holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Back out all post 3.2 changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4229 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-07-16 23:06:18 +00:00
parent 91626f050a
commit 3f9c8996bb
8 changed files with 1860 additions and 508 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/accounting
View File

@ -1,5 +1,5 @@
# #
# Shorewall version 3.4 - Accounting File # Shorewall version 3.2 - Accounting File
# #
# /etc/shorewall/accounting # /etc/shorewall/accounting
# #

283
Shorewall/changelog.txt
View File

@ -1,5 +1,282 @@
Changes in 3.3.1 Changes in 3.2.1
1) Once again, remove dynamic zones. 1) Change the detection of physdev match to use
--physdev-out. Preparation for removal of physdev-out match
capability.
2) Lay the groundwork for rewriting the compiler in Perl 2) Add missing edits to configuration parameters in firewall script.
-------------------------------------------------------------------------------
Changes in 3.2.0 Final
1) Avoid extraneous double quotes in log rules generated at run-time.
Changes in 3.2.0 RC 6
1) Correct generation of the balanced default route.
2) Allow 'detect' in the ADDRESS column of the masq file.
3) Correct some permission problems.
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 5
1) Fix DOA 'LITEDIR' problem in /sbin/shorewall.
2) Stop the compiler from running iptables.
3) Avoid problem with ash.
4) Make the 'try' command use the correct SHOREWALL_SHELL.
5) Don't defer Action/chain extension script processing until
run-time.
6) Run extension script for policy chains.
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 4
1) Fix permissions on Limit file.
2) Make progress messages product-specific.
3) Add 'reload' command.
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 3
1) Remove hard directory references from compiled programs.
2) Fix /nat <-> /proxyarp typo.
3) Avoid use of symbolic link for /sbin/shorewall
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 2
1) Update versions.
2) Rationalize the use of IPTABLES and LOGFORMAT.
3) Allow Shorewall/Shorewall-lite coexistance under RPM
-------------------------------------------------------------------------------
Changes in 3.2.0 RC 1
1) Update versions.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 8
1) Issue more helpful BRIDGING=No error messages.
2) Implement "all-" in rules file.
3) Add xmodules file.
4) Detect devices in tcdevices entries.
5) Fix for white-space in log prefix.
6) Fix rule parsing of single excluded MAC address.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 7
1) Fix mark/mask validation.
2) Restore traffic control to 'refresh'.
3) Detect MTU for entries in /etc/shorewall/tcdevices.
4) Avoid fatal error after missing forwardUPnP rule warning.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 6
1) Fix tc "notfound" errors when 'restart' is run out of ip-up.local.
2) Allow 'detectnets' to work.
3) Add TOS column to tcrules.
4) Fix 'proxyarp' interface attribute handling.
5) Fix default route generation in providers handling.
6) Change interraction of 'track' and PREROUTING marking.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 5
1) Fix compilation problem on LEAF Bering.
2) Remove traffic shaping code from the 'firewall' script to avoid
unmaintainable code duplication.
3) Fix DETECT_DNAT_IPADDRS=No bug.
4) Handle absense of mangle FORWARD chain.
5) Rename the rtrules file to route_rules.
6) Fix deletion of SNAT ip addresses.
7) Accomodate ancient kernel's with no FORWARD or POSTROUTING in mangle.
8) Clear SUBSYSLOCK on Debian/Ubuntu installs.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 4
1) Fix 'routeback' with bridge ports.
2) Add support for explicit routing rules.
3) Fix mktempdir problem.
4) Implement HIGH_ROUTE_MARKS
Changes in 3.2.0 Beta 3
1) Correct handling of verbosity in the 'try' command.
2) Add IMPLICIT_CONTINUE option to shorewall.conf.
3) Fix SAME/ADD_SNAT_ALIASES interaction.
-------------------------------------------------------------------------------
Changes in 3.2.0 Beta 2
1) Make "shorewall start -f" work correctly.
2) Remove SUBSYSLOCK code from default and debian footers.
3) Add 'refreshed' extension script.
4) Implement 'logdrop' and 'logreject'
-------------------------------------------------------------------------------
Changes in 3.1.x. and 3.2.x
1) Removal of dynamic zones.
2) Implement 'generate' command.
3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq).
4) Add back dynamic zones.
5) Allow remote compiles.
6) Change output of 'generate' to always be the file name entered (do not
prepend /var/lib/shorewall/)
7) Remove some restrictions on remote compiles.
8) Add error checking to generated script.
9) Merge Fabio Longerai's 'length' patch.
10) Add the "-p" option to the compile command.
11) Fix 'check' bug in setup_masq
12) Break compiler/firewall into two files
13) Make Shoreall quiet for a change.
14) Make "Compile-and-go" the only mode of operation.
15) Remove -p
16) Apply Tuomo's patches for IPSEC and Noecho.
17) Fix bridging
18) Fix QUEUE when used in the ESTABLISHED section.
19) Apply Ed Suominen's patch to tcrules.
-------------------------------------------------------------------------------
3.1.5
20) Speed up compilation by rewriting 'fix_bang()'.
21) Correct GATEWAY handling in the providers file.
22) Remove sub-zone exclusion from DNAT/REDIRECT.
23) Add compiled-program/library versioning scheme.
-------------------------------------------------------------------------------
3.1.6
24) Apply Steven Springl's help patch.
25) Fix 'allow/drop/reject' while Shorewall not running.
26) Implement bi-directional macros.
27) Fix TC bridge port handling.
28) Fix/document "check -e"
29) Automatically use capabilities file when non-root.
30) Correct typo in help file ("help drop").
31) Added 'tcpsyn'
-------------------------------------------------------------------------------
3.1.7
32) Change 'tcpsyn' to 'tcp:syn'
33) Remove superfluous rules in MAC validation.
34) Correct Makefile.
35) Add -t option
36) Restore log messages.
37) Fix "shorewall capabilities" with VERBOSITY < 2.
-------------------------------------------------------------------------------
3.1.8
38) Remove compile-time running of extension scripts.
39) Correctly handle interfaces named 'inet'.
40) SUBSYSLOCK functionality restored.
-------------------------------------------------------------------------------
3.1.9
41) Fix Provider route generation when a specific gateway is specified.
42) Be sure that restore file name is preserved regardless of 'set --' in
define_firewall().)
43) Add Simon's redhat prog files.
44) Add 'delete_nat' to compiled program.
45) Move 'shorecap' to /usr/share/shorewall
46) Add debian prog files.
47) Correct syntax error in validate_policy()
-------------------------------------------------------------------------------
3.2.0 Beta 1.
48) Streamlined some code in setup_tc1()
49) Process /etc/shorewall/params at run-time.
50) Add new modules to /etc/shorewall/modules.
51) Make default behavior of "compile" distribution-neutral.

402
Shorewall/compiler
View File

@ -613,6 +613,31 @@ macrecent_target() # $1 - interface
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
} }
#
# Functions for creating dynamic zone rules
#
dynamic_fwd() # $1 = interface
{
echo $(chain_base $1)_dynf
}
dynamic_in() # $1 = interface
{
echo $(chain_base $1)_dyni
}
dynamic_out() # $1 = interface
{
echo $(chain_base $1)_dyno
}
dynamic_chains() #$1 = interface
{
local c=$(chain_base $1)
echo ${c}_dyni ${c}_dynf ${c}_dyno
}
# #
# DNAT Chain from a zone # DNAT Chain from a zone
# #
@ -7321,6 +7346,22 @@ __EOF__
done done
fi fi
if [ -n "$DYNAMIC_ZONES" ]; then
progress_message "$DOING Dynamic Zone Chains..."
