + echo $(chain_base $1)_dyno +} + +dynamic_chains() #$1 = interface +{ + local c=$(chain_base $1) + + echo ${c}_dyni ${c}_dynf ${c}_dyno +} + # # DNAT Chain from a zone # @@ -7321,6 +7346,22 @@ __EOF__ done fi + if [ -n "$DYNAMIC_ZONES" ]; then + progress_message "$DOING Dynamic Zone Chains..." + + for interface in $ALL_INTERFACES; do + for chain in $(dynamic_chains $interface); do + createchain $chain no + done + + chain=$(dynamic_in $interface) + createnatchain $chain + + run_iptables -A $(input_chain $interface) -j $chain + run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface) + run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface) + done + fi # # UPnP # @@ -7452,6 +7493,12 @@ activate_rules() addnatjump POSTROUTING $(snat_chain $interface) -o $interface done # + # Add jumps for dynamic nat chains + # + [ -n "$DYNAMIC_ZONES" ] && for interface in $ALL_INTERFACES ; do + addrulejump PREROUTING $(dynamic_in $interface) -i $interface + done + # # Add jumps from the builtin chains to the nat chains # addnatjump PREROUTING nat_in @@ -7482,8 +7529,10 @@ activate_rules() if [ -n "$is_ipsec" ]; then eval source_hosts=\$${zone}_hosts + [ -n "$DYNAMIC_ZONES" ] && create_zone_dyn_chain $zone $frwd_chain else eval source_hosts=\$${zone}_ipsec_hosts + [ -n "$DYNAMIC_ZONES" -a -n "$source_hosts" ] && create_zone_dyn_chain $zone $frwd_chain fi for host in $source_hosts; do 
@@ -7509,6 +7558,11 @@ activate_rules() echo $zone $type $source_hosts >> $STATEDIR/zones + if [ -n "$DYNAMIC_ZONES" ]; then + echo "$FW $zone $chain1" >> $STATEDIR/chains + echo "$zone $FW $chain2" >> $STATEDIR/chains + fi + need_broadcast= for host in $source_hosts; do @@ -7558,6 +7612,8 @@ activate_rules() [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. + [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains + if [ $zone = $zone1 ]; then # # Try not to generate superfluous intra-zone rules 
@@ -8438,13 +8494,127 @@ __EOF__ } +# +# Determine the value for a parameter that defaults to Yes +# +added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value +{ + local val="$2" + + if [ -z "$val" ]; then + echo "Yes" + else case $val in + [Yy][Ee][Ss]) + echo "Yes" + ;; + [Nn][Oo]) + echo "" + ;; + *) + fatal_error "Invalid value ($val) for $1" + ;; + esac + fi +} + +# +# Determine the value for a parameter that defaults to No +# +added_param_value_no() # $1 = Parameter Name, $2 = Parameter value +{ + local val="$2" + + if [ -z "$val" ]; then + echo "" + else case $val in + [Yy][Ee][Ss]) + echo "Yes" + ;; + [Nn][Oo]) + echo "" + ;; + *) + fatal_error "Invalid value ($val) for $1" + ;; + esac + fi +} + # # Initialize this program # do_initialize() { + # Run all utility programs using the C locale + # + # Thanks to Vincent Planchenault for this tip # + + export LC_ALL=C + + # Make sure umask is sane + umask 077 + + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + # + # Establish termination function + # TERMINATOR=fatal_error - + # + # Clear all configuration variables + # + VERSION= + IPTABLES= + FW= + SUBSYSLOCK= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + LOGPARMS= + LOGLIMIT= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + LOG_MARTIANS= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= + TCP_FLAGS_DISPOSITION= + TCP_FLAGS_LOG_LEVEL= + RFC1918_LOG_LEVEL= + MARK_IN_FORWARD_CHAIN= + FUNCTIONS= + VERSION_FILE= + LOGFORMAT= + LOGRULENUMBERS= + ADMINISABSENTMINDED= + BLACKLISTNEWONLY= + MODULE_SUFFIX= + ACTIONS= + USEDACTIONS= + SMURF_LOG_LEVEL= + DISABLE_IPV6= + BRIDGING= + DYNAMIC_ZONES= + PKTTYPE= + USEPKTYPE= + RETAIN_ALIASES= + DELAYBLACKLISTLOAD= + LOGTAGONLY= + LOGALLNEW= + RFC1918_STRICT= + MACLIST_TTL= + SAVE_IPSETS= + RESTOREFILE= + MAPOLDACTIONS= + IMPLICIT_CONTINUE= + HIGH_ROUTE_MARKS= + OUTPUT= 
TMP_DIR= ALL_INTERFACES= @@ -8452,6 +8622,7 @@ do_initialize() { IPSECMARK=256 PROVIDERS= CRITICALHOSTS= + IPSECFILE= EXCLUSION_SEQ=1 STOPPING= HAVE_MUTEX= @@ -8459,8 +8630,6 @@ do_initialize() { SECTION=ESTABLISHED SECTIONS= ALL_PORTS= - ACTIONS= - USEDACTIONS= SHAREDIR=/usr/share/shorewall VARDIR=/var/lib/shorewall 
@@ -8484,11 +8653,236 @@ do_initialize() { trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 + ensure_config_path + + VERSION_FILE=$SHAREDIR/version + + [ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE) + + run_user_exit params + + config=$(find_file shorewall.conf) + + if [ -f $config ]; then + if [ -r $config ]; then + progress_message "Processing $config..." + . $config + else + fatal_error "Cannot read $config (Hint: Are you root?)" + fi + else + fatal_error "$config does not exist!" + fi + + # + # Restore CONFIG_PATH if the shorewall.conf file cleared it + # + ensure_config_path + # + # Determine the capabilities of the installed iptables/netfilter + # We load the kernel modules here to accurately determine + # capabilities when module autoloading isn't enabled. + # + PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) + + [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] + + if [ -z "$EXPORT" -a "$(whoami)" = root ]; then + + load_kernel_modules + + if [ -z "$IPTABLES" ]; then + IPTABLES=$(mywhich iptables 2> /dev/null) + + [ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable" + else + [ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable" + fi + determine_capabilities + + else + f=$(find_file capabilities) + + [ -f $f ] && . 
$f || fatal_error "The -e flag requires a capabilities file" + fi + + ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)" + [ -n "$ALLOWRELATED" ] || \ + fatal_error "ALLOWRELATED=No is not supported" + ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)" + + if [ -n "${LOGRATE}${LOGBURST}" ]; then + LOGLIMIT="--match limit" + [ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE" + [ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST" + fi + + if [ -n "$IP_FORWARDING" ]; then + case "$IP_FORWARDING" in + [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp]) + ;; + *) + fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING" + ;; + esac + else + IP_FORWARDING=On + fi + + [ -n "${BLACKLIST_DISPOSITION:=DROP}" ] + + case "$CLAMPMSS" in + [0-9]*) + ;; + *) + CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) + ;; + esac + + ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) + ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) + LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS) + DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) + FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) + [ -n "$FORWARDPING" ] && \ + fatal_error "FORWARDPING=Yes is no longer supported" + + maclist_target=reject + + if [ -n "$MACLIST_DISPOSITION" ] ; then + case $MACLIST_DISPOSITION in + REJECT) + ;; + DROP) + maclist_target=DROP + ;; + ACCEPT) + maclist_target=RETURN + ;; + *) + fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION" + ;; + esac + else + MACLIST_DISPOSITION=REJECT + fi + + if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then + case $TCP_FLAGS_DISPOSITION in + REJECT|ACCEPT|DROP) + ;; + *) + fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION" + ;; + esac + else + TCP_FLAGS_DISPOSITION=DROP + fi + + [ -n "${RFC1918_LOG_LEVEL:=info}" ] + + MARK_IN_FORWARD_CHAIN=$(added_param_value_no 
MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) + [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre + CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) + + if [ -n "$LOGFORMAT" ]; then + if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then + LOGRULENUMBERS=Yes + temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null) + if [ $? -ne 0 ]; then + fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" + fi + else + temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) + if [ $? -ne 0 ]; then + fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" + fi + fi + + [ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" + else + LOGFORMAT="Shorewall:%s:%s:" + fi + ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) + BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) + DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) + BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) + DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) + [ -n "$DYNAMIC_ZONES" -a -n "$EXPORT" ] && fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" + STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) + RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) + [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= + DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) + LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) + RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) + SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) + MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) + FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) + IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) + HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) + [ -n 
"$XCONNMARK_MATCH" ] || XCONNMARK= + [ -n "$XMARK" ] || XCONNMARK= + + [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" + + case ${IPSECFILE:=ipsec} in + ipsec|zones) + ;; + *) + fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option" + ;; + esac + + case ${MACLIST_TABLE:=filter} in + filter) + ;; + mangle) + [ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle" + ;; *) + fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option" + ;; + esac + + TC_SCRIPT= + + if [ -n "$TC_ENABLED" ] ; then + case "$TC_ENABLED" in + [Yy][Ee][Ss]) + TC_ENABLED= + TC_SCRIPT=$(find_file tcstart) + [ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file" + ;; + [Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll]) + TC_ENABLED=Yes + ;; + [Nn][Oo]) + TC_ENABLED= + ;; + esac + else + TC_ENABLED=Yes + fi + + if [ -n "$TC_ENABLED" ];then + [ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables" + fi + + [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD" + # # Strip the files that we use often # strip_file interfaces strip_file hosts + # + # Check out the user's shell + # + [ -n "${SHOREWALL_SHELL:=/bin/sh}" ] + + temp=$(decodeaddr 192.168.1.1) + if [ $(encodeaddr $temp) != 192.168.1.1 ]; then + fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" + fi if [ -z "$KLUDGEFREE" ]; then rm -f $TMP_DIR/physdev @@ -8512,12 +8906,14 @@ usage() { # # Start trace if first arg is "debug" # -[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; env >&2; } +[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } NOLOCK= [ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; } +trap "exit 2" 1 2 3 4 5 6 9 + COMMAND="$1" case "$COMMAND" in 
diff --git a/Shorewall/firewall b/Shorewall/firewall index 39af93e40..b328917b5 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -383,6 +383,31 @@ macrecent_target() # $1 - interface [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN } +# +# Functions for creating dynamic zone rules +# +dynamic_fwd() # $1 = interface +{ + echo $(chain_base $1)_dynf +} + +dynamic_in() # $1 = interface +{ + echo $(chain_base $1)_dyni +} + +dynamic_out() # $1 = interface +{ + echo $(chain_base $1)_dyno +} + +dynamic_chains() #$1 = interface +{ + local c=$(chain_base $1) + + echo ${c}_dyni ${c}_dynf ${c}_dyno +} + # # DNAT Chain from a zone # 
@@ -1300,6 +1325,95 @@ clear_firewall() { logger "Shorewall Cleared" } +# +# Process the ipsec information in the zones file +# +setup_ipsec() { + local zone using_ipsec= + + do_options() # $1 = _in, _out or "" - $2 = option list + { + local option opts newoptions= val + + [ x${2} = x- ] && return + + opts=$(separate_list $2) + + for option in $opts; do + val=${option#*=} + + case $option in + mss=[0-9]*) ;; + strict) newoptions="$newoptions --strict" ;; + next) newoptions="$newoptions --next" ;; + reqid=*) newoptions="$newoptions --reqid $val" ;; + spi=*) newoptions="$newoptions --spi $val" ;; + proto=*) newoptions="$newoptions --proto $val" ;; + mode=*) newoptions="$newoptions --mode $val" ;; + tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;; + tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;; + reqid!=*) newoptions="$newoptions ! --reqid $val" ;; + spi!=*) newoptions="$newoptions ! --spi $val" ;; + proto!=*) newoptions="$newoptions ! --proto $val" ;; + mode!=*) newoptions="$newoptions ! --mode $val" ;; + tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;; + tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;; + *) fatal_error "Invalid option \"$option\" for zone $zone" ;; + esac + done + + if [ -n "$newoptions" ]; then + [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" + eval ${zone}_is_complex=Yes + eval ${zone}_ipsec${1}_options=\"${newoptions# }\" + fi + } + + case $IPSECFILE in + zones) + f=zones + progress_message "Setting up IPSEC..." + ;; + *) + f=$IPSECFILE + strip_file $f + progress_message "Processing $f..." 
+ using_ipsec=Yes + ;; + esac + + while read zone type options in_options out_options mss; do + expandv zone type options in_options out_options mss + + if [ -n "$using_ipsec" ]; then + validate_zone1 $zone || fatal_error "Unknown zone: $zone" + fi + + if [ -n "$type" ]; then + if [ -n "$using_ipsec" ]; then + case $type in + No|no) + ;; + Yes|yes) + [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" + eval ${zone}_is_ipsec=Yes + eval ${zone}_is_complex=Yes + eval ${zone}_type=ipsec4 + ;; + *) + fatal_error "Invalid IPSEC column contents" + ;; + esac + fi + + do_options "" $options + do_options "_in" $in_options + do_options "_out" $out_options + fi + + done < $TMP_DIR/$f +} + # # Delete existing Proxy ARP # @@ -1369,6 +1483,34 @@ delete_nat() { [ -d $STATEDIR ] && touch $STATEDIR/nat } +# +# Setup Network Mapping (NETMAP) +# +setup_netmap() { + + while read type net1 interface net2 ; do + expandv type net1 interface net2 + + list_search $interface $ALL_INTERFACES || \ + fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\"" + + case $type in + DNAT) + addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2 + ;; + SNAT) + addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2 + ;; + *) + fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\"" + ;; + esac + + progress_message " Network $net1 on $interface mapped to $net2 ($type)" + + done < $TMP_DIR/netmap +} + # # Setup ECN disabling rules # 
@@ -1693,6 +1835,368 @@ refresh_firewall() rm -rf $TMP_DIR } +# +# Add a host or networks to a zone +# +add_to_zone() # $1...${n-1} = [:] $n = zone +{ + local interface host zone z h z1 z2 chain + local dhcp_interfaces blacklist_interfaces maclist_interfaces + local tcpflags_interfaces newhostlist= + local rulenum source_chain dest_hosts iface hosts hostlist= + + nat_chain_exists() # $1 = chain name + { + qt $IPTABLES -t nat -L $1 -n + } + + do_iptables() # $@ = command + { + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + + if ! $IPTABLES $@ ; then + error_message "ERROR: Can't add $newhost to zone $zone" + fi + } + + # + # Load $zones + # + determine_zones + # + # Validate Interfaces File + # + validate_interfaces_file + # + # Validate Hosts File + # + validate_hosts_file + # + # Validate IPSec File + # + f=$(find_file $IPSECFILE) + + [ -f $f ] && setup_ipsec $f + # + # Normalize host list + # + while [ $# -gt 1 ]; do + interface=${1%%:*} + host=${1#*:} + # + # Be sure that the interface was dynamic at last [re]start + # + if ! chain_exists $(input_chain $interface) ; then + startup_error "Unknown interface $interface" + fi + + if ! 
chain_exists $(dynamic_in $interface) ; then + startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" + fi + + if [ -z "$host" ]; then + hostlist="$hostlist $interface:0.0.0.0/0" + else + for h in $(separate_list $host); do + hostlist="$hostlist $interface:$h" + done + fi + + shift + done + # + # Validate Zone + # + zone=$1 + + validate_zone $zone || startup_error "Unknown zone: $zone" + + [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" + + # + # Be sure that Shorewall has been restarted using a DZ-aware version of the code + # + [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" + [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" + # + # Check for duplicates and create a new zone state file + # + > ${VARDIR}/zones_$$ + + while read z type hosts; do + if [ "$z" = "$zone" ]; then + for h in $hostlist; do + list_search $h $hosts + if [ "$?" -gt 0 ]; then + newhostlist="$newhostlist $h" + else + error_message "$h already in zone $zone" + fi + done + + [ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist" + fi + + eval ${z}_hosts=\"$hosts\" + + echo "$z $type $hosts" >> ${VARDIR}/zones_$$ + done < ${VARDIR}/zones + + mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones + + TERMINATOR=fatal_error + # + # Create a new Zone state file + # + for newhost in $newhostlist; do + # + # Isolate interface and host parts + # + interface=${newhost%%:*} + host=${newhost#*:} + # + # If the zone passed in the command has a dnat chain then insert a rule in + # the nat table PREROUTING chain to jump to that chain when the source + # matches the new host(s)# + # + chain=${zone}_dnat + + if nat_chain_exists $chain; then + do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain + fi + # + # Insert new rules into the filter table for the passed interface + # + while read z1 z2 chain; do + [ "$z1" = "$z2" ] && op="-I" || op="-A" + if [ 
"$z1" = "$zone" ]; then + if [ "$z2" = "$FW" ]; then + do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain + else + source_chain=$(dynamic_fwd $interface) + if is_ipsec_host $z1 $newhost ; then + do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd + else + eval dest_hosts=\"\$${z2}_hosts\" + + for h in $dest_hosts; do + iface=${h%%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain + fi + done + fi + fi + elif [ "$z2" = "$zone" ]; then + if [ "$z1" = "$FW" ]; then + # + # Add a rule to the dynamic out chain for the interface + # + do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + else + eval source_hosts=\"\$${z1}_hosts\" + + for h in $source_hosts; do + iface=${h%%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + if is_ipsec_host $z1 $h; then + do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + else + do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + fi + fi + done + fi + fi + done < ${VARDIR}/chains + + progress_message "$newhost added to zone $zone" + + done + + rm -rf $TMP_DIR +} + +# +# Delete a host or networks from a zone +# +delete_from_zone() # $1 = [:] $2 = zone +{ + local interface host zone z h z1 z2 chain delhost + local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces + local rulenum source_chain dest_hosts iface hosts hostlist= + + # + # Load $zones + # + determine_zones + # + # Validate Interfaces File + # + validate_interfaces_file + # + # Validate Hosts File + # + validate_hosts_file + # + # 
Validate IPSec File + # + f=$(find_file ipsec) + + [ -f $f ] && setup_ipsec $f + + # + # Normalize host list + # + while [ $# -gt 1 ]; do + interface=${1%%:*} + host=${1#*:} + # + # Be sure that the interface was dynamic at last [re]start + # + if ! chain_exists $(input_chain $interface) ; then + startup_error "Unknown interface $interface" + fi + + if ! chain_exists $(dynamic_in $interface) ; then + startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" + fi + + if [ -z "$host" ]; then + hostlist="$hostlist $interface:0.0.0.0/0" + else + for h in $(separate_list $host); do + hostlist="$hostlist $interface:$h" + done + fi + + shift + done + # + # Validate Zone + # + zone=$1 + + validate_zone $zone || startup_error "Unknown zone: $zone" + + [ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone" + + # + # Be sure that Shorewall has been restarted using a DZ-aware version of the code + # + [ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found" + [ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found" + # + # Delete the passed hosts from the zone state file + # + > ${VARDIR}/zones_$$ + + while read z hosts; do + if [ "$z" = "$zone" ]; then + temp=$hosts + hosts= + + for host in $hostlist; do + found= + for h in $temp; do + if [ "$h" = "$host" ]; then + found=Yes + break + fi + done + + [ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone" + done + + for h in $temp; do + found= + for host in $hostlist; do + if [ "$h" = "$host" ]; then + found=Yes + break + fi + done + + [ -n "$found" ] || hosts="$hosts $h" + done + fi + + eval ${z}_hosts=\"$hosts\" + + echo "$z $hosts" >> ${VARDIR}/zones_$$ + done < ${VARDIR}/zones + + mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones + + TERMINATOR=fatal_error + + for delhost in $hostlist; do + interface=${delhost%%:*} + host=${delhost#*:} + # + # Delete any nat table entries for the host(s) + # + qt_iptables -t nat -D 
$(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat + # + # Delete rules rules the input chains for the passed interface + # + while read z1 z2 chain; do + if [ "$z1" = "$zone" ]; then + if [ "$z2" = "$FW" ]; then + qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain + else + source_chain=$(dynamic_fwd $interface) + if is_ipsec_host $z1 $delhost ; then + qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd + else + eval dest_hosts=\"\$${z2}_hosts\" + + [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist" + + for h in $dest_hosts; do + iface=${h%%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain + fi + done + fi + fi + elif [ "$z2" = "$zone" ]; then + if [ "$z1" = "$FW" ]; then + qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain + else + eval source_hosts=\"\$${z1}_hosts\" + + for h in $source_hosts; do + iface=${h%%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + if is_ipsec_host $z1 $h; then + qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain + else + qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain + fi + fi + done + fi + fi + done < ${VARDIR}/chains + + progress_message "$delhost removed from zone $zone" + + done + + rm -rf $TMP_DIR +} + # # Determine the value for a parameter that defaults to Yes # @@ -1799,6 +2303,7 @@ do_initialize() { SMURF_LOG_LEVEL= DISABLE_IPV6= BRIDGING= + DYNAMIC_ZONES= PKTTYPE= USEPKTYPE= RETAIN_ALIASES= 
@@ -2002,6 +2507,7 @@ do_initialize() { BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) + DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES) STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= @@ -2012,6 +2518,11 @@ do_initialize() { MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) + HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) + [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= + [ -n "$XMARK" ] || XCONNMARK= + + [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support" case ${IPSECFILE:=ipsec} in ipsec|zones) @@ -2162,6 +2673,36 @@ case "$COMMAND" in my_mutex_off ;; + add) + [ $# -lt 3 ] && usage + do_initialize + my_mutex_on + if ! shorewall_is_started ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 2; + fi + shift + add_to_zone $@ + my_mutex_off + ;; + + delete) + [ $# -lt 3 ] && usage + do_initialize + my_mutex_on + if ! shorewall_is_started ; then + echo "Shorewall Not Started" + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + my_mutex_off + exit 2; + fi + shift + delete_from_zone $@ + my_mutex_off + ;; + call) # # Undocumented way to call functions in ${SHAREDIR}/firewall directly diff --git a/Shorewall/help b/Shorewall/help index 61831ffba..d67d9698c 100755 --- a/Shorewall/help +++ b/Shorewall/help 
@@ -28,6 +28,28 @@ case $1 in +add) + echo "add: add [:] ... + Adds a list of hosts or subnets to a dynamic zone usually used with VPN's. + + shorewall add interface:host-list ... zone - Adds the specified interface + (and host-list if included) to the specified zone. + + A host-list is a comma-separated list whose elements are: + + A host or network address + The name of a bridge port + The name of a bridge port followed by a colon (":") and a host or + network address. + + Example: + + shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 + from interface ipsec0 to the zone vpn1. + + See also \"help host\"" + ;; + address|host) echo "<$1>: May be either a host IP address such as 192.168.1.4 or a network address in @@ -100,6 +122,28 @@ debug) The word 'trace' is a synonym for 'debug'." ;; +delete) + echo "delete: delete [:] ... + Deletes a list of hosts or networks from a dynamic zone usually used with VPN's. + + shorewall delete interface[:host-list] ... zone - Deletes the specified + interfaces (and host list if included) from the specified zone. + + A host-list is a comma-separated list whose elements are: + + A host or network address + The name of a bridge port + The name of a bridge port followed by a colon (":") and a host or + network address. + + Example: + + shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address + 192.0.2.24 from interface ipsec0 from zone vpn1 + + See also \"help host\"" + ;; + drop) echo "$1: $1
... Causes packets from the specified
to be ignored diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 5b8e831cd..29efad2a4 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.3.0 +Shorewall 3.2.1 Note to users upgrading from Shorewall 2.x or 3.0 
@@ -31,17 +31,561 @@ Note to users upgrading from Shorewall 2.x or 3.0 Please see the "Migration Considerations" below for additional upgrade information. -Problems corrected in 3.3.0 +Problems Corrected in 3.2.1 None. -Migration Issues. - -1) Support for dynamic zones has been removed from Shorewall - (/sbin/shorewall add and delete commands). Use ipsets to define - your dynamic zones as described at - http://www.shorewall.net/DynamicZones.html. - -New Features. +Other changes in 3.2.1 None. + +Migration Considerations: + +1) If you are upgrading from Shorewall 2.x, it is essential that you read + the Shorewall 3.0.8 (or later) release notes: + + http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.8/releasenotes.txt + +2) A number of macros have been split into two. The macros affected are: + + IMAP LDAP NNTP POP3 SMTP + + Each of these macros now handles only traffic on the native (plaintext) + port. There is a corresponding macro with S added to the end of the + name for the SSL version of the same protocol. Thus each macro results + in the insertion of only one port per invocation. + + The Web macro has not been split, but two new macros, HTTP and HTTPS have + been created. The Web macro is deprecated in favour of these new macros, + and may be removed from future Shorewall releases. + + These changes have been made to ensure no unexpected ports are opened due + to the use of macros. + +3) In previous Shorewall releases, DNAT and REDIRECT rules supported a + special syntax for exclusion of a sub-zone from the effect of the rule. + + Example: + + Z2 is a subzone of Z1: + + DNAT Z1!Z2 loc:192.168.1.4 ... + + That feature has never worked correctly when Z2 is a dynamic zone. + Furthermore, now that Shorewall supports exclusion lists, the capability + is redundant since the above rule can now be written in the form: + + DNAT Z1:! loc:192.168.1.4 ... + + Beginning with Shorewall 3.2.0, the special exclusion syntax will no + longer be supported. 
+ +4) Important if you use the QUEUE target. + + In the /etc/shorewall/rules file and in actions, you may now specify + 'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also + requires that the SYN flag is set and the RST, FIN and ACK flags be + off ("--syn" is added to the iptables rule). + + As part of this change, Shorewall no longer adds the "--syn" option + to TCP rules that specify QUEUE as their target. + +5) Extension Scripts may require change + + In previous releases, extension scripts were executed during [re]start + by using the Bourne Shell "." operator. In addition to executing commands + during [re]start, these scripts had to "save" the commands to be executed + during "shorewall restore". + + This clumsiness has been eliminated in Shorewall 3.2. In Shorewall 3.2, + extension scripts are copied in-line into the compiled program and are + executed in-line during "start", "restart" and "restore". This + applies to all extension scripts except those associated with a + chain or action -- those extension scripts continue to be processed + at compile time. + + This new approach has two implications for existing scripts. + + a) It is no longer necessary to save the commands; so functions like + 'save_command', 'run_and_save_command' and 'ensure_and_save_command' + need no longer be called. For convenience, the generated program will + supply functions with these names: + + save_command() - does nothing + run_and_save_command() - runs the passed command + ensure_and_save_command() - runs the passed command and + stops/restores the firewall if the + command fails. + + These functions should provide for transparent migration of + scripts that use them until you can get around to eliminating + their use completely. + + b) When the extension script is copied into the compiled program, it + is indented to line up with the surrounding code. 
If you have 'awk' + installed on your system, the Shorewall compiler will correctly handle + line continuation (last character on the line = "\"). If you do not + have awk, it will not be possible to use line-continuation in your + extension scripts. + + In no case is it possible to continue a quoted string over multiple lines + without having additional whitespace inserted into the string. + +6) Beginning with this release, the way in which packet marking in the + PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers + has changed in two ways: + + a) Packets arriving on a tracked interface are now passed to the PREROUTING + marking chain so that they may be marked with a mark other than the + 'track' mark (the connection still retains the 'track' mark). + + b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets + in the PREROUTING chain (i.e., you can specify a mark value of zero). + +7) Kernel version 2.6.16 introduces 'xtables', a new common packet + filtering and connection tracking facility that supports both IPv4 + and IPv6. Because a different set of kernel modules must be loaded + for xtables, Shorewall now includes two 'modules' files: + + a) /usr/share/shorewall/modules -- the former + /etc/shorewall/modules + + b) /usr/share/shorewall/xmodules -- a new file that support + xtables. + + If you wish to use the new file, then simply execute this command: + + cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules + +New Features: + +1) Shorewall has always been very noisy (lots of messages). No longer. + + You set the default level of verbosity using the VERBOSITY option in + shorewall.conf. If you don't set it (as would be the case of you use your + old shorewall.conf file) then VERBOSITY defaults to a value of 2 which + results in behavior compatible with previous Shorewall versions. + A value of 1 suppresses some of the output (like the old -q option did) + while a value of 0 makes Shorewall almost silent. 
A value of -1 + suppresses all output except warning and error messages. + + The value specified in the 3.2 shorewall.conf is 1. So you can make + Shorewall as verbose as previously using a single -v and you can make it + almost silent by using a single -q. + + If VERBOSITY is set at 2, you can still make a command nearly + silent by using two "q"s (e.g., shorewall -qq restart). + + In summary, each "q" subtracts one from VERBOSITY while each "v" adds one + to VERBOSITY. + + The "shorewall show log", "shorewall logwatch" and "shorewall dump" + commands require VERBOSITY to be greater than or equal to 3 to + display MAC addresses.This is consistent with the previous + implementation which required a single -v to enable MAC display but + means that if you set VERBOSITY=0 in shorewall.conf, then you will + need to include -vvv in commands that display log records in order + to have MACs displayed. + + To make the display of MAC addresses less cumbersome, a '-m' option has + been added to the "show" and logwatch commands: + + shorewall show -m log + shorewall logwatch -m + +2) A new 'shorewall compile' command has been added. + + shorewall compile [ -e ] [ ]
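Review bot: In delete_from_zone (Shorewall/firewall), the IPsec branch of the forwarding-rule cleanup passes $newhost to match_ipsec_in, but the loop variable here is delhost and newhost is not assigned anywhere in the visible part of the function. The line `qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd` will therefore build its match from an empty host argument and may not match the rule that was inserted when the host was added. The zones state file has already been rewritten by that point, so if qt_iptables discards the failure as its name suggests, the host is recorded as removed while its jump to ${z1}_frwd stays in the chain. Use $delhost, as the neighbouring branches do. The comment "Delete rules rules the input chains" in the same loop also needs rewording.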
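Review bot: In the new add) and delete) cases of the COMMAND switch (Shorewall/firewall), `add_to_zone $@` and `delete_from_zone $@` expand the arguments unquoted, so any interface:host-list argument containing whitespace or a glob character is re-split or expanded against the current directory before the function sees it. Pass "$@" in both places. The two cases are otherwise identical down to the "Shorewall Not Started" cleanup path; a small shared helper would keep the mutex release and TMP_DIR removal from drifting apart.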
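Review bot: In the do_initialize hunk that adds HIGH_ROUTE_MARKS, the startup_error text lists all three requirements (extended CONNMARK target, extended CONNMARK match, extended MARK) without saying which one is absent, because XCONNMARK is cleared by two separate tests on XCONNMARK_MATCH and XMARK before the single combined check. Report the specific missing capability so an administrator can tell what the kernel or iptables build lacks. The `[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ]` test would also be clearer as two `[ ... ]` tests joined with &&.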
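Review bot: In the add) entry of Shorewall/help, the synopsis line "shorewall add interface:host-list ... zone" shows the host-list as mandatory, while the sentence that follows says "(and host-list if included)" and the delete) entry writes "interface[:host-list]". Use the bracketed form in both entries so the help text agrees with itself and with the code path in delete_from_zone that defaults an empty host to 0.0.0.0/0. "VPN's" in both entries should be "VPNs".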
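Review bot: The restored text in Shorewall/releasenotes.txt carries several typos that are worth fixing while the file is being touched: "interracts" in Migration Considerations item 6, "a new file that support xtables" in item 7, "as would be the case of you use your old shorewall.conf file" and "MAC addresses.This" (missing space) in New Features item 1. None changes the meaning, but item 1 documents the VERBOSITY thresholds that users will rely on, so it should read cleanly.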