From 49f361124e7b2df84f13d690e9d22310e3d9ff58 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 20 Oct 2009 12:24:28 -0700 Subject: [PATCH] Make 'track' the default --- Shorewall/Perl/Shorewall/Compiler.pm | 1 + Shorewall/Perl/Shorewall/Providers.pm | 4 ++- Shorewall/Perl/Shorewall/Rules.pm | 11 ++++++-- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 8 ++++++ docs/LennyToSqueeze.xml | 9 ++++++ docs/MultiISP.xml | 40 +++++++++++++++++++-------- manpages/shorewall-providers.xml | 14 ++++++++++ manpages6/shorewall6-providers.xml | 14 ++++++++++ 9 files changed, 89 insertions(+), 14 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index ac4e1e9af..fedefc1af 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -100,6 +100,7 @@ sub generate_script_1() { EOF copy1 $lib; + emit "/n"; } emit <<'EOF'; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index fd42425e9..353422460 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -316,12 +316,14 @@ sub add_a_provider( ) { } - my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' ); + my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,1,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' ); unless ( $options eq '-' ) { for my $option ( split_list $options, 'option' ) { if ( $option eq 'track' ) { $track = 1; + } elsif ( $option eq 'notrack' ) { + $track = 0; } elsif ( $option =~ /^balance=(\d+)$/ ) { fatal_error q('balance' is not available in IPv6) if $family == F_IPV6; $balance = $1; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index c3aa1ed74..0022b9a74 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm 
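Review bot: The added `emit "/n";` after `copy1 $lib;` looks like a typo for `"\n"`: as written the string is the two literal characters slash and n, so the generated script receives a line `/n`, which a shell would try to execute as a command instead of getting a blank line. Unless `emit` rewrites such strings (its definition is not visible here), change it to `emit "\n";` or to whatever form the file uses elsewhere for a blank separator line. generate_script_1 begins and ends outside this hunk.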
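Review bot: With `$track` now initialised to 1, a provider line that lists both `track` and `notrack` is accepted and silently resolves to whichever option appears last in `split_list $options`; consider rejecting the combination with a `fatal_error` in the same way the hunk already rejects `balance` under IPv6, e.g. `fatal_error "'track' and 'notrack' are mutually exclusive"` once an explicit setting has been recorded. The name `notrack` also invites confusion with the netfilter NOTRACK target, which disables connection tracking outright, whereas here it only disables the provider's connection-marking rules; a comment such as `# 'notrack' only disables provider connection marking; it does not disable conntrack` on the new `elsif` branch would forestall that misreading. add_a_provider begins and ends outside this hunk.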
+++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1621,7 +1621,7 @@ sub add_interface_jumps { # Generate the rules matrix. # -# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse. +# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse". # # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones). # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates. @@ -1683,10 +1683,17 @@ sub generate_matrix() { my $zoneref = find_zone( $zone ); next if @zones <= 2 && ! $zoneref->{options}{complex}; - + # + # Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain + # my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); if ( $capabilities{POLICY_MATCH} ) { + # + # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the + # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets + # can match '--pol none --dir out' rules and send the packets down the wrong rules chain. + # my $type = $zoneref->{type}; my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {}; diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 50878da1c..55a3c1352 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -16,6 +16,8 @@ Changes in Shorewall 4.4.3 8) Remove superfluous variables from generated script +9) Make 'track' the default. + Changes in Shorewall 4.4.2 1) BUGFIX: Correct detection of Persistent SNAT support diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 9b7120755..4583441a5 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
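Review bot: The comment added before `my $type = $zoneref->{type};` describes the ordering constraint but not its consequence, which is a policy-enforcement property rather than a cosmetic one: a decrypted packet that matched a `--pol none --dir out` rule first would be processed under a non-IPsec zone's chain and therefore that zone's policy, not the ipsec zone's. Suggest appending `# This ordering is what keeps decrypted traffic under the ipsec zone's policy; do not reorder these rules.` so a later edit does not move them. generate_matrix begins before and continues after this hunk.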
@@ -169,6 +169,10 @@ Shorewall 4.4.3 now, if the zone has :0.0.0.0/0 (even with exclusions), then it may have no additional members in /etc/shorewall/hosts. +13) Because the 'track' provider option is so useful, it is now the + default. If, for some reason, you don't want 'track' then specify + 'notrack' for the provider. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 3 ---------------------------------------------------------------------------- @@ -218,6 +222,10 @@ None. On non-Debian systems, new installs will now log all Shorewall commands to /var/log/shorewall-init.log. +2) Because the 'track' provider option is so useful, it is now the + default. If, for some reason, you don't want 'track' then specify + 'notrack' for the provider. + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 ---------------------------------------------------------------------------- diff --git a/docs/LennyToSqueeze.xml b/docs/LennyToSqueeze.xml index 9793e7727..ffb5a30e2 100644 --- a/docs/LennyToSqueeze.xml +++ b/docs/LennyToSqueeze.xml @@ -700,6 +700,15 @@ NONAT loc - tcp 80 earlier. +
+ /etc/shorewall/providers + + Beginnins with Shorewall 4.4.3, the option + is now the default. If, for some reason, you don't want the + option then specify + . +
+
Extension Scripts diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 68dee5694..9449fadb8 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -143,11 +143,12 @@ Shorewall can set up the correct marking rules for you. When you use the track option in - /etc/shorewall/providers, connections from the - Internet are automatically routed back out of the correct interface and - through the correct ISP gateway. This works whether the connection is - handled by the firewall itself or if it is routed or port-forwarded to a - system behind the firewall. + /etc/shorewall/providers (which is the default, + beginning with Shorewall 4.4.3), connections from the Internet are + automatically routed back out of the correct interface and through the + correct ISP gateway. This works whether the connection is handled by the + firewall itself or if it is routed or port-forwarded to a system behind + the firewall. Shorewall will set up the routing and will update the /etc/iproute2/rt_tables to include the table names @@ -163,7 +164,8 @@ Packet marking for traffic control purposes may not be done in the PREROUTING table for connections involving providers with - 'track' specified (see below). + 'track' specified (see below -- note that 'track' defaults to on + beginning with Shorewall 4.4.3). @@ -329,9 +331,14 @@ track - If specified, connections FROM this interface are to - be tracked so that responses may be routed back out this - same interface. + + Beginning with Shorwall 4.3.3, track is the default. To disable + this option, you must specify notrack (see below). + If specified, connections FROM this interface + are to be tracked so that responses may be routed back out + this same interface. You want to specify 'track' if Internet hosts will be connecting to local servers through this provider. Any time 
@@ -350,7 +357,8 @@ support). - If you are using + If you are running a version of Shorewall earlier + than 4.4.3 and are using /etc/shorewall/providers because you have multiple Internet connections, we recommend that you specify track even if you @@ -441,6 +449,16 @@ + + notrack + + + Added in Shorewall 4.4.3. This option turns off the + track option which is now + the default. + + + optional @@ -1410,7 +1428,7 @@ fi It is the responsibility of the script to perform any action needed in reaction to the connection state change. The default script - supplied with LSM composes an email and sends it to $5. + supplied with LSM composes an email and sends it to $5. I personally use LSM here at shorewall.net (configuration is described below). I have set things up diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml index 4806b6ce4..39422b1b3 100644 --- a/manpages/shorewall-providers.xml +++ b/manpages/shorewall-providers.xml @@ -163,6 +163,11 @@ You want to specify if internet hosts will be connecting to local servers through this provider. + + Beginning with Shorewall 4.4.3, + is the default. If, for some reason, you don't want + then specify + (see below). @@ -194,6 +199,15 @@ + + notrack + + + Added in Shorewall 4.4.3. When specified, turns off + which is now the default. + + + optional (deprecated) diff --git a/manpages6/shorewall6-providers.xml b/manpages6/shorewall6-providers.xml index 3ae3145bb..bd137bc93 100644 --- a/manpages6/shorewall6-providers.xml +++ b/manpages6/shorewall6-providers.xml @@ -152,6 +152,11 @@ You want to specify if internet hosts will be connecting to local servers through this provider. + + Beginning with Shorewall 4.4.3, + is the default. If, for some reason, you don't want + then specify + (see below). @@ -167,6 +172,15 @@ + + notrack + + + Added in Shorewall 4.4.3. When specified, turns off + which is now the default. + + + optional