for interface in $ALL_INTERFACES; do
for chain in $(dynamic_chains $interface); do
createchain $chain no
done
chain=$(dynamic_in $interface)
createnatchain $chain
run_iptables -A $(input_chain $interface) -j $chain
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
done
fi
# #
# UPnP # UPnP
# #
@ -7452,6 +7493,12 @@ activate_rules()
addnatjump POSTROUTING $(snat_chain $interface) -o $interface addnatjump POSTROUTING $(snat_chain $interface) -o $interface
done done
# #
# Add jumps for dynamic nat chains
#
[ -n "$DYNAMIC_ZONES" ] && for interface in $ALL_INTERFACES ; do
addrulejump PREROUTING $(dynamic_in $interface) -i $interface
done
#
# Add jumps from the builtin chains to the nat chains # Add jumps from the builtin chains to the nat chains
# #
addnatjump PREROUTING nat_in addnatjump PREROUTING nat_in
@ -7482,8 +7529,10 @@ activate_rules()
if [ -n "$is_ipsec" ]; then if [ -n "$is_ipsec" ]; then
eval source_hosts=\$${zone}_hosts eval source_hosts=\$${zone}_hosts
[ -n "$DYNAMIC_ZONES" ] && create_zone_dyn_chain $zone $frwd_chain
else else
eval source_hosts=\$${zone}_ipsec_hosts eval source_hosts=\$${zone}_ipsec_hosts
[ -n "$DYNAMIC_ZONES" -a -n "$source_hosts" ] && create_zone_dyn_chain $zone $frwd_chain
fi fi
for host in $source_hosts; do for host in $source_hosts; do
@ -7509,6 +7558,11 @@ activate_rules()
echo $zone $type $source_hosts >> $STATEDIR/zones echo $zone $type $source_hosts >> $STATEDIR/zones
if [ -n "$DYNAMIC_ZONES" ]; then
echo "$FW $zone $chain1" >> $STATEDIR/chains
echo "$zone $FW $chain2" >> $STATEDIR/chains
fi
need_broadcast= need_broadcast=
for host in $source_hosts; do for host in $source_hosts; do
@ -7558,6 +7612,8 @@ activate_rules()
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
[ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains
if [ $zone = $zone1 ]; then if [ $zone = $zone1 ]; then
# #
# Try not to generate superfluous intra-zone rules # Try not to generate superfluous intra-zone rules
@ -8438,12 +8494,126 @@ __EOF__
} }
#
# Determine the value for a parameter that defaults to Yes
#
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo "Yes"
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
fatal_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Determine the value for a parameter that defaults to No
#
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo ""
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
fatal_error "Invalid value ($val) for $1"
;;
esac
fi
}
# #
# Initialize this program # Initialize this program
# #
do_initialize() { do_initialize() {
# Run all utility programs using the C locale
#
# Thanks to Vincent Planchenault for this tip #
export LC_ALL=C
# Make sure umask is sane
umask 077
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
#
# Establish termination function
#
TERMINATOR=fatal_error TERMINATOR=fatal_error
#
# Clear all configuration variables
#
VERSION=
IPTABLES=
FW=
SUBSYSLOCK=
ALLOWRELATED=Yes
LOGRATE=
LOGBURST=
LOGPARMS=
LOGLIMIT=
ADD_IP_ALIASES=
ADD_SNAT_ALIASES=
TC_ENABLED=
BLACKLIST_DISPOSITION=
BLACKLIST_LOGLEVEL=
CLAMPMSS=
ROUTE_FILTER=
LOG_MARTIANS=
DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT=
FORWARDPING=
MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL=
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN=
FUNCTIONS=
VERSION_FILE=
LOGFORMAT=
LOGRULENUMBERS=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
MODULE_SUFFIX=
ACTIONS=
USEDACTIONS=
SMURF_LOG_LEVEL=
DISABLE_IPV6=
BRIDGING=
DYNAMIC_ZONES=
PKTTYPE=
USEPKTYPE=
RETAIN_ALIASES=
DELAYBLACKLISTLOAD=
LOGTAGONLY=
LOGALLNEW=
RFC1918_STRICT=
MACLIST_TTL=
SAVE_IPSETS=
RESTOREFILE=
MAPOLDACTIONS=
IMPLICIT_CONTINUE=
HIGH_ROUTE_MARKS=
OUTPUT= OUTPUT=
TMP_DIR= TMP_DIR=
@ -8452,6 +8622,7 @@ do_initialize() {
IPSECMARK=256 IPSECMARK=256
PROVIDERS= PROVIDERS=
CRITICALHOSTS= CRITICALHOSTS=
IPSECFILE=
EXCLUSION_SEQ=1 EXCLUSION_SEQ=1
STOPPING= STOPPING=
HAVE_MUTEX= HAVE_MUTEX=
@ -8459,8 +8630,6 @@ do_initialize() {
SECTION=ESTABLISHED SECTION=ESTABLISHED
SECTIONS= SECTIONS=
ALL_PORTS= ALL_PORTS=
ACTIONS=
USEDACTIONS=
SHAREDIR=/usr/share/shorewall SHAREDIR=/usr/share/shorewall
VARDIR=/var/lib/shorewall VARDIR=/var/lib/shorewall
@ -8484,11 +8653,236 @@ do_initialize() {
trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9 trap "[ -n "$OUTPUT" ] && rm -f $OUTPUT;rm -rf $TMP_DIR; exit 2" 1 2 3 4 5 6 9
ensure_config_path
VERSION_FILE=$SHAREDIR/version
[ -f $VERSION_FILE ] && VERSION=$(cat $VERSION_FILE)
run_user_exit params
config=$(find_file shorewall.conf)
if [ -f $config ]; then
if [ -r $config ]; then
progress_message "Processing $config..."
. $config
else
fatal_error "Cannot read $config (Hint: Are you root?)"
fi
else
fatal_error "$config does not exist!"
fi
#
# Restore CONFIG_PATH if the shorewall.conf file cleared it
#
ensure_config_path
#
# Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules here to accurately determine
# capabilities when module autoloading isn't enabled.
#
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
load_kernel_modules
if [ -z "$IPTABLES" ]; then
IPTABLES=$(mywhich iptables 2> /dev/null)
[ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
determine_capabilities
else
f=$(find_file capabilities)
[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
fi
ALLOWRELATED="$(added_param_value_yes ALLOWRELATED $ALLOWRELATED)"
[ -n "$ALLOWRELATED" ] || \
fatal_error "ALLOWRELATED=No is not supported"
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
fi
if [ -n "$IP_FORWARDING" ]; then
case "$IP_FORWARDING" in
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
;;
*)
fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
;;
esac
else
IP_FORWARDING=On
fi
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
[ -n "$FORWARDPING" ] && \
fatal_error "FORWARDPING=Yes is no longer supported"
maclist_target=reject
if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in
REJECT)
;;
DROP)
maclist_target=DROP
;;
ACCEPT)
maclist_target=RETURN
;;
*)
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
;;
esac
else
MACLIST_DISPOSITION=REJECT
fi
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
if [ -n "$LOGFORMAT" ]; then
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
LOGRULENUMBERS=Yes
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
else
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
fi
[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
else
LOGFORMAT="Shorewall:%s:%s:"
fi
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
[ -n "$DYNAMIC_ZONES" -a -n "$EXPORT" ] && fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option"
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK=
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
case ${IPSECFILE:=ipsec} in
ipsec|zones)
;;
*)
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
;;
esac
case ${MACLIST_TABLE:=filter} in
filter)
;;
mangle)
[ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
;; *)
fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
;;
esac
TC_SCRIPT=
if [ -n "$TC_ENABLED" ] ; then
case "$TC_ENABLED" in
[Yy][Ee][Ss])
TC_ENABLED=
TC_SCRIPT=$(find_file tcstart)
[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
;;
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
TC_ENABLED=Yes
;;
[Nn][Oo])
TC_ENABLED=
;;
esac
else
TC_ENABLED=Yes
fi
if [ -n "$TC_ENABLED" ];then
[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
fi
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
# #
# Strip the files that we use often # Strip the files that we use often
# #
strip_file interfaces strip_file interfaces
strip_file hosts strip_file hosts
#
# Check out the user's shell
#
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
temp=$(decodeaddr 192.168.1.1)
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
if [ -z "$KLUDGEFREE" ]; then if [ -z "$KLUDGEFREE" ]; then
rm -f $TMP_DIR/physdev rm -f $TMP_DIR/physdev
@ -8512,12 +8906,14 @@ usage() {
# #
# Start trace if first arg is "debug" # Start trace if first arg is "debug"
# #
[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; env >&2; } [ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
NOLOCK= NOLOCK=
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; } [ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
trap "exit 2" 1 2 3 4 5 6 9
COMMAND="$1" COMMAND="$1"
case "$COMMAND" in case "$COMMAND" in

541
Shorewall/firewall
View File

@ -383,6 +383,31 @@ macrecent_target() # $1 - interface
[ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
} }
#
# Functions for creating dynamic zone rules
#
dynamic_fwd() # $1 = interface
{
echo $(chain_base $1)_dynf
}
dynamic_in() # $1 = interface
{
echo $(chain_base $1)_dyni
}
dynamic_out() # $1 = interface
{
echo $(chain_base $1)_dyno
}
dynamic_chains() #$1 = interface
{
local c=$(chain_base $1)
echo ${c}_dyni ${c}_dynf ${c}_dyno
}
# #
# DNAT Chain from a zone # DNAT Chain from a zone
# #
@ -1300,6 +1325,95 @@ clear_firewall() {
logger "Shorewall Cleared" logger "Shorewall Cleared"
} }
#
# Process the ipsec information in the zones file
#
setup_ipsec() {
local zone using_ipsec=
do_options() # $1 = _in, _out or "" - $2 = option list
{
local option opts newoptions= val
[ x${2} = x- ] && return
opts=$(separate_list $2)
for option in $opts; do
val=${option#*=}
case $option in
mss=[0-9]*) ;;
strict) newoptions="$newoptions --strict" ;;
next) newoptions="$newoptions --next" ;;
reqid=*) newoptions="$newoptions --reqid $val" ;;
spi=*) newoptions="$newoptions --spi $val" ;;
proto=*) newoptions="$newoptions --proto $val" ;;
mode=*) newoptions="$newoptions --mode $val" ;;
tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;;
tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;;
reqid!=*) newoptions="$newoptions ! --reqid $val" ;;
spi!=*) newoptions="$newoptions ! --spi $val" ;;
proto!=*) newoptions="$newoptions ! --proto $val" ;;
mode!=*) newoptions="$newoptions ! --mode $val" ;;
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;;
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;;
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
esac
done
if [ -n "$newoptions" ]; then
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_complex=Yes
eval ${zone}_ipsec${1}_options=\"${newoptions# }\"
fi
}
case $IPSECFILE in
zones)
f=zones
progress_message "Setting up IPSEC..."
;;
*)
f=$IPSECFILE
strip_file $f
progress_message "Processing $f..."
using_ipsec=Yes
;;
esac
while read zone type options in_options out_options mss; do
expandv zone type options in_options out_options mss
if [ -n "$using_ipsec" ]; then
validate_zone1 $zone || fatal_error "Unknown zone: $zone"
fi
if [ -n "$type" ]; then
if [ -n "$using_ipsec" ]; then
case $type in
No|no)
;;
Yes|yes)
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
eval ${zone}_is_ipsec=Yes
eval ${zone}_is_complex=Yes
eval ${zone}_type=ipsec4
;;
*)
fatal_error "Invalid IPSEC column contents"
;;
esac
fi
do_options "" $options
do_options "_in" $in_options
do_options "_out" $out_options
fi
done < $TMP_DIR/$f
}
# #
# Delete existing Proxy ARP # Delete existing Proxy ARP
# #
@ -1369,6 +1483,34 @@ delete_nat() {
[ -d $STATEDIR ] && touch $STATEDIR/nat [ -d $STATEDIR ] && touch $STATEDIR/nat
} }
#
# Setup Network Mapping (NETMAP)
#
setup_netmap() {
while read type net1 interface net2 ; do
expandv type net1 interface net2
list_search $interface $ALL_INTERFACES || \
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
case $type in
DNAT)
addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
;;
SNAT)
addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
;;
*)
fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
;;
esac
progress_message " Network $net1 on $interface mapped to $net2 ($type)"
done < $TMP_DIR/netmap
}
# #
# Setup ECN disabling rules # Setup ECN disabling rules
# #
@ -1693,6 +1835,368 @@ refresh_firewall()
rm -rf $TMP_DIR rm -rf $TMP_DIR
} }
#
# Add a host or networks to a zone
#
add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
{
local interface host zone z h z1 z2 chain
local dhcp_interfaces blacklist_interfaces maclist_interfaces
local tcpflags_interfaces newhostlist=
local rulenum source_chain dest_hosts iface hosts hostlist=
nat_chain_exists() # $1 = chain name
{
qt $IPTABLES -t nat -L $1 -n
}
do_iptables() # $@ = command
{
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! $IPTABLES $@ ; then
error_message "ERROR: Can't add $newhost to zone $zone"
fi
}
#
# Load $zones
#
determine_zones
#
# Validate Interfaces File
#
validate_interfaces_file
#
# Validate Hosts File
#
validate_hosts_file
#
# Validate IPSec File
#
f=$(find_file $IPSECFILE)
[ -f $f ] && setup_ipsec $f
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
#
# Be sure that the interface was dynamic at last [re]start
#
if ! chain_exists $(input_chain $interface) ; then
startup_error "Unknown interface $interface"
fi
if ! chain_exists $(dynamic_in $interface) ; then
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
fi
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
#
# Validate Zone
#
zone=$1
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
[ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
#
# Check for duplicates and create a new zone state file
#
> ${VARDIR}/zones_$$
while read z type hosts; do
if [ "$z" = "$zone" ]; then
for h in $hostlist; do
list_search $h $hosts
if [ "$?" -gt 0 ]; then
newhostlist="$newhostlist $h"
else
error_message "$h already in zone $zone"
fi
done
[ -z "$hosts" ] && hosts=$newhostlist || hosts="$hosts $newhostlist"
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $type $hosts" >> ${VARDIR}/zones_$$
done < ${VARDIR}/zones
mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
TERMINATOR=fatal_error
#
# Create a new Zone state file
#
for newhost in $newhostlist; do
#
# Isolate interface and host parts
#
interface=${newhost%%:*}
host=${newhost#*:}
#
# If the zone passed in the command has a dnat chain then insert a rule in
# the nat table PREROUTING chain to jump to that chain when the source
# matches the new host(s)#
#
chain=${zone}_dnat
if nat_chain_exists $chain; then
do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain
fi
#
# Insert new rules into the filter table for the passed interface
#
while read z1 z2 chain; do
[ "$z1" = "$z2" ] && op="-I" || op="-A"
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
else
source_chain=$(dynamic_fwd $interface)
if is_ipsec_host $z1 $newhost ; then
do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
else
eval dest_hosts=\"\$${z2}_hosts\"
for h in $dest_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi
done
fi
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
#
# Add a rule to the dynamic out chain for the interface
#
do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then
do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
else
do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
fi
fi
done
fi
fi
done < ${VARDIR}/chains
progress_message "$newhost added to zone $zone"
done
rm -rf $TMP_DIR
}
#
# Delete a host or networks from a zone
#
delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
{
local interface host zone z h z1 z2 chain delhost
local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces
local rulenum source_chain dest_hosts iface hosts hostlist=
#
# Load $zones
#
determine_zones
#
# Validate Interfaces File
#
validate_interfaces_file
#
# Validate Hosts File
#
validate_hosts_file
#
# Validate IPSec File
#
f=$(find_file ipsec)
[ -f $f ] && setup_ipsec $f
#
# Normalize host list
#
while [ $# -gt 1 ]; do
interface=${1%%:*}
host=${1#*:}
#
# Be sure that the interface was dynamic at last [re]start
#
if ! chain_exists $(input_chain $interface) ; then
startup_error "Unknown interface $interface"
fi
if ! chain_exists $(dynamic_in $interface) ; then
startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
fi
if [ -z "$host" ]; then
hostlist="$hostlist $interface:0.0.0.0/0"
else
for h in $(separate_list $host); do
hostlist="$hostlist $interface:$h"
done
fi
shift
done
#
# Validate Zone
#
zone=$1
validate_zone $zone || startup_error "Unknown zone: $zone"
[ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone"
#
# Be sure that Shorewall has been restarted using a DZ-aware version of the code
#
[ -f ${VARDIR}/chains ] || startup_error "${VARDIR}/chains -- file not found"
[ -f ${VARDIR}/zones ] || startup_error "${VARDIR}/zones -- file not found"
#
# Delete the passed hosts from the zone state file
#
> ${VARDIR}/zones_$$
while read z hosts; do
if [ "$z" = "$zone" ]; then
temp=$hosts
hosts=
for host in $hostlist; do
found=
for h in $temp; do
if [ "$h" = "$host" ]; then
found=Yes
break
fi
done
[ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
done
for h in $temp; do
found=
for host in $hostlist; do
if [ "$h" = "$host" ]; then
found=Yes
break
fi
done
[ -n "$found" ] || hosts="$hosts $h"
done
fi
eval ${z}_hosts=\"$hosts\"
echo "$z $hosts" >> ${VARDIR}/zones_$$
done < ${VARDIR}/zones
mv -f ${VARDIR}/zones_$$ ${VARDIR}/zones
TERMINATOR=fatal_error
for delhost in $hostlist; do
interface=${delhost%%:*}
host=${delhost#*:}
#
# Delete any nat table entries for the host(s)
#
qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat
#
# Delete rules rules the input chains for the passed interface
#
while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then
qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain
else
source_chain=$(dynamic_fwd $interface)
if is_ipsec_host $z1 $delhost ; then
qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
else
eval dest_hosts=\"\$${z2}_hosts\"
[ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist"
for h in $dest_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
fi
done
fi
fi
elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then
qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
if is_ipsec_host $z1 $h; then
qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
else
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain
fi
fi
done
fi
fi
done < ${VARDIR}/chains
progress_message "$delhost removed from zone $zone"
done
rm -rf $TMP_DIR
}
# #
# Determine the value for a parameter that defaults to Yes # Determine the value for a parameter that defaults to Yes
# #
@ -1799,6 +2303,7 @@ do_initialize() {
SMURF_LOG_LEVEL= SMURF_LOG_LEVEL=
DISABLE_IPV6= DISABLE_IPV6=
BRIDGING= BRIDGING=
DYNAMIC_ZONES=
PKTTYPE= PKTTYPE=
USEPKTYPE= USEPKTYPE=
RETAIN_ALIASES= RETAIN_ALIASES=
@ -2002,6 +2507,7 @@ do_initialize() {
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY) BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6) DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING) BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES= [ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
@ -2012,6 +2518,11 @@ do_initialize() {
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS) MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK=
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && startup_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
case ${IPSECFILE:=ipsec} in case ${IPSECFILE:=ipsec} in
ipsec|zones) ipsec|zones)
@ -2162,6 +2673,36 @@ case "$COMMAND" in
my_mutex_off my_mutex_off
;; ;;
add)
[ $# -lt 3 ] && usage
do_initialize
my_mutex_on
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
shift
add_to_zone $@
my_mutex_off
;;
delete)
[ $# -lt 3 ] && usage
do_initialize
my_mutex_on
if ! shorewall_is_started ; then
echo "Shorewall Not Started"
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
my_mutex_off
exit 2;
fi
shift
delete_from_zone $@
my_mutex_off
;;
call) call)
# #
# Undocumented way to call functions in ${SHAREDIR}/firewall directly # Undocumented way to call functions in ${SHAREDIR}/firewall directly

44
Shorewall/help
View File

@ -28,6 +28,28 @@
case $1 in case $1 in
add)
echo "add: add <interface>[:<host-list>] ... <zone>
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
shorewall add interface:host-list ... zone - Adds the specified interface
(and host-list if included) to the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.
See also \"help host\""
;;
address|host) address|host)
echo "<$1>: echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in May be either a host IP address such as 192.168.1.4 or a network address in
@ -100,6 +122,28 @@ debug)
The word 'trace' is a synonym for 'debug'." The word 'trace' is a synonym for 'debug'."
;; ;;
delete)
echo "delete: delete <interface>[:<host-list>] ... <zone>
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
shorewall delete interface[:host-list] ... zone - Deletes the specified
interfaces (and host list if included) from the specified zone.
A host-list is a comma-separated list whose elements are:
A host or network address
The name of a bridge port
The name of a bridge port followed by a colon (":") and a host or
network address.
Example:
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1
See also \"help host\""
;;
drop) drop)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored Causes packets from the specified <address> to be ignored

564
Shorewall/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 3.3.0 Shorewall 3.2.1
Note to users upgrading from Shorewall 2.x or 3.0 Note to users upgrading from Shorewall 2.x or 3.0
@ -31,17 +31,561 @@ Note to users upgrading from Shorewall 2.x or 3.0
Please see the "Migration Considerations" below for additional upgrade Please see the "Migration Considerations" below for additional upgrade
information. information.
Problems corrected in 3.3.0 Problems Corrected in 3.2.1
None. None.
Migration Issues. Other changes in 3.2.1
1) Support for dynamic zones has been removed from Shorewall
(/sbin/shorewall add and delete commands). Use ipsets to define
your dynamic zones as described at
http://www.shorewall.net/DynamicZones.html.
New Features.
None. None.
Migration Considerations:
1) If you are upgrading from Shorewall 2.x, it is essential that you read
the Shorewall 3.0.8 (or later) release notes:
http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.8/releasenotes.txt
2) A number of macros have been split into two. The macros affected are:
IMAP LDAP NNTP POP3 SMTP
Each of these macros now handles only traffic on the native (plaintext)
port. There is a corresponding macro with S added to the end of the
name for the SSL version of the same protocol. Thus each macro results
in the insertion of only one port per invocation.
The Web macro has not been split, but two new macros, HTTP and HTTPS have
been created. The Web macro is deprecated in favour of these new macros,
and may be removed from future Shorewall releases.
These changes have been made to ensure no unexpected ports are opened due
to the use of macros.
3) In previous Shorewall releases, DNAT and REDIRECT rules supported a
special syntax for exclusion of a sub-zone from the effect of the rule.
Example:
Z2 is a subzone of Z1:
DNAT Z1!Z2 loc:192.168.1.4 ...
That feature has never worked correctly when Z2 is a dynamic zone.
Furthermore, now that Shorewall supports exclusion lists, the capability
is redundant since the above rule can now be written in the form:
DNAT Z1:!<list of exclusions> loc:192.168.1.4 ...
Beginning with Shorewall 3.2.0, the special exclusion syntax will no
longer be supported.
4) Important if you use the QUEUE target.
In the /etc/shorewall/rules file and in actions, you may now specify
'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also
requires that the SYN flag is set and the RST, FIN and ACK flags be
off ("--syn" is added to the iptables rule).
As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target.
5) Extension Scripts may require change
In previous releases, extension scripts were executed during [re]start
by using the Bourne Shell "." operator. In addition to executing commands
during [re]start, these scripts had to "save" the commands to be executed
during "shorewall restore".
This clumsiness has been eliminated in Shorewall 3.2. In Shorewall 3.2,
extension scripts are copied in-line into the compiled program and are
executed in-line during "start", "restart" and "restore". This
applies to all extension scripts except those associated with a
chain or action -- those extension scripts continue to be processed
at compile time.
This new approach has two implications for existing scripts.
a) It is no longer necessary to save the commands; so functions like
'save_command', 'run_and_save_command' and 'ensure_and_save_command'
need no longer be called. For convenience, the generated program will
supply functions with these names:
save_command() - does nothing
run_and_save_command() - runs the passed command
ensure_and_save_command() - runs the passed command and
stops/restores the firewall if the
command fails.
These functions should provide for transparent migration of
scripts that use them until you can get around to eliminating
their use completely.
b) When the extension script is copied into the compiled program, it
is indented to line up with the surrounding code. If you have 'awk'
installed on your system, the Shorewall compiler will correctly handle
line continuation (last character on the line = "\"). If you do not
have awk, it will not be possible to use line-continuation in your
extension scripts.
In no case is it possible to continue a quoted string over multiple lines
without having additional whitespace inserted into the string.
6) Beginning with this release, the way in which packet marking in the
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
has changed in two ways:
a) Packets arriving on a tracked interface are now passed to the PREROUTING
marking chain so that they may be marked with a mark other than the
'track' mark (the connection still retains the 'track' mark).
b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
in the PREROUTING chain (i.e., you can specify a mark value of zero).
7) Kernel version 2.6.16 introduces 'xtables', a new common packet
filtering and connection tracking facility that supports both IPv4
and IPv6. Because a different set of kernel modules must be loaded
for xtables, Shorewall now includes two 'modules' files:
a) /usr/share/shorewall/modules -- the former
/etc/shorewall/modules
b) /usr/share/shorewall/xmodules -- a new file that support
xtables.
If you wish to use the new file, then simply execute this command:
cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules
New Features:
1) Shorewall has always been very noisy (lots of messages). No longer.
You set the default level of verbosity using the VERBOSITY option in
shorewall.conf. If you don't set it (as would be the case of you use your
old shorewall.conf file) then VERBOSITY defaults to a value of 2 which
results in behavior compatible with previous Shorewall versions.
A value of 1 suppresses some of the output (like the old -q option did)
while a value of 0 makes Shorewall almost silent. A value of -1
suppresses all output except warning and error messages.
The value specified in the 3.2 shorewall.conf is 1. So you can make
Shorewall as verbose as previously using a single -v and you can make it
almost silent by using a single -q.
If VERBOSITY is set at 2, you can still make a command nearly
silent by using two "q"s (e.g., shorewall -qq restart).
In summary, each "q" subtracts one from VERBOSITY while each "v" adds one
to VERBOSITY.
The "shorewall show log", "shorewall logwatch" and "shorewall dump"
commands require VERBOSITY to be greater than or equal to 3 to
display MAC addresses.This is consistent with the previous
implementation which required a single -v to enable MAC display but
means that if you set VERBOSITY=0 in shorewall.conf, then you will
need to include -vvv in commands that display log records in order
to have MACs displayed.
To make the display of MAC addresses less cumbersome, a '-m' option has
been added to the "show" and logwatch commands:
shorewall show -m log
shorewall logwatch -m
2) A new 'shorewall compile' command has been added.
shorewall compile [ -e ] [ <config directory> ] <script file>
where:
-e Allows the generated script to run
on a system with Shorewall Lite installed.
Generates an error if the configuration uses
an option that would prevent the generated
script from running on a system other than
where the 'compile' command is running (see
additional consideration a) below).
<config directory> Is an optional directory to be searched for
configuration files prior to those listed
in CONFIG_PATH in
/etc/shorewall/shorewall.conf.
<script file> Is the name of the output file.
The 'compile' command processes the configuration and generates a
script file which may then be executed (either directly or using the
'shorewall restore' command) to configure the firewall.
The generated script contains error checking and will terminate if an
important command fails. Before terminating:
a) The script will check for the existence of the restore script
specified by the RESTOREFILE variable in shorewall.conf. If that
restore script exists, it is executed.
b) If the restore script doesn't exist but Shorewall appears to be
installed on the system, the equivalent of an
"/sbin/shorewall stop" command is executed.
Some additional considerations:
a) When you run 'compile' on one system and then run the generated script
on another system under Shorewall Lite, there are certain limitations.
1) A compatible version of Shorewall Lite must be running on the remote
system. Going forward, the goal is that any minor version of
the current major version will be compatible. So if the
program is compiled using Shorewall 3.2.x, any 3.2.y version
or 3.p.q version (where p > 2) of Shorewall Lite will be compatible.
2) The 'detectnets' interface option is not allowed.
3) DYNAMIC_ZONES=Yes is not allowed.
4) You must supply the file /etc/shorewall/capabilities to provide
the compiler with knowledge of the capabilities of the system
where the script is to be run. See below.
5) If your /etc/shorewall/params file contains code other than simple
assignment statements with contant values, then you should move
that code to /etc/shorewall/init. That way, the code will be
executed on the target system when the compiled script is run and
not on the local system at compile time.
b) If you run the "shorewall compile" or "shorewall check" commands under
a user other than 'root', then you must supply
/etc/shorewall/capabilities.
c) To aid in building /etc/shorewall/capabilities, a 'shorecap' program
is provided in the Shorewall Lite package and is installed in
/usr/share/shorewall-lite/shorecap when you install Shorewall Lite.
For instructions about running shorecap, see the comments at the
top of the program file (it's a simple shell script).
The "shorewall start" and "shorewall restart" commands have been
rewritten to use compilation. They both compile a temporary program
then run it. This results in a slightly longer elapsed time than the
similar commands required under earlier versions of Shorewall but new
connections are blocked for a much smaller percentage of that time.
If an error is found during the compilation phase, /sbin/shorewall
terminates and the Shorewall state is unchanged.
Under Shorewall 3.1.5, "shorewall restart" takes roughly 16.5 seconds
on my firewall:
real 0m16.599s
user 0m6.292s
sys 0m9.885s
Of the elapsed 16.5 seconds, new connections are disabled less than
3.5 seconds. Here are some numbers for comparison:
A) shorewall restart (Shorewall 3.0.4)
real    0m17.540s
user    0m5.956s
sys     0m10.737s
B) ./foo restart # foo created using "shorewall compile"
real 0m3.297s
user 0m1.444s
sys 0m1.728s
C) shorewall restore (Shorewall 3.0.4) # Restores from file generated by
# "shorewall save"
real    0m1.164s
user    0m0.556s
sys     0m0.608s
D) shorewall restore (shorewall 3.1.5)
real 0m1.637s
user 0m0.728s
sys 0m0.584s
The time difference between B and C reflects the difference between
"iptables-restore" and multiple executions of "iptables". The time
difference between C and D results from the fact that the "restore"
command in Shorewall 3.1 runs the compiled program in a way that
turns all iptables commands into no-ops then invokes
iptables-restore. The system is a 1.4Ghz Celeron with 512MB RAM.
As a final part of this change, the "check" command now compiles the
current configuration and writes the compiled output to /dev/null. So
"check" performs all of the same validation that compile does. Note that
there is still no guarantee that the generated script won't encounter
run-time errors.
2) The /etc/shorewall/maclist file has a new column layout. The first column
is now DISPOSITION. This column determines what to do with matching
packets and can have the value ACCEPT or DROP (if MACLIST_TABLE=filter, it
can also contain REJECT). This change is upward compatible so your existing
maclist file can still be used.
ACCEPT, DROP and REJECT may be optionally followed by a log level to
cause the packet to be logged.
4) In macro files, you can now use the reserved words SOURCE and DEST
in the columns of the same names. When Shorewall expands the
macro, it will substitute the SOURCE from the macro invocation for
SOURCE and the DEST from the invocation for DEST. This allows you
to write macros that act in both directions (from source to destination
and from destination to source).
Example:
macro.FOO:
PARAM SOURCE DEST udp 500
PARAM DEST SOURCE udp 500
/etc/shorewall/rules:
FOO/ACCEPT fw net
Resulting rules:
ACCEPT fw net udp 500
ACCEPT net fw udp 500
This new feature has been used to implement the SMBBI macro.
SMBBI is the same as the SMB macro with the exception that
it passes SMB traffic in both directions whereas SMB only
passes that traffic in one direction.
5) In the /etc/shorewall/rules file and in actions, you may now specify
'tcp:syn' in the PROTO column. 'tcp:syn' is equivalent to 'tcp' but also
requires that the SYN flag is set and the RST, FIN and ACK flags be
off ("--syn" is added to the iptables rule).
As part of this change, Shorewall no longer adds the "--syn" option
to TCP rules that specify QUEUE as their target.
6) /sbin/shorewall now supports a "-t" option that causes all progress
messages to be timestamped.
Example (VERBOSITY=0 in shorewall.conf):
gateway:/etc/shorewall # shorewall -t restart
07:08:51 Compiling...
07:09:05 Shorewall configuration compiled to /var/lib/shorewall/.restart
07:09:05 Restarting Shorewall....
07:09:08 done.
gateway:/etc/shorewall #
7) A 'refreshed' extension script has been added -- it is executed after
"shorewall refresh" has finished.
8) Two new dynamic blacklisting commands have been added:
logdrop -- like 'drop' but causes the dropped packets to be logged.
logreject -- like 'reject' but causes the rejected packets to be
logged.
Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the
last "shorewall [re]start"; otherwise, they are logged at the 'info'
log level.
9) A new IMPLICIT_CONTINUE option has been added to shorewall.conf. When
this option is set to "Yes", it causes subzones to be treated differently
with respect to policies.
Subzones are defined by following their name with ":" and a list of parent
zones (in /etc/shorewall/zones). Normally, you want to have a set of
special rules for the subzone and if a connection doesn't match any of
those subzone-specific rules then you want the parent zone rules and
policies to be applied. With IMPLICIT_CONTINUE=Yes, that happens
automatically.
If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
subzones are not subject to this special treatment.
With IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
by including an explicit policy (one that does not specify "all" in either
the SOURCE or the DEST columns).
Example:
/etc/shorewall/zones:
prnt ipv4
chld:prnt ipv4
Traffic to/from the 'chld' zone will first pass through the applicable
'chld' rules and if none of those rules match then it will be passed through
the appropriate 'prnt' rules. If the connection request does not match
any of the 'prnt' rules then the relevant 'prnt' policy is applied.
If you want the fw->chld policy to be ACCEPT, simply add this entry to
/etc/shorewall/policy:
$FW chld ACCEPT
Traffic from all other zones to 'chld' will be subject to the implicit
CONTINUE policy.
10) Shorewall now includes support for explicit routing rules when the
/etc/shorewall/providers file is used. A new file,
/etc/shorewall/route_rules can be used to add routing rules based on
packet source and/or destination.
The file has the following columns:
SOURCE(optonal) An ip address (network or host) that
matches the source IP address in a packet.
May also be specified as an interface
name optionally followed by ":" and an
address. If the define 'lo' is specified,
the packet must originate from the firewall
itself.
DEST(optional) An ip address (network or host) that
matches the destination IP address in a packet.
If you choose to omit either SOURCE or DEST,
place "-" in the column. Note that you
may not omit both SOURCE and DEST.
PROVIDER The provider to route the traffic through.
May be expressed either as the provider name
or the provider number. You may also specify
the 'main' routing table here, either by
name or by number (254).
PRIORITY
The rule's priority which determines the order
in which the rules are processed.
1000-1999 Before Shorewall-generated
'MARK' rules
11000- 11999 After 'MARK' rules but before
Shorewall-generated rules for
provider interfaces.
26000-26999 After provider interface rules but
before 'default' rule.
Rules with equal priority are applied in
the order in which they appear in the file.
Example 1: You want all traffic coming in on eth1 to be routed to the ISP1
provider:
#PROVIDER PRIORITY SOURCE DEST
ISP1 1000 eth1
Example 2: You use OpenVPN (routed setup /tunX) in combination with multiple
providers. In this case you have to set up a rule to ensure that
the OpenVPN traffic is routed back through the tunX interface(s)
rather than through any of the providers. 10.8.0.0/24 is the
subnet choosen in your OpenVPN configuration (server 10.8.0.0
255.255.255.0)
#SOURCE DEST PROVIDER PRIORITY
- 10.8.0.0/24 main 1000
11) Prior to now, it has not been possible to use connection marking in
/etc/shorewall/tcrules if you have a multi-ISP configuration that uses the
'track' option.
Beginning with this release, you may now set HIGH_ROUTE_MARKS=Yes in
shorewall.conf to effectively divide the packet mark and connection mark
into two 8-bit mark fields.
When you do this:
a) The MARK field in the providers file must have a value that is
less than 65536 and that is a multiple of 256 (using hex
representation, the values are 0x0100-0xFF00 with the low-order
8 bits being zero).
b) You may only set those mark values in the PREROUTING chain.
c) Marks used for traffic shaping must still be in the range of 1-255
and may still not be set in the PREROUTING chain.
d) When you SAVE or RESTORE in tcrules, only the TC mark value is
saved or restored. Shorewall handles saving and restoring the
routing (provider) marks.
12) A TOS column has been added to /etc/shorewall/tcrules. This allows marking
based on the contents of the TOS field in the packet header.
13) Beginning with this release, the way in which packet marking in the
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
has changed in two ways:
a) Packets *arriving* on a tracked interface are now passed to the PREROUTING
marking chain so that they may be marked with a mark other than the
'track' mark (the connection still retains the 'track' mark).
b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
in the PREROUTING chain (i.e., you can specify a mark value of zero).
14) Shorewall will now attempt to detect the MTU of devices listed in
/etc/shorewall/tcdevices and will use the detected MTU in setting
up traffic shaping.
15) In /etc/shorewall/rules, the values "all-" and "all+-" may now be
used for zone names. "all-" means "All zones except the firewall";
"all+-" means "All zones except the firewall" and intra-zone
traffic is included.
16) Kernel version 2.6.16 introduces 'xtables', a new common packet
filtering and connection tracking facility that supports both IPv4
and IPv6. Because a different set of kernel modules must be loaded
for xtables, Shorewall now includes two 'modules' files:
a) /usr/share/shorewall/modules -- the former
/etc/shorewall/modules
b) /usr/share/shorewall/xmodules -- a new file that support
xtables.
If you wish to use the new file, then simply execute this command:
cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules
17) Shorewall now checks to see if devices in /etc/shorewall/tcdevices
exist. If a device does not exist, a warning message is issued and
that device's entries in /etc/shorewall/tcclasses are ignored. This
applies to "shorewall start", "shorewall restart" and "shorewall
refresh".
18) "load" and "reload" commands have been added. These commands allow
a non-root user with ssh access to a remote system running
Shorewall Lite to compile a firewall script on the local system and
to install that script on the remote system.
Syntax is:
shorewall [re]load [ <directory> ] <system>
If <directory> is omitted, the current working directory is
assumed.
The command is equivalent to:
/sbin/shorewall compile -e <directory> firewall &&\
scp firewall root@<system>:/var/lib/shorewall-lite/ &&\
ssh root@<system> '/sbin/shorewall-lite [re]start' # Note 1
In other words, the configuration in the specified (or defaulted)
directory is compiled to a file called firewall in that
directory. If compilation succeeds, then 'firewall' is copied to the
(usually remote) <system> using scp. If the copy succeeds,
Shorewall Lite on <system> is started or restarted via ssh (
load causes Shorewall Lite to be started and 'reload' causes
Shorewall Lite to be re-started)
Note 1: In Shorewall Lite 3.2.0 RC4, the 'firewall' script has moved
from /usr/share/shorewall-lite/ to /var/lib/shorewall-lite in
packages from shorewall.net. The package maintainers for the
various distributions are free to choose the directory where the
script will be stored under their distribution by altering the
value of LITEDIR in /usr/share/shorewall/configpath. You can run the
"shorewall show config" command to see how your distribution
defines LITEDIR.

522
Shorewall/shorewall
View File

@ -31,6 +31,8 @@
# #
# Commands are: # Commands are:
# #
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall dump Dumps all Shorewall-related information # shorewall dump Dumps all Shorewall-related information
# for problem analysis # for problem analysis
# shorewall start Starts the firewall # shorewall start Starts the firewall
@ -283,464 +285,6 @@ get_config() {
} }
#
# Determine the value for a parameter that defaults to Yes
#
added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo "Yes"
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
fatal_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Determine the value for a parameter that defaults to No
#
added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
{
local val="$2"
if [ -z "$val" ]; then
echo ""
else case $val in
[Yy][Ee][Ss])
echo "Yes"
;;
[Nn][Oo])
echo ""
;;
*)
fatal_error "Invalid value ($val) for $1"
;;
esac
fi
}
#
# Process the shell-style configuration files that set variables needed by the compiler
# To allow the compiler to be rewritten in a language other than Bourne Shell, we need
# to pass all of those setting to the compiler in environmental variables
#
do_initialize() {
#
# Generate a sequence of 'export' commands corresponding to the variables set in
# the user's params file.
#
export_params() {
f=$(find_file params)
if [ -f $f ]; then
read_file $f 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' | while read line; do
case $line in
*=*)
echo export ${line%=*}
;;
esac
done
fi
}
# Run all utility programs using the C locale
#
# Thanks to Vincent Planchenault for this tip #
export LC_ALL=C
# Make sure umask is sane
umask 077
#
# Establish termination function
#
TERMINATOR=fatal_error
#
# Clear all configuration variables
#
IPTABLES=
FW=
SUBSYSLOCK=
LOGRATE=
LOGBURST=
LOGPARMS=
LOGLIMIT=
ADD_IP_ALIASES=
ADD_SNAT_ALIASES=
TC_ENABLED=
BLACKLIST_DISPOSITION=
BLACKLIST_LOGLEVEL=
CLAMPMSS=
ROUTE_FILTER=
LOG_MARTIANS=
DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT=
FORWARDPING=
MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL=
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN=
LOGFORMAT=
LOGRULENUMBERS=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
MODULE_SUFFIX=
SMURF_LOG_LEVEL=
DISABLE_IPV6=
BRIDGING=
PKTTYPE=
RETAIN_ALIASES=
DELAYBLACKLISTLOAD=
LOGTAGONLY=
LOGALLNEW=
RFC1918_STRICT=
MACLIST_TTL=
SAVE_IPSETS=
RESTOREFILE=
MAPOLDACTIONS=
IMPLICIT_CONTINUE=
HIGH_ROUTE_MARKS=
IPSECFILE=
CLEAR_TC=
FASTACCEPT=
run_user_exit params
config=$(find_file shorewall.conf)
if [ -f $config ]; then
if [ -r $config ]; then
progress_message "Processing $config..."
. $config
else
fatal_error "Cannot read $config (Hint: Are you root?)"
fi
else
fatal_error "$config does not exist!"
fi
#
# Restore CONFIG_PATH if the shorewall.conf file cleared it
#
ensure_config_path
#
# Determine the capabilities of the installed iptables/netfilter
# We load the kernel modules here to accurately determine
# capabilities when module autoloading isn't enabled.
#
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
if [ -z "$EXPORT" -a "$(whoami)" = root ]; then
load_kernel_modules
if [ -z "$IPTABLES" ]; then
IPTABLES=$(mywhich iptables 2> /dev/null)
[ -z "$IPTABLES" ] && fatal_error "Can't find iptables executable"
else
[ -e "$IPTABLES" ] || fatal_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
fi
determine_capabilities
else
f=$(find_file capabilities)
[ -f $f ] && . $f || fatal_error "The -e flag requires a capabilities file"
fi
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
if [ -n "${LOGRATE}${LOGBURST}" ]; then
LOGLIMIT="--match limit"
[ -n "$LOGRATE" ] && LOGLIMIT="$LOGLIMIT --limit $LOGRATE"
[ -n "$LOGBURST" ] && LOGLIMIT="$LOGLIMIT --limit-burst $LOGBURST"
fi
if [ -n "$IP_FORWARDING" ]; then
case "$IP_FORWARDING" in
[Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
;;
*)
fatal_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
;;
esac
else
IP_FORWARDING=On
fi
[ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
maclist_target=reject
if [ -n "$MACLIST_DISPOSITION" ] ; then
case $MACLIST_DISPOSITION in
REJECT)
;;
DROP)
maclist_target=DROP
;;
ACCEPT)
maclist_target=RETURN
;;
*)
fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
;;
esac
else
MACLIST_DISPOSITION=REJECT
fi
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
fatal_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
[ -n "${RFC1918_LOG_LEVEL:=info}" ]
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
[ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
if [ -n "$LOGFORMAT" ]; then
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
LOGRULENUMBERS=Yes
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
else
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi
fi
[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
else
LOGFORMAT="Shorewall:%s:%s:"
fi
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
[ -n "${ADD_IP_ALIASES}${ADD_SNAT_ALIASES}" ] || RETAIN_ALIASES=
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK=
[ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
case ${IPSECFILE:=ipsec} in
ipsec|zones)
;;
*)
fatal_error "Invalid value ($IPSECFILE) for IPSECFILE option"
;;
esac
case ${MACLIST_TABLE:=filter} in
filter)
;;
mangle)
[ $MACLIST_DISPOSITION = reject ] && fatal_error "MACLIST_DISPOSITION=REJECT is not allowed with MACLIST_TABLE=mangle"
;; *)
fatal_error "Invalid value ($MACLIST_TABLE) for MACLIST_TABLE option"
;;
esac
TC_SCRIPT=
if [ -n "$TC_ENABLED" ] ; then
case "$TC_ENABLED" in
[Yy][Ee][Ss])
TC_ENABLED=
TC_SCRIPT=$(find_file tcstart)
[ -f $TC_SCRIPT ] || fatal_error "Unable to find tcstart file"
;;
[Ii][Nn][Tt][Ee][Rr][Nn][Aa][Ll])
TC_ENABLED=Yes
;;
[Nn][Oo])
TC_ENABLED=
;;
esac
else
TC_ENABLED=Yes
fi
if [ -n "$TC_ENABLED" ];then
[ -n "$MANGLE_ENABLED" ] || fatal_error "Traffic Shaping requires mangle support in your kernel and iptables"
fi
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
#
# Check out the user's shell
#
[ -n "${SHOREWALL_SHELL:=/bin/sh}" ]
temp=$(decodeaddr 192.168.1.1)
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
#
# Export variables set in shorewall.conf
#
# Logging
export LOGFORMAT
export LOGTAGONLY
export LOGRATE
export LOGBURST
export LOGALLNEW
export BLACKLIST_LOGLEVEL
export MACLIST_LOG_LEVEL
export TCP_FLAGS_LOG_LEVEL
export RFC1918_LOG_LEVEL
export SMURF_LOG_LEVEL
export LOG_MARTIANS
# Files and directories
export IPTABLES
export SHOREWALL_SHELL
export SUBSYSLOCK
export MODULESDIR
export CONFIG_PATH
export RESTOREFILE
export IPSECFILE
# Firewall options
export FW
export IP_FORWARDING
export ADD_IP_ALIASES
export ADD_SNAT_ALIASES
export RETAIN_ALIASES
export TC_ENABLED
export CLEAR_TC
export MARK_IN_FORWARD_CHAIN
export CLAMPMSS
export ROUTE_FILTER
export DETECT_DNAT_IPADDRS
export MUTEX_TIMEOUT
export ADMINISABSENTMINDED
export BLACKLISTNEWONLY
export DELAYBLACKLISTLOAD
export MODULE_SUFFIX
export DISABLE_IPV6
export BRIDGING
export PKTTYPE
export RFC1918_STRICT
export MACLIST_TABLE
export MACLIST_TTL
export SAVE_IPSETS
export MAPOLDACTIONS
export FASTACCEPT
export IMPLICIT_CONTINUE
export HIGH_ROUTE_MARKS
# Packet Disposition
export BLACKLIST_DISPOSITION
export MACLIST_DISPOSITION
export TCP_FLAGS_DISPOSITION
# Generated values
export LOGPARMS
export LOGLIMIT
export LOGRULENUMBERS
export VERSION
#
# Export capabilities
#
export NAT_ENABLED
export MANGLE_ENABLED
export CONNTRACK_MATCH
export MULTIPORT
export XMULTIPORT
export POLICY_MATCH
export PHYSDEV_MATCH
export IPRANGE_MATCH
export RECENT_MATCH
export OWNER_MATCH
export IPSET_MATCH
export CONNMARK
export XCONNMARK
export CONNMARK_MATCH
export XCONNMARK_MATCH
export RAW_TABLE
export IPP2P_MATCH
export LENGTH_MATCH
export CLASSIFY_TARGET
export ENHANCED_REJECT
export USEPKTTYPE
export KLUDGEFREE
export MARK
export XMARK
export MANGLE_FORWARD
#
# Export user's params
#
$(export_params)
}
#
# Give Usage Information
#
usage() {
echo "Usage: $0 [debug] check|compile <filename>}"
exit 1
}
# #
# Clear descriptor 1 if it is a terminal # Clear descriptor 1 if it is a terminal
# #
@ -928,7 +472,7 @@ save_config() {
f=${VARDIR}/restore-$$ f=${VARDIR}/restore-$$
echo "#!/bin/sh" > $f echo "#!/bin/sh" > $f
echo "#This ipset restore file generated $(date) by Shorewall $VERSION" >> $f echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
echo >> $f echo >> $f
echo ". ${SHAREDIR}/functions" >> $f echo ". ${SHAREDIR}/functions" >> $f
echo >> $f echo >> $f
@ -976,17 +520,15 @@ save_config() {
# Start Command Executor # Start Command Executor
# #
start_command() { start_command() {
local finished=0 shell=$SHOREWALL_SHELL local finished=0
do_it() { do_it() {
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
progress_message3 "Compiling..." progress_message3 "Compiling..."
do_initialize if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
${VARDIR}/.start $debugging start
if $shell ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.start; then
$SHOREWALL_SHELL ${VARDIR}/.start $debugging start
fi fi
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
@ -1097,7 +639,7 @@ start_command() {
# Compile Command Executor # Compile Command Executor
# #
compile_command() { compile_command() {
local finished=0 shell=$SHOREWALL_SHELL local finished=0
while [ $finished -eq 0 ]; do while [ $finished -eq 0 ]; do
[ $# -eq 0 ] && usage 1 [ $# -eq 0 ] && usage 1
@ -1161,15 +703,13 @@ compile_command() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
do_initialize exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging compile $file
exec $shell ${SHAREDIR}/compiler $debugging compile $file
} }
# #
# Check Command Executor # Check Command Executor
# #
check_command() { check_command() {
local finished=0 shell=$SHOREWALL_SHELL local finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1 option=$1
@ -1226,16 +766,14 @@ check_command() {
progress_message3 "Checking..." progress_message3 "Checking..."
do_initialize exec $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock check
exec $shell ${SHAREDIR}/compiler $debugging $nolock check
} }
# #
# Restart Command Executor # Restart Command Executor
# #
restart_command() { restart_command() {
local finished=0 shell=$SHOREWALL_SHELL local finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1 option=$1
@ -1299,9 +837,7 @@ restart_command() {
progress_message3 "Compiling..." progress_message3 "Compiling..."
do_initialize if $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
if $shell ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart; then
$SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
fi fi
@ -1355,27 +891,27 @@ show_command() {
case "$1" in case "$1" in
connections) connections)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "Shorewall-$VERSION Connections at $HOSTNAME - $(date)" echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
echo echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
;; ;;
nat) nat)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "Shorewall-$VERSION NAT Table at $HOSTNAME - $(date)" echo "Shorewall-$version NAT Table at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
$IPTABLES -t nat -L $IPT_OPTIONS $IPTABLES -t nat -L $IPT_OPTIONS
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "Shorewall-$VERSION Mangle Table at $HOSTNAME - $(date)" echo "Shorewall-$version Mangle Table at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
$IPTABLES -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
;; ;;
log) log)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "Shorewall-$VERSION Log at $HOSTNAME - $(date)" echo "Shorewall-$version Log at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//') host=$(echo $HOSTNAME | sed 's/\..*$//')
@ -1383,20 +919,20 @@ show_command() {
;; ;;
tc) tc)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "Shorewall-$VERSION Traffic Control at $HOSTNAME - $(date)" echo "Shorewall-$version Traffic Control at $HOSTNAME - $(date)"
echo echo
show_tc show_tc
;; ;;
classifiers) classifiers)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "Shorewall-$VERSION Clasifiers at $HOSTNAME - $(date)" echo "Shorewall-$version Clasifiers at $HOSTNAME - $(date)"
echo echo
show_classifiers show_classifiers
;; ;;
zones) zones)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
if [ -f ${VARDIR}/zones ]; then if [ -f ${VARDIR}/zones ]; then
echo "Shorewall-$VERSION Zones at $HOSTNAME - $(date)" echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
echo echo
while read zone type hosts; do while read zone type hosts; do
echo "$zone ($type)" echo "$zone ($type)"
@ -1446,7 +982,7 @@ show_command() {
echo "LITEDIR is $LITEDIR" echo "LITEDIR is $LITEDIR"
;; ;;
*) *)
echo "Shorewall-$VERSION $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)" echo "Shorewall-$version $([ $# -gt 0 ] && echo Chains || echo Chain) $* at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
@ -1497,7 +1033,7 @@ dump_command() {
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 0 ] || usage 1 [ $# -eq 0 ] || usage 1
clear_term clear_term
echo "Shorewall-$VERSION Dump at $HOSTNAME - $(date)" echo "Shorewall-$version Dump at $HOSTNAME - $(date)"
echo echo
show_reset show_reset
host=$(echo $HOSTNAME | sed 's/\..*$//') host=$(echo $HOSTNAME | sed 's/\..*$//')
@ -1790,7 +1326,7 @@ reload_command()
# #
help() help()
{ {
[ -x $HELP ] && { export version=$VERSION; exec $HELP $*; } [ -x $HELP ] && { export version; exec $HELP $*; }
echo "Help subsystem is not installed at $HELP" echo "Help subsystem is not installed at $HELP"
} }
@ -1801,10 +1337,12 @@ usage() # $1 = exit status
{ {
echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>" echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v ] [ -t ] <command>"
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " check [ -e ] [ <directory> ]" echo " check [ -e ] [ <directory> ]"
echo " clear" echo " clear"
echo " compile [ -e ] [ <directory name> ] <path name>" echo " compile [ -e ] [ <directory name> ] <path name>"
echo " delete <interface>[:<host-list>] ... <zone>"
echo " drop <address> ..." echo " drop <address> ..."
echo " dump [ -x ]" echo " dump [ -x ]"
echo " forget [ <file name> ]" echo " forget [ <file name> ]"
@ -2066,7 +1604,7 @@ if [ ! -f $FIREWALL ]; then
fi fi
if [ -f $VERSION_FILE ]; then if [ -f $VERSION_FILE ]; then
VERSION=$(cat $VERSION_FILE) version=$(cat $VERSION_FILE)
else else
echo " ERROR: Shorewall is not properly installed" >&2 echo " ERROR: Shorewall is not properly installed" >&2
echo " The file $VERSION_FILE does not exist" >&2 echo " The file $VERSION_FILE does not exist" >&2
@ -2117,6 +1655,10 @@ case "$COMMAND" in
shift shift
check_command $@ check_command $@
;; ;;
add|delete)
[ $# -lt 3 ] && usage 1
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
;;
show|list) show|list)
shift shift
show_command $@ show_command $@
@ -2141,7 +1683,7 @@ case "$COMMAND" in
;; ;;
status) status)
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
echo "Shorewall-$VERSION Status at $HOSTNAME - $(date)" echo "Shorewall-$version Status at $HOSTNAME - $(date)"
echo echo
if shorewall_is_started ; then if shorewall_is_started ; then
echo "Shorewall is running" echo "Shorewall is running"
@ -2173,7 +1715,7 @@ case "$COMMAND" in
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
clear_term clear_term
echo "Shorewall-$VERSION Hits at $HOSTNAME - $(date)" echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
echo echo
timeout=30 timeout=30
@ -2213,7 +1755,7 @@ case "$COMMAND" in
fi fi
;; ;;
version) version)
echo $VERSION echo $version
;; ;;
try) try)
[ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\"" [ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""

8
Shorewall/shorewall.conf
View File

@ -710,6 +710,14 @@ DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
#
# DYNAMIC ZONES
#
# If you need to be able to add and delete hosts from zones dynamically then
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
DYNAMIC_ZONES=No
# #
# USE PKTTYPE MATCH # USE PKTTYPE MATCH
# #