From 4db0dc26672a85684a73e54c7d6414a69c7584ee Mon Sep 17 00:00:00 2001 
From: teastep
Date: Thu, 15 Nov 2007 23:24:54 +0000
Subject: [PATCH] Bring trunk up to date with branch/4.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7668 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/Makefile | 2 +-
 Shorewall-common/changelog.txt | 26 +
 Shorewall-common/fallback.sh | 2 +-
 Shorewall-common/install.sh | 2 +-
 Shorewall-common/lib.base | 8 +-
 Shorewall-common/lib.cli | 56 +-
 Shorewall-common/lib.config | 2 +
 Shorewall-common/macro.AllowICMPs | 4 +-
 Shorewall-common/macro.Amanda | 4 +-
 Shorewall-common/macro.Auth | 4 +-
 Shorewall-common/macro.BitTorrent | 4 +-
 Shorewall-common/macro.CVS | 4 +-
 Shorewall-common/macro.DNS | 4 +-
 Shorewall-common/macro.Distcc | 4 +-
 Shorewall-common/macro.Drop | 4 +-
 Shorewall-common/macro.DropDNSrep | 4 +-
 Shorewall-common/macro.DropUPnP | 4 +-
 Shorewall-common/macro.Edonkey | 4 +-
 Shorewall-common/macro.FTP | 4 +-
 Shorewall-common/macro.Finger | 4 +-
 Shorewall-common/macro.GRE | 4 +-
 Shorewall-common/macro.Gnutella | 4 +-
 Shorewall-common/macro.HTTP | 4 +-
 Shorewall-common/macro.HTTPS | 4 +-
 Shorewall-common/macro.ICQ | 4 +-
 Shorewall-common/macro.IMAP | 4 +-
 Shorewall-common/macro.IMAPS | 4 +-
 Shorewall-common/macro.IPIP | 4 +-
 Shorewall-common/macro.IPP | 4 +-
 Shorewall-common/macro.IPPserver | 4 +-
 Shorewall-common/macro.IPsec | 4 +-
 Shorewall-common/macro.IPsecah | 4 +-
 Shorewall-common/macro.IPsecnat | 4 +-
 Shorewall-common/macro.JabberPlain | 4 +-
 Shorewall-common/macro.JabberSecure | 4 +-
 Shorewall-common/macro.Jabberd | 4 +-
 Shorewall-common/macro.Jetdirect | 4 +-
 Shorewall-common/macro.L2TP | 4 +-
 Shorewall-common/macro.LDAP | 4 +-
 Shorewall-common/macro.LDAPS | 4 +-
 Shorewall-common/macro.MySQL | 4 +-
 Shorewall-common/macro.NNTP | 4 +-
 Shorewall-common/macro.NNTPS | 4 +-
 Shorewall-common/macro.NTP | 4 +-
 Shorewall-common/macro.NTPbrd | 4 +-
 Shorewall-common/macro.PCA | 4 +-
 Shorewall-common/macro.POP3 | 4 +-
 Shorewall-common/macro.POP3S | 4 +-
 Shorewall-common/macro.Ping | 4 +-
 Shorewall-common/macro.PostgreSQL | 4 +-
 Shorewall-common/macro.Printer | 4 +-
 Shorewall-common/macro.RDP | 4 +-
 Shorewall-common/macro.Rdate | 4 +-
 Shorewall-common/macro.Reject | 4 +-
 Shorewall-common/macro.Rsync | 4 +-
 Shorewall-common/macro.SMB | 4 +-
 Shorewall-common/macro.SMBBI | 4 +-
 Shorewall-common/macro.SMBswat | 4 +-
 Shorewall-common/macro.SMTP | 4 +-
 Shorewall-common/macro.SMTPS | 4 +-
 Shorewall-common/macro.SNMP | 4 +-
 Shorewall-common/macro.SPAMD | 4 +-
 Shorewall-common/macro.SSH | 4 +-
 Shorewall-common/macro.SVN | 4 +-
 Shorewall-common/macro.SixXS | 2 +-
 Shorewall-common/macro.Submission | 4 +-
 Shorewall-common/macro.Syslog | 4 +-
 Shorewall-common/macro.TFTP | 4 +-
 Shorewall-common/macro.Telnet | 4 +-
 Shorewall-common/macro.Telnets | 4 +-
 Shorewall-common/macro.Time | 4 +-
 Shorewall-common/macro.Trcrt | 4 +-
 Shorewall-common/macro.VNC | 4 +-
 Shorewall-common/macro.VNCL | 4 +-
 Shorewall-common/macro.Web | 4 +-
 Shorewall-common/macro.Webmin | 4 +-
 Shorewall-common/macro.Whois | 4 +-
 Shorewall-common/releasenotes.txt | 992 +++++++++++++++----------
 Shorewall-common/shorewall | 9 +-
 Shorewall-common/shorewall-common.spec | 13 +-
 Shorewall-common/shorewall.conf | 2 +
 Shorewall-common/uninstall.sh | 2 +-
 Shorewall-lite/Makefile | 5 +-
 Shorewall-lite/fallback.sh | 2 +-
 Shorewall-lite/install.sh | 2 +-
 Shorewall-lite/shorewall-lite | 9 +-
 Shorewall-lite/shorewall-lite.spec | 10 +-
 Shorewall-lite/uninstall.sh | 2 +-
 Shorewall-perl/Shorewall/Accounting.pm | 15 +-
 Shorewall-perl/Shorewall/Actions.pm | 12 +-
 Shorewall-perl/Shorewall/Chains.pm | 234 +++---
 Shorewall-perl/Shorewall/Compiler.pm | 13 +-
 Shorewall-perl/Shorewall/Config.pm | 442 ++++++++--
 Shorewall-perl/Shorewall/Nat.pm | 119 ++-
 Shorewall-perl/Shorewall/Policy.pm | 13 +-
 Shorewall-perl/Shorewall/Proc.pm | 5 +-
 Shorewall-perl/Shorewall/Providers.pm | 20 +-
 Shorewall-perl/Shorewall/Proxyarp.pm | 4 +-
 Shorewall-perl/Shorewall/Rules.pm | 134 ++--
 Shorewall-perl/Shorewall/Tc.pm | 32 +-
 Shorewall-perl/Shorewall/Tunnels.pm | 18 +-
 Shorewall-perl/Shorewall/Zones.pm | 16 +-
 Shorewall-perl/install.sh | 2 +-
 Shorewall-perl/prog.header | 2 +-
 Shorewall-perl/shorewall-perl.spec | 10 +-
 Shorewall-shell/compiler | 1 +
 Shorewall-shell/install.sh | 2 +-
 Shorewall-shell/lib.providers | 6 +-
 Shorewall-shell/lib.tcrules | 1 -
 Shorewall-shell/shorewall-shell.spec | 8 +-
 web/shorewall_index.htm | 6 +-
 111 files changed, 1518 insertions(+), 1021 deletions(-)
diff --git a/Shorewall-common/Makefile b/Shorewall-common/Makefile
index de028e356..1ee948e2e 100644
--- a/Shorewall-common/Makefile
+++ b/Shorewall-common/Makefile
@@ -1,5 +1,5 @@
 # Shorewall Makefile to restart if config-files are newer than last restart
-VARDIR=/var/lib/shorewall
+VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=.restore
 all: $(VARDIR)/${RESTOREFILE}
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index c87c2def9..5ff43b9d1 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -1,3 +1,29 @@
+Changes in 4.0.6
+
+1) Fix hyphenated service names in DNAT/REDIRECT rules.
+
+2) Fix long dest ports list bug.
+
+3) Fix many day-one bugs in REDIRECT port handling.
+
+4) Add support for '--physdev-is-bridged'.
+
+5) Add support for embedded shell and Perl scripts.
+
+6) Add support for manual chains.
+
+7) Don't require GATEWAY in tunnels file.
+
+8) Fix HIGH_ROUTE_MARKS fsck-up.
+
+9) Fix Makefiles for VARDIR
+
+10) Add -t option to hits command.
+
+11) Add DONT_LOAD option
+
+12) Add support for --random.
+
 Changes in 4.0.5
 
 1) Delete 'detectnets' from Shorewall-perl
diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh
index 7eeea7367..ccc6116e2 100755
--- a/Shorewall-common/fallback.sh
+++ b/Shorewall-common/fallback.sh
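Review bot: `VARDIR=$(shell /sbin/shorewall show vardir)` leaves VARDIR empty whenever that command fails or prints nothing — the binary absent, or an older installed `shorewall` whose `show` dispatcher does not yet know `vardir` (that case is only added to lib.cli in this same commit; what the old `*)` fallthrough does with it is not visible here) — so the `all:` prerequisite silently becomes `/.restore` and the restart rule never triggers. A recursively-expanded `=` also re-runs the command on every reference to `$(VARDIR)`. Evaluate once and fall back to the previous default when the lookup yields nothing, with a comment saying why.
```makefile
# Ask the installed shorewall where its state lives; fall back to the
# historical default if the command is missing or does not answer.
VARDIR:=$(shell /sbin/shorewall show vardir 2>/dev/null)
ifeq ($(VARDIR),)
VARDIR=/var/lib/shorewall
endif
# … unchanged: CONFDIR, RESTOREFILE, all: …
```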
@@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.5 +VERSION=4.0.6 usage() # $1 = exit status { diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index 91ef673c8..021f11547 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.5 +VERSION=4.0.6 usage() # $1 = exit status { diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base index 940c1435f..c3f349968 100644 --- a/Shorewall-common/lib.base +++ b/Shorewall-common/lib.base @@ -35,7 +35,7 @@ # SHOREWALL_LIBVERSION=40000 -SHOREWALL_CAPVERSION=40003 +SHOREWALL_CAPVERSION=40006 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] @@ -212,7 +212,7 @@ loadmodule() # $1 = module name, $2 - * arguments local modulefile local suffix - if ! list_search $modulename $MODULES ; then + if ! list_search $modulename $MODULES $DONT_LOAD ; then shift for suffix in $MODULE_SUFFIX ; do @@ -983,6 +983,7 @@ determine_capabilities() { XMULTIPORT= POLICY_MATCH= PHYSDEV_MATCH= + PHYSDEV_BRIDGE= IPRANGE_MATCH= RECENT_MATCH= OWNER_MATCH= @@ -1020,6 +1021,7 @@ determine_capabilities() { if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes if [ -z "${KLUDGEFREE}" ]; then qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes fi 
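Review bot: In `loadmodule`, the new `list_search $modulename $MODULES $DONT_LOAD` only works if DONT_LOAD is already whitespace-separated, yet the comma-to-space conversion lives in `do_initialize` in lib.config rather than next to this consumer; if lib.base is ever sourced somewhere that does not run `do_initialize` first — I cannot tell from this diff — a comma-joined setting is one word that never matches and every listed module is loaded anyway. A comment on the changed line would make the contract explicit: `# skip modules already loaded or excluded via DONT_LOAD (space-separated; do_initialize splits the commas)`. The `--physdev-is-bridged` probe is correctly nested inside the PHYSDEV_MATCH branch, so PHYSDEV_BRIDGE stays unset when physdev match itself is absent. Both `loadmodule` and `determine_capabilities` continue outside the hunk.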
@@ -1112,6 +1114,7 @@ report_capabilities() {
 report_capability "Packet Type Match" $USEPKTTYPE
 report_capability "Policy Match" $POLICY_MATCH
 report_capability "Physdev Match" $PHYSDEV_MATCH
+ report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
 report_capability "Packet length Match" $LENGTH_MATCH
 report_capability "IP range Match" $IPRANGE_MATCH
 report_capability "Recent Match" $RECENT_MATCH
@@ -1157,6 +1160,7 @@ report_capabilities1() {
 report_capability1 USEPKTTYPE
 report_capability1 POLICY_MATCH
 report_capability1 PHYSDEV_MATCH
+ report_capability1 PHYSDEV_BRIDGE
 report_capability1 LENGTH_MATCH
 report_capability1 IPRANGE_MATCH
 report_capability1 RECENT_MATCH
diff --git a/Shorewall-common/lib.cli b/Shorewall-common/lib.cli
index 879eadc7f..425219840 100644
--- a/Shorewall-common/lib.cli
+++ b/Shorewall-common/lib.cli
@@ -541,6 +541,9 @@ show_command() {
 $IPTABLES -t $table -L $IPT_OPTIONS
 fi
 ;;
+ vardir)
+ echo $VARDIR;
+ ;;
 *)
 if [ "$PRODUCT" = Shorewall ]; then
 case $1 in
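Review bot: `echo $VARDIR;` in the new `vardir)` case should be `echo "$VARDIR"` — unquoted, the value is word-split and glob-expanded before it is printed, and the Shorewall-common Makefile in this same commit consumes this output verbatim through `$(shell ...)`, so an empty or mangled value lands directly in a make target path. The stray `;` before `;;` is harmless but not the style used by the neighbouring cases. `show_command` continues outside the hunk.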
@@ -916,28 +919,59 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses # 'hits' commmand executor # hits_command() { + local finished=0 today= + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + t*) + today=$(date +'^%b %_d.*') + option=${option#t} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + [ $# -eq 0 ] || usage 1 + clear_term echo "$PRODUCT $version Hits at $HOSTNAME - $(date)" echo timeout=30 - if [ $( $LOGREAD | grep -c 'IN=.* OUT=' ) -gt 0 ] ; then - echo " HITS IP DATE" + if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then + echo " HITS IP DATE" echo " ---- --------------- ------" - $LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn | \ - while read count address month day; do + $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn | while read count address month day; do printf '%7d %-15s %3s %2d\n' $count $address $month $day done echo "" - echo " HITS IP PORT" + echo " HITS IP PORT" echo " ---- --------------- -----" - $LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ + $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ t - s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | \ - while read count address port; do + s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do printf '%7d %-15s %d\n' $count $address $port done 
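Review bot: `option` is assigned in the new option-parsing loop but is not declared with the other locals (`local finished=0 today=`), so it leaks into the caller's shell scope; change that line to `local finished=0 today= option=`. The `-t` filter builds a regex from `date +'^%b %_d.*'` and anchors it at line start, which assumes whatever `$LOGREAD` emits begins with a syslog-style `Mon DD` timestamp in the C locale — a one-line comment stating that assumption would spare the next reader a trip to the log format: `# -t: keep only today's lines; relies on "Mon DD" syslog timestamps at line start`. `hits_command` continues past the hunk.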
@@ -945,8 +979,7 @@ hits_command() { echo " HITS DATE" echo " ---- ------" - $LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | \ - while read count month day; do + $LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do printf '%7d %3s %2d\n' $count $month $day done @@ -954,8 +987,7 @@ hits_command() { echo " HITS PORT SERVICE(S)" echo " ---- ----- ----------" - $LOGREAD | grep 'IN=.* OUT=.*DPT' | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ - while read count port ; do + $LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do # List all services defined for the given port srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u) srv=$(echo $srv | sed 's/ /,/g') diff --git a/Shorewall-common/lib.config b/Shorewall-common/lib.config index f834dc4b8..a26f5a47d 100644 --- a/Shorewall-common/lib.config +++ b/Shorewall-common/lib.config @@ -1746,6 +1746,7 @@ do_initialize() { EXPORTPARAMS= KEEP_TC_RULES= DELETE_THEN_ADD= + DONT_LOAD= # # Packet Disposition # @@ -1830,6 +1831,7 @@ do_initialize() { # capabilities when module autoloading isn't enabled. # PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) + [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )" [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] diff --git a/Shorewall-common/macro.AllowICMPs b/Shorewall-common/macro.AllowICMPs index 6b1765643..c587c9c4a 100644 --- a/Shorewall-common/macro.AllowICMPs +++ b/Shorewall-common/macro.AllowICMPs 
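Review bot: `DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )"` leaves `$DONT_LOAD` unquoted inside the command substitution, so a value containing shell glob characters is pathname-expanded against the current directory before sed sees it; `echo "$DONT_LOAD"` preserves the raw setting at no cost. Since the value comes from shorewall.conf rather than from a user, the exposure is small, but the consumer lives in another file, which is worth a comment: `# normalise DONT_LOAD to a space-separated list; loadmodule (lib.base) searches it word by word`. `do_initialize` continues outside the hunk.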
@@ -6,8 +6,8 @@
 # This macro ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 ACCEPT - - icmp fragmentation-needed
 ACCEPT - - icmp time-exceeded
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Amanda b/Shorewall-common/macro.Amanda
index 3e7eabd06..28472ed03 100644
--- a/Shorewall-common/macro.Amanda
+++ b/Shorewall-common/macro.Amanda
@@ -8,8 +8,8 @@
 # files from those nodes.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 10080
 #
 # You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6,
diff --git a/Shorewall-common/macro.Auth b/Shorewall-common/macro.Auth
index 3c9d5099f..5043506a7 100644
--- a/Shorewall-common/macro.Auth
+++ b/Shorewall-common/macro.Auth
@@ -6,7 +6,7 @@
 # This macro handles Auth (identd) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 113
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.BitTorrent b/Shorewall-common/macro.BitTorrent
index 95ddf530d..b05ae69c4 100644
--- a/Shorewall-common/macro.BitTorrent
+++ b/Shorewall-common/macro.BitTorrent
@@ -6,8 +6,8 @@
 # This macro handles BitTorrent traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 6881:6889
 #
 # It may also be necessary to allow UDP traffic:
diff --git a/Shorewall-common/macro.CVS b/Shorewall-common/macro.CVS
index b6cc995d0..c4e02647f 100644
--- a/Shorewall-common/macro.CVS
+++ b/Shorewall-common/macro.CVS
@@ -6,7 +6,7 @@
 # This macro handles connections to the CVS pserver.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 2401
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DNS b/Shorewall-common/macro.DNS
index cfb368e3a..a1e444443 100644
--- a/Shorewall-common/macro.DNS
+++ b/Shorewall-common/macro.DNS
@@ -6,8 +6,8 @@
 # This macro handles DNS traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 53
 PARAM - - tcp 53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Distcc b/Shorewall-common/macro.Distcc
index e449a0da7..c9fce42e9 100644
--- a/Shorewall-common/macro.Distcc
+++ b/Shorewall-common/macro.Distcc
@@ -6,7 +6,7 @@
 # This macro handles connections to the Distributed Compiler service.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 3632
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Drop b/Shorewall-common/macro.Drop
index 410472552..4eb343b8a 100644
--- a/Shorewall-common/macro.Drop
+++ b/Shorewall-common/macro.Drop
@@ -11,8 +11,8 @@
 # Drop net all
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 #
 # Don't log 'auth' REJECT
 #
diff --git a/Shorewall-common/macro.DropDNSrep b/Shorewall-common/macro.DropDNSrep
index 80173f50d..19365dfea 100644
--- a/Shorewall-common/macro.DropDNSrep
+++ b/Shorewall-common/macro.DropDNSrep
@@ -6,7 +6,7 @@
 # This macro silently drops DNS UDP replies
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 DROP - - udp - 53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DropUPnP b/Shorewall-common/macro.DropUPnP
index bb5d54d5e..989a3f386 100644
--- a/Shorewall-common/macro.DropUPnP
+++ b/Shorewall-common/macro.DropUPnP
@@ -6,7 +6,7 @@
 # This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 DROP - - udp 1900
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Edonkey b/Shorewall-common/macro.Edonkey
index 9f40f443c..77b5203a6 100644
--- a/Shorewall-common/macro.Edonkey
+++ b/Shorewall-common/macro.Edonkey
@@ -28,8 +28,8 @@
 # applications such as aMule WebServer or aMuleCMD.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 4662
 PARAM - - udp 4665
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.FTP b/Shorewall-common/macro.FTP
index f594b0021..dd24dd4ad 100644
--- a/Shorewall-common/macro.FTP
+++ b/Shorewall-common/macro.FTP
@@ -6,7 +6,7 @@
 # This macro handles FTP traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 21
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Finger b/Shorewall-common/macro.Finger
index 5d78875c5..2fc1742a9 100644
--- a/Shorewall-common/macro.Finger
+++ b/Shorewall-common/macro.Finger
@@ -7,7 +7,7 @@
 # your finger information to internet.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 79
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.GRE b/Shorewall-common/macro.GRE
index cd0c7164f..acb032af9 100644
--- a/Shorewall-common/macro.GRE
+++ b/Shorewall-common/macro.GRE
@@ -6,8 +6,8 @@
 # This macro (bi-directional) handles Generic Routing Encapsulation traffic (RFC 1701)
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - 47 # GRE
 PARAM DEST SOURCE 47 # GRE
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Gnutella b/Shorewall-common/macro.Gnutella
index 1f4f88470..2097ee1eb 100644
--- a/Shorewall-common/macro.Gnutella
+++ b/Shorewall-common/macro.Gnutella
@@ -6,8 +6,8 @@
 # This macro handles Gnutella traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 6346
 PARAM - - udp 6346
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.HTTP b/Shorewall-common/macro.HTTP
index e5ecf0fad..85f3231b5 100644
--- a/Shorewall-common/macro.HTTP
+++ b/Shorewall-common/macro.HTTP
@@ -6,7 +6,7 @@
 # This macro handles plaintext HTTP (WWW) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 80
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.HTTPS b/Shorewall-common/macro.HTTPS
index 01397eec1..0e07331d4 100644
--- a/Shorewall-common/macro.HTTPS
+++ b/Shorewall-common/macro.HTTPS
@@ -6,7 +6,7 @@
 # This macro handles HTTPS (WWW over SSL) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 443
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.ICQ b/Shorewall-common/macro.ICQ
index f452ae66c..53ded83ab 100644
--- a/Shorewall-common/macro.ICQ
+++ b/Shorewall-common/macro.ICQ
@@ -6,7 +6,7 @@
 # This macro handles ICQ, now called AOL Instant Messenger (or AIM).
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 5190
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IMAP b/Shorewall-common/macro.IMAP
index 76f2dc717..11783c6eb 100644
--- a/Shorewall-common/macro.IMAP
+++ b/Shorewall-common/macro.IMAP
@@ -7,7 +7,7 @@
 # see macro.IMAPS.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 143
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IMAPS b/Shorewall-common/macro.IMAPS
index c5b7391ff..cf2328c03 100644
--- a/Shorewall-common/macro.IMAPS
+++ b/Shorewall-common/macro.IMAPS
@@ -7,7 +7,7 @@
 # (not recommended), see macro.IMAP.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 993
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPIP b/Shorewall-common/macro.IPIP
index df0c85060..7fac8b68f 100644
--- a/Shorewall-common/macro.IPIP
+++ b/Shorewall-common/macro.IPIP
@@ -6,8 +6,8 @@
 # This macro (bidirectional) handles IPIP capsulation traffic
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - 94 # IPIP
 PARAM DEST SOURCE 94 # IPIP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPP b/Shorewall-common/macro.IPP
index 7753284f9..ad78b9ac7 100644
--- a/Shorewall-common/macro.IPP
+++ b/Shorewall-common/macro.IPP
@@ -6,7 +6,7 @@
 # This macro handles Internet Printing Protocol (IPP).
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPPserver b/Shorewall-common/macro.IPPserver
index fae3ba225..8948345d9 100644
--- a/Shorewall-common/macro.IPPserver
+++ b/Shorewall-common/macro.IPPserver
@@ -23,8 +23,8 @@
 # IPPserver/ACCEPT $FW loc
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM SOURCE DEST tcp 631
 PARAM DEST SOURCE udp 631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPsec b/Shorewall-common/macro.IPsec
index 1e1380ac7..fd02f8b04 100644
--- a/Shorewall-common/macro.IPsec
+++ b/Shorewall-common/macro.IPsec
@@ -6,8 +6,8 @@
 # This macro (bidirectional) handles IPsec traffic
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 500 500 # IKE
 PARAM - - 50 # ESP
 PARAM DEST SOURCE udp 500 500 # IKE
diff --git a/Shorewall-common/macro.IPsecah b/Shorewall-common/macro.IPsecah
index 98b7c564a..b51f93e04 100644
--- a/Shorewall-common/macro.IPsecah
+++ b/Shorewall-common/macro.IPsecah
@@ -7,8 +7,8 @@
 # This is insecure. You should use ESP with encryption for security.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 500 500 # IKE
 PARAM - - 51 # AH
 PARAM DEST SOURCE udp 500 500 # IKE
diff --git a/Shorewall-common/macro.IPsecnat b/Shorewall-common/macro.IPsecnat
index 5820d9fd8..266dc1811 100644
--- a/Shorewall-common/macro.IPsecnat
+++ b/Shorewall-common/macro.IPsecnat
@@ -6,8 +6,8 @@
 # This macro (bidirectional) handles IPsec traffic and Nat-Traversal
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 500 # IKE
 PARAM - - udp 4500 # NAT-T
 PARAM - - 50 # ESP
diff --git a/Shorewall-common/macro.JabberPlain b/Shorewall-common/macro.JabberPlain
index 4cc3028d5..c5f33eba6 100644
--- a/Shorewall-common/macro.JabberPlain
+++ b/Shorewall-common/macro.JabberPlain
@@ -6,7 +6,7 @@
 # This macro accepts Jabberd intercommunication traffic
 #
 ###############################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#TARGET SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 5269
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.JabberSecure b/Shorewall-common/macro.JabberSecure
index c9409694f..acc81de73 100644
--- a/Shorewall-common/macro.JabberSecure
+++ b/Shorewall-common/macro.JabberSecure
@@ -6,7 +6,7 @@
 # This macro accepts Jabber traffic (plaintext).
 #
 ###############################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#TARGET SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 5222
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Jabberd b/Shorewall-common/macro.Jabberd
index 212477190..f5bb958e7 100644
--- a/Shorewall-common/macro.Jabberd
+++ b/Shorewall-common/macro.Jabberd
@@ -6,7 +6,7 @@
 # This macro accepts Jabber traffic (ssl).
 #
 ###############################################################################
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#TARGET SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 5223
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Jetdirect b/Shorewall-common/macro.Jetdirect
index df4f924a0..bf79ddb6b 100644
--- a/Shorewall-common/macro.Jetdirect
+++ b/Shorewall-common/macro.Jetdirect
@@ -6,7 +6,7 @@
 # This macro handles HP Jetdirect printing.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 9100
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.L2TP b/Shorewall-common/macro.L2TP
index 9b33121a3..8a3417e97 100644
--- a/Shorewall-common/macro.L2TP
+++ b/Shorewall-common/macro.L2TP
@@ -6,8 +6,8 @@
 # This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic (RFC 2661)
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 1701 # L2TP
 PARAM DEST SOURCE udp 1701 # L2TP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.LDAP b/Shorewall-common/macro.LDAP
index a6871f37f..903770e0b 100644
--- a/Shorewall-common/macro.LDAP
+++ b/Shorewall-common/macro.LDAP
@@ -11,7 +11,7 @@
 # Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 389
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.LDAPS b/Shorewall-common/macro.LDAPS
index a76c79260..e88d273b5 100644
--- a/Shorewall-common/macro.LDAPS
+++ b/Shorewall-common/macro.LDAPS
@@ -11,7 +11,7 @@
 # Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 636
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.MySQL b/Shorewall-common/macro.MySQL
index 587a7a687..392d35d1b 100644
--- a/Shorewall-common/macro.MySQL
+++ b/Shorewall-common/macro.MySQL
@@ -6,7 +6,7 @@
 # This macro handles connections to the MySQL server.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 3306
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NNTP b/Shorewall-common/macro.NNTP
index e9cf2d06c..70f8486a7 100644
--- a/Shorewall-common/macro.NNTP
+++ b/Shorewall-common/macro.NNTP
@@ -7,7 +7,7 @@
 # encrypted NNTP, see macro.NNTPS.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 119
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NNTPS b/Shorewall-common/macro.NNTPS
index 4f5c3e098..c918dda80 100644
--- a/Shorewall-common/macro.NNTPS
+++ b/Shorewall-common/macro.NNTPS
@@ -7,7 +7,7 @@
 # plaintext NNTP, see macro.NNTP.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 563
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NTP b/Shorewall-common/macro.NTP
index 62ac382dd..1d0dd2caf 100644
--- a/Shorewall-common/macro.NTP
+++ b/Shorewall-common/macro.NTP
@@ -7,7 +7,7 @@
 # For broadcast NTP traffic, use NTPbrd Macro.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NTPbrd b/Shorewall-common/macro.NTPbrd
index 6be48b4a1..2874cfe2f 100644
--- a/Shorewall-common/macro.NTPbrd
+++ b/Shorewall-common/macro.NTPbrd
@@ -11,8 +11,8 @@
 # Netfilter doesn't track connections for broadcast traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 123
 PARAM - - udp 1024: 123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.PCA b/Shorewall-common/macro.PCA
index b14103ac6..20cce1f19 100644
--- a/Shorewall-common/macro.PCA
+++ b/Shorewall-common/macro.PCA
@@ -6,8 +6,8 @@
 # This macro handles PCAnywere (tm)
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 5632
 PARAM - - tcp 5631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.POP3 b/Shorewall-common/macro.POP3
index 34b08593e..04a7cbcdb 100644
--- a/Shorewall-common/macro.POP3
+++ b/Shorewall-common/macro.POP3
@@ -7,7 +7,7 @@
 # see macro.POP3S.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 110
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.POP3S b/Shorewall-common/macro.POP3S
index 5c6d388ea..d99928fb9 100644
--- a/Shorewall-common/macro.POP3S
+++ b/Shorewall-common/macro.POP3S
@@ -7,7 +7,7 @@
 # see macro.POP3.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 995 # Secure POP3
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Ping b/Shorewall-common/macro.Ping
index 755c8ea7b..ef44016da 100644
--- a/Shorewall-common/macro.Ping
+++ b/Shorewall-common/macro.Ping
@@ -6,7 +6,7 @@
 # This macro handles 'ping' requests.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - icmp 8
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.PostgreSQL b/Shorewall-common/macro.PostgreSQL
index aa7b2248f..7353ea23b 100644
--- a/Shorewall-common/macro.PostgreSQL
+++ b/Shorewall-common/macro.PostgreSQL
@@ -6,7 +6,7 @@
 # This macro handles connections to the PostgreSQL server.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 5432
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Printer b/Shorewall-common/macro.Printer
index 5d3dcea83..2881eac46 100644
--- a/Shorewall-common/macro.Printer
+++ b/Shorewall-common/macro.Printer
@@ -6,7 +6,7 @@
 # This macro handles Line Printer protocol printing.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 515
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.RDP b/Shorewall-common/macro.RDP
index ebe6722ac..04eba5dc5 100644
--- a/Shorewall-common/macro.RDP
+++ b/Shorewall-common/macro.RDP
@@ -6,7 +6,7 @@
 # This macro handles Microsoft RDP (Remote Desktop) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 3389
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Rdate b/Shorewall-common/macro.Rdate
index 9f076265a..80a5b6de3 100644
--- a/Shorewall-common/macro.Rdate
+++ b/Shorewall-common/macro.Rdate
@@ -10,7 +10,7 @@
 # use Time macro instead.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 37
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Reject b/Shorewall-common/macro.Reject
index a1472390e..3fff4f90d 100644
--- a/Shorewall-common/macro.Reject
+++ b/Shorewall-common/macro.Reject
@@ -12,8 +12,8 @@
 #
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 #
 # Don't log 'auth' REJECT
 #
diff --git a/Shorewall-common/macro.Rsync b/Shorewall-common/macro.Rsync
index aace34107..04c24677e 100644
--- a/Shorewall-common/macro.Rsync
+++ b/Shorewall-common/macro.Rsync
@@ -6,7 +6,7 @@
 # This macro handles connections to the rsync server.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 873
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMB b/Shorewall-common/macro.SMB
index 0a1bd4b86..28b0e7f15 100644
--- a/Shorewall-common/macro.SMB
+++ b/Shorewall-common/macro.SMB
@@ -10,8 +10,8 @@
 # between hosts you fully trust.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 135,445
 PARAM - - udp 137:139
 PARAM - - udp 1024: 137
diff --git a/Shorewall-common/macro.SMBBI b/Shorewall-common/macro.SMBBI
index defd8bc5e..c982b5ef8 100644
--- a/Shorewall-common/macro.SMBBI
+++ b/Shorewall-common/macro.SMBBI
@@ -10,8 +10,8 @@
 # allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 135,445
 PARAM - - udp 137:139
 PARAM - - udp 1024: 137
diff --git a/Shorewall-common/macro.SMBswat b/Shorewall-common/macro.SMBswat
index 61b125536..9009d92f7 100644
--- a/Shorewall-common/macro.SMBswat
+++ b/Shorewall-common/macro.SMBswat
@@ -7,7 +7,7 @@
 # (SWAT).
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 901
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMTP b/Shorewall-common/macro.SMTP
index 3503aad6b..a72ce6c00 100644
--- a/Shorewall-common/macro.SMTP
+++ b/Shorewall-common/macro.SMTP
@@ -14,7 +14,7 @@
 # the POP3 or IMAP macros.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 25
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMTPS b/Shorewall-common/macro.SMTPS
index 6d86a36f0..2d013f038 100644
--- a/Shorewall-common/macro.SMTPS
+++ b/Shorewall-common/macro.SMTPS
@@ -11,7 +11,7 @@
 # the POP3(S) or IMAP(S) macros.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 465
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SNMP b/Shorewall-common/macro.SNMP
index 8f55e74f6..6c9a153f8 100644
--- a/Shorewall-common/macro.SNMP
+++ b/Shorewall-common/macro.SNMP
@@ -6,8 +6,8 @@
 # This macro handles SNMP traffic (including traps).
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 161:162
 PARAM - - tcp 161
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SPAMD b/Shorewall-common/macro.SPAMD
index 850d3d914..43133c1fe 100644
--- a/Shorewall-common/macro.SPAMD
+++ b/Shorewall-common/macro.SPAMD
@@ -6,7 +6,7 @@
 # This macro handles Spam Assassin SPAMD traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 783
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SSH b/Shorewall-common/macro.SSH
index 026fce248..32dc0e265 100644
--- a/Shorewall-common/macro.SSH
+++ b/Shorewall-common/macro.SSH
@@ -6,7 +6,7 @@
 # This macro handles secure shell (SSH) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 22
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SVN b/Shorewall-common/macro.SVN
index c3e3a3b96..5aeb3061b 100644
--- a/Shorewall-common/macro.SVN
+++ b/Shorewall-common/macro.SVN
@@ -7,7 +7,7 @@
 #
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 3690
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SixXS b/Shorewall-common/macro.SixXS
index 8d054930d..2274b0e48 100644
--- a/Shorewall-common/macro.SixXS
+++ b/Shorewall-common/macro.SixXS
@@ -6,7 +6,7 @@
 # This macro handles SixXS -- An IPv6 Deployment and Tunnel Broken
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
 # PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 3874 # Used for retrieving the tunnel information (eg by AICCU)
 PARAM - - udp 3740 # Used for signaling where the current IPv4 endpoint
diff --git a/Shorewall-common/macro.Submission b/Shorewall-common/macro.Submission
index 1000a8f64..c824ac7db 100644
--- a/Shorewall-common/macro.Submission
+++ b/Shorewall-common/macro.Submission
@@ -6,7 +6,7 @@
 # This macro handles mail message submission traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 587
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Syslog b/Shorewall-common/macro.Syslog
index 3c32dab13..19966ad67 100644
--- a/Shorewall-common/macro.Syslog
+++ b/Shorewall-common/macro.Syslog
@@ -6,7 +6,7 @@
 # This macro handles syslog UDP traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 514
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.TFTP b/Shorewall-common/macro.TFTP
index 1367a3c55..168a25c78 100644
--- a/Shorewall-common/macro.TFTP
+++ b/Shorewall-common/macro.TFTP
@@ -8,7 +8,7 @@
 # Internet.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 69
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Telnet b/Shorewall-common/macro.Telnet
index d960eaf74..5e75447e7 100644
--- a/Shorewall-common/macro.Telnet
+++ b/Shorewall-common/macro.Telnet
@@ -7,7 +7,7 @@
 # internet, telnet is inappropriate; use SSH instead
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 23
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Telnets b/Shorewall-common/macro.Telnets
index ac5867d61..472e1230d 100644
--- a/Shorewall-common/macro.Telnets
+++ b/Shorewall-common/macro.Telnets
@@ -7,7 +7,7 @@
 # For traffic over the internet, SSH might be more practical.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 992
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Time b/Shorewall-common/macro.Time
index 186a47f2d..bb8ca7f88 100644
--- a/Shorewall-common/macro.Time
+++ b/Shorewall-common/macro.Time
@@ -8,7 +8,7 @@
 # you shouldn't be using this. NTP is a superior alternative.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 37
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Trcrt b/Shorewall-common/macro.Trcrt
index 439615163..586dfab59 100644
--- a/Shorewall-common/macro.Trcrt
+++ b/Shorewall-common/macro.Trcrt
@@ -6,8 +6,8 @@
 # This macro handles Traceroute (for up to 30 hops).
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - udp 33434:33524 # UDP Traceroute
 PARAM - - icmp 8 # ICMP Traceroute
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.VNC b/Shorewall-common/macro.VNC
index 6e3ee6e27..154b7f81a 100644
--- a/Shorewall-common/macro.VNC
+++ b/Shorewall-common/macro.VNC
@@ -6,7 +6,7 @@
 # This macro handles VNC traffic for VNC display's 0 - 9.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 5900:5909
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.VNCL b/Shorewall-common/macro.VNCL
index 66c93fa4b..81f561124 100644
--- a/Shorewall-common/macro.VNCL
+++ b/Shorewall-common/macro.VNCL
@@ -7,7 +7,7 @@
 # mode.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 5500
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Web b/Shorewall-common/macro.Web
index ad961d1a0..2176b5b1c 100644
--- a/Shorewall-common/macro.Web
+++ b/Shorewall-common/macro.Web
@@ -8,8 +8,8 @@
 # is recommended.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 80 # HTTP (plaintext)
 PARAM - - tcp 443 # HTTPS (over SSL)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Webmin b/Shorewall-common/macro.Webmin
index c8a557765..9a35055d8 100644
--- a/Shorewall-common/macro.Webmin
+++ b/Shorewall-common/macro.Webmin
@@ -6,7 +6,7 @@
 # This macro handles Webmin traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 10000
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Whois b/Shorewall-common/macro.Whois
index 7425a8833..6e9c8bd67 100644
--- a/Shorewall-common/macro.Whois
+++ b/Shorewall-common/macro.Whois
@@ -6,7 +6,7 @@
 # This macro handles whois (nicname) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE PROTO DEST SOURCE RATE USER/
+# PORT PORT(S) LIMIT GROUP
 PARAM - - tcp 43
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index dd5c05019..59286e937 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.0 Patch release 5
+Shorewall 4.0 Patch release 6
 ----------------------------------------------------------------------------
 R E L E A S E 4 . 0 H I G H L I G H T S
@@ -26,197 +26,217 @@ Shorewall 4.0 Patch release 5 Shorewall-perl compiler. This support utilizes the reduced-function physdev match support available in Linux kernel 2.6.20 and later. -Problems corrected in Shorewall 4.0.5. +Problems corrected in Shorewall-perl 4.0.6. -1) Previously, Shorewall-perl misprocessed $FW:: in the DEST - column of a REDIRECT rule, generating an error. '$FW::' now - produces the same effect as ''. +1) In a DNAT or REDIRECT rule, if no serverport was given and the DEST + PORT(S) list contained a service name containing a hyphen ("-") then + an ERROR was generated. -2) If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE - PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected - the entry with the error: + Example -- Rules file: - ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules + DNAT net loc:$WINDOWS_IP tcp https,pptp,ms-wbt-server,4125 - The rule was accepted if 'tcp' or 'udp' was used instead. + Results in: -3) Shorewall-shell now removes any default bindings of ipsets before - attempting to reload them. Previously, default bindings were not - removed with the result that the ipsets could not be destroyed. + ERROR: Invalid port range (ms:wbt:server) : rules (line 49) -Other changes in Shorewall 4.0.5. + Problem was introduced in Shorewall 4.0.5 and does not occur in + earlier releases. -1) Two new options have been added to /etc/shorewall/hosts - (Shorewall-perl only). +2) If a long destination port list needed to be broken at a port pair, + the generated rule contained an extra comma which resulted in an + iptables-restore failure. - broadcast: Permits limited broadcast (destination 255.255.255.255) - to the zone. +3) Several problems involving port ranges and port lists in REDIRECT + rules have been corrected. - destonly: Normally used with the Multi-cast range. Specifies that - traffic will be sent to the specified net(s) but that - no traffic will be received from the net(s). 
+4) Shorewall-perl no longer requires an address in the GATEWAY column + of /etc/shorewall/tunnels. If the column is left empty (or contains + '-') then 0.0.0.0/0 is assumed. + +5) Previously with Shorewall-perl, redirecting both STDOUT and STDERR + to the same file descriptor resulted in scrambled output between + the two. The error messages were often in the middle of the + regular output far ahead of the point where the error occurred. + + This problem was possible in the Debian Shorewall init script + (/etc/init.d/shorewall) which redirects output to the + Debian-specific /var/log/shorewall-init.log file in this way: + + $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ... + +6) With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable + results could occur when marking in the PREROUTING or OUTPUT + chains. When a rule specified a mark value > 255, the compilers + were using the '--or-mark' operator rather than the '--set-mark' + operator. Consequently, when a packet matched more than one + rule, the resulting routing mark was the logical product of the + mark values in the matching rules rather than the mark value from + the last matching rule. Example: - wifi eth1:192.168.3.0/24 broadcast - wifi eth1:224.0.0.0/4 destonly + 0x100 192.168.1.44 0.0.0.0/0 + 0x200 0.0.0.0/0 0.0.0.0/0 tcp 25 - In that example, limited broadcasts from the firewall with a source - IP in the 192.168.3.0/24 range will be acccepted as will multicasts - (with any source address). + A TCP packet from 192.168.1.44 with destination port 25 would have + a mark value of 0x300 rather than the expected value of 0x200. -2) A MULTICAST option has been added to shorewall.conf. This option - will normally be set to 'No' (the default). 
It should be set to - 'Yes' under the following circumstances: +7) Previously, a 'start -f' on Shorewall Lite would produce the + following distressing output before starting the firewall: - a) You have an interface that has parallel zones defined via - /etc/shorewall/hosts. - b) You want to forward multicast packets to two or more of those - parallel zones. + make: *** No rule to make target `/firewall', needed by + `/var/lib/shorewall-lite/restore'. Stop. - In such cases, you will configure a 'destonly' network on each - zone receiving multicasts. + Furthermore, the Makefile for both Shorewall and Shorewall Lite + failed to take into account the /etc/shorewall/vardir file. - The MULTICAST option is only recognized by Shorewall-perl and is - ignored by Shorewall-shell. + This has been corrected. As part of the fix, both /sbin/shorewall + and /sbin/shorewall-lite support a "show vardir" command that + displays the VARDIR setting. -3) As announced in the Shorewall 4.0.4 release notes, Shorewall-perl - no longer supports the 'detectnets' option. Specifying that option - now results in the following message: +Other changes in Shorewall 4.0.6. - WARNING: Support for the 'detectnets' option has been removed +1) Shorewall-perl now uses the '--physdev-is-bridged' option when it + is available. This option will suppress messages like the following: - It is suggested that 'detectnets' be replaced by - 'routefilter,logmartians'. That will produce the same filtering - effect as 'detectnets' while eliminating 1-2 rules per connection. + kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and + POSTROUTING chains for non-bridged traffic is not supported + anymore. - One user has asked how to retain the output of 'shorewall show - zones' if the 'detectnets' option is removed. While I don't advise - doing so, you can reproduce the current 'shorewall show' behavior - as follows. 
+ This change only affects users who use bport/bport4 zones in a + briged configuration and requires that capabilities files be + regenerated using Shorewall-common or Shorewall-lite 4.0.6. - Suppose that you have a zone named 'wifi' that produces the - following output with 'detectnets': +2) Shorewall-perl now allows you to embed Shell or Perl scripts in + all configuration files except /etc/shorewall/params and + /etc/shorewall/shorewall.conf (As always, you can continue to + include arbitrary shell code in /etc/shorewall/params). - wifi (ipv4) - eth1:192.168.3.0/24 - - You can reproduce this behavior as follows: + To embed a one-line script, use one of the following: - /etc/shorewall/interfaces: + SHELL + PERL - - eth1 detect ... + For multi-line scripts, use: - /etc/shorewall/hosts: + BEGIN SHELL + + END SHELL - wifi eth1:192.168.3.0/24 broadcast + BEGIN PERL + + END PERL - If you send multicast to the 'wifi' zone, you also need this entry - in your hosts file: + For SHELL scripts, the output from the script is processed as if it + were part of the file. - wifi eth1:224.0.0.0/4 destonly + Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d + and e to the firewall: -4) (Shorewall-perl only) The server port in a DNAT or REDIRECT rule - may now be specified as a service name from - /etc/services. Additionally: + Either: - a) A port-range may be specified as the service port expressed in - the format -. Connections are assigned to - server ports in round-robin fashion. + BEGIN SHELL + for z in a b c d e; do + echo SMTP/ACCEPT $z fw tcp 25 + done + END SHELL - b) The compiler only permits a server port to be specified if the - protocol is tcp or udp. + or - c) The compiler ensures that the server IP address is valid (note - that it is still not permitted to specify the server address as a - DNS name). 
+ SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done -5) (Shorewall-perl only) Users are complaining that when they migrate - to Shorewall-perl, they have to restrict their port lists to 15 - ports. In this release, we relax that restriction on destination - port lists. Since the SOURCE PORT(s) column in the configuration - files is rarely used, we have no plans to relax the restriction in - that column. + Either is equivalent to: -6) There have been several cases where iptables-restore has failed - while executing a COMMIT command in the .iptables_restore_input - file. This gives neither the user nor Shorewall support much to go - on when analyzing the problem. As a new debugging aid, the meaning - of 'trace' and 'debug' have been changed. + SMTP/ACCEPT a fw tcp 25 + SMTP/ACCEPT b fw tcp 25 + SMTP/ACCEPT c fw tcp 25 + SMTP/ACCEPT d fw tcp 25 + SMTP/ACCEPT e fw tcp 25 - Traditionally, /sbin/shorewall and /sbin/shorewall-lite have - allowed either 'trace' or 'debug' as the first run-line - parameter. Prior to 4.0.5, the two words produced the same effect. + With a Perl script, if you want to output text to be processed as + if it were part of the file, then pass the text to the shorewall() + function. - Beginning with Shorewall 4.0.5, the two words have different - effects when Shorewall-perl is used. + Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d + and e to the firewall: - trace - Like the previous behavior. + BEGIN PERL + for ( qw/a b c d e/ ) { + shorewall "SMTP/ACCEPT $_ fw tcp 25"; + } + END PERL - In the Shorewall-perl compiler, generate a stack trace - on WARNING and ERROR messages. + PERL scripts have access to any context accumulated in earlier PERL + scripts. All such embedded Perl, as well as conventional Perl + extension scripts are placed in the Shorewall::User package. That + way, your global variables and functions won't conflict with any of + Shorewall's. 
- In the generated script, sets the shell's -x option to - trace execution of the script. + To allow you to load Perl modules and initialize any global state, + a new 'compile' compile-time extension script has been added. It is + called early in the compilation process. - debug - Ignored by the Shorewall-perl compiler. + For additional information, see - In the generated script, causes the commands in - .iptables_restore_input to be executed as discrete iptables - commands. The failing command can thus be identified and a - diagnosis of the cause can be made. + - http://www.shorewall.net/configuration_file_basics.html#Embedded - Users of Shorewall-lite will see the following change when using a - script that was compiled with Shorewall-perl 4.0.5 or later. +3) To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl + scripts to create filter chains using + Shorewall::Chains::new_manual_chain() and then use the chain as a + target in subsequent entries in /etc/shorewall/rules. - trace - In the generated script, sets the shell's -x option to - trace execution of the script. + See http://www.shorewall.net/ManualChains.html for information. - debug - In the generated script, causes the commands in - .iptables_restore_input to be executed as discrete iptables - commands. The failing command can thus be identified and a - diagnosis of the cause can be made. +4) The 'hits' command now accepts a -t option which limits the report + to those log records generated today. - In all other cases, 'debug' and 'trace' remain synonymous. In - particular, users of Shorewall-shell will see no change in - behavior. +5) A DONT_LOAD option has been added to shorewall.conf. If there are + kernel modules that you don't wish to have loaded, you can list + them in this entry as a comma-separated list. - WARNING: The 'debug' feature in Shorewall-perl is strictly for - problem analysis. 
When 'debug' is used: + Example: - a) The firewall is made 'wide open' before the rules are applied. - b) The routestopped file is not consulted and the rules are applied - in the canonical iptables-restore order (ASCIIbetical by chain). - So if you need critical hosts to be always available during - start/restart, you may not be able to use 'debug'. + DONT_LOAD=nf_conntrack_sip,nf_nat_sip -7) /usr/share/shorewall-perl/buildports.pl, - /usr/share/shorewall-perl/FallbackPorts.pm and - /usr/share/shorewall-perl/Shorewall/Ports.pm have been removed. +6) Shorewall-perl now supports the --random option of the iptables + SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that + iptables support for this option is currently broken for the DNAT + and REDIRECT targets; I've sent a patch to the Netfilter team. - Shorewall now resolves protocol and port names as using Perl's - interface to the the standard C library APIs getprotobyname() and - getservbyname(). + For MASQUERADE, simply place the word 'random' in the ADDRESS + column. This causes Netfilter to randomize the source port seen by + the remote host. - Note 1: + Example: - The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL', - 'icmp' and 'ICMP' are still resolved by Shorewall-perl - itself. + #INTERFACE SOURCE ADDRESS + eth0 eth1 random - Note 2: + For SNAT, follow the port list by ":random". - Those of you running Shorewall-perl under Cygwin may wish to - install "real" /etc/protocols and /etc/services files - in place of the symbolic links installed by Cygwin. + Example: -8) The contents of the Shorewall::*::$VERSION variables are now a - V-string (e.g., 4.0.5) rather than an integer (e.g., 4.05). This is - only of interest for Perl programs that are using the modules and - specifying a minimum version (e.g., "use Shorewall::Config - 4.0.5;"). Each module continues to carry a separate version which - indicates the release of Shorewall-perl when the module was last - modified. 
+ #INTERFACE SOURCE ADDRESS + eth0 eth1 206.124.146.179:10000-10999:random + + For DNAT, follow the port list by ":random". + + Example: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + DNAT net loc:192.168.1.4:40-50:random tcp 22 + + For REDIRECT, you must use the fully-qualified form of the DEST: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + REDIRECT net $FW::40-50:random tcp 22 + + Note that ':random' is only effective with SNAT, DNAT and REDIRECT + when a port range is specified in the ADDRESS/DEST column. It is + ignored by iptables/iptables-restore otherwise. Migration Considerations: @@ -807,6 +827,7 @@ Migration Considerations: - Perl File::Temp Module - Perl Getopt::Long Module - Perl FindBin Module + - Perl Scaler::Util Module ------------------------------------------------------------------------ U S I N G T H E N E W C O M P I L E R ------------------------------------------------------------------------ @@ -978,17 +999,6 @@ Migration Considerations: /usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall - Note: For compatibility with the Shorewall 3.4.2 and 3.4.3 - releases, options not passed on the run-line get their values from - environmental variables: - - Option Variable - - --verbosity VERBOSE - --export EXPORT - --directory SHOREWALL_DIR - --timestamp TIMESTAMP - The Perl Module is externalized as follows: use lib '/usr/share/shorewall-perl'; @@ -1013,6 +1023,7 @@ Migration Considerations: EXPORT = 0x01 TIMESTAMP = 0x02 + DEBUG = 0x04 $chains - A comma-separated list of chains that the generated script's 'refresh' command will 
@@ -1071,194 +1082,342 @@ Migration Considerations: (compiler, shorewall-common and shorewall-lite) must be version 4.0.0-RC2 or later. -Problems corrected in 4.0.1. +Problems corrected in Shorewall 4.0.5. -1) The Shorewall Lite installer was producing an empty shorewall-lite - manpage. Since the installer runs as part of creating the RPM, the - RPM also suffered from this problem. The 4.0.0 Shorewall-lite - packages were re-uploaded with this problem corrected. +1) Previously, Shorewall-perl misprocessed $FW:: in the DEST + column of a REDIRECT rule, generating an error. '$FW::' now + produces the same effect as ''. -2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall - rather than /sbin/shorewall-lite. +2) If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE + PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected + the entry with the error: -3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall - clear" if Shorewall [Lite] was running. Now, the Shorewall Lite - uninstaller correctly does "shorewall-lite clear" and both - uninstallers only perform the 'clear' operation if the other - product is not installed. This prevents the removal of one of the - two products from clearing the firewall configuration established - by the other one. + ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules -4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by - Shorewall-perl. If the zone type was changed to 'ipsec' or - 'ipsec4' and the 'ipsec' option removed from the hosts file entry, - the configuration worked properly. + The rule was accepted if 'tcp' or 'udp' was used instead. -5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then - Shorewall-perl produced the following: +3) Shorewall-shell now removes any default bindings of ipsets before + attempting to reload them. Previously, default bindings were not + removed with the result that the ipsets could not be destroyed. 
- Compiling... - Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18. - ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18) +Other changes in Shorewall 4.0.5. -6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was - locating the binary using the PATH environmental variable rather - than the PATH setting in shorewall.conf. If no PATH was available - when Shorewall-perl was run and IPTABLES was not set in - shorewall.conf, the following messages were issued: +1) Two new options have been added to /etc/shorewall/hosts + (Shorewall-perl only). - Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054. - ERROR: Can't find iptables executable - ERROR: Shorewall restart failed + broadcast: Permits limited broadcast (destination 255.255.255.255) + to the zone. -7) If the "Mangle FORWARD Chain" capability was supported, entries in - the /etc/shorewall/ecn file would cause invalid iptables commands - to be generated. This problem occurred with both compilers. + destonly: Normally used with the Multi-cast range. Specifies that + traffic will be sent to the specified net(s) but that + no traffic will be received from the net(s). -8) Shorewall now starts at reboot after an upgrade from shorewall < - 4.0.0. Previously, Shorewall was not started automatically at - reboot after an upgrade using the RPM. + Example: -9) Shorewall-perl was generating invalid iptables-restore input when a - log level was specified with the dropBcast and allowBcast builtin - actions and when a log level followed by '!' was used with any - builtin actions. + wifi eth1:192.168.3.0/24 broadcast + wifi eth1:224.0.0.0/4 destonly -10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of - time in rate-limiting specifications. 
+ In that example, limited broadcasts from the firewall with a source + IP in the 192.168.3.0/24 range will be acccepted as will multicasts + (with any source address). -11) Certain errors occurring during - start/restart/safe-start/safe-restart/try processing could cause - the lockfile to be left behind. This resulted in a 60-second delay - the next time one of these commands was run. +2) A MULTICAST option has been added to shorewall.conf. This option + will normally be set to 'No' (the default). It should be set to + 'Yes' under the following circumstances: -Other changes in Shorewall 4.0.1. + a) You have an interface that has parallel zones defined via + /etc/shorewall/hosts. + b) You want to forward multicast packets to two or more of those + parallel zones. -1) A new EXPAND_POLICIES option is added to shorewall.conf. The - option is recognized by Shorewall-perl and is ignored by - Shorewall-shell. + In such cases, you will configure a 'destonly' network on each + zone receiving multicasts. - Normally, when the SOURCE or DEST columns in shorewall-policy(5) - contains 'all', a single policy chain is created and the policy is - enforced in that chain. For example, if the policy entry is + The MULTICAST option is only recognized by Shorewall-perl and is + ignored by Shorewall-shell. - #SOURCE DEST POLICY LOG - # LEVEL - net all DROP info +3) As announced in the Shorewall 4.0.4 release notes, Shorewall-perl + no longer supports the 'detectnets' option. Specifying that option + now results in the following message: - then the chain name is 'net2all' which is also the chain named in - Shorewall log messages generated as a result of the policy. If - EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate - chain for each pair of zones covered by the policy. This makes the - resulting log messages easier to interpret since the chain in the - messages will have a name of the form 'a2b' where 'a' is the SOURCE - zone and 'b' is the DEST zone. 
See - http://linuxman.wikispaces.com/PPPPPPS for more information. + WARNING: Support for the 'detectnets' option has been removed -2) The Shorewall-perl dependency on the "Address Type Match" - capability has been relaxed. This allows Shorewall 4.0.1 to be used - on releases like RHEL4 that don't support that capability. + It is suggested that 'detectnets' be replaced by + 'routefilter,logmartians'. That will produce the same filtering + effect as 'detectnets' while eliminating 1-2 rules per connection. -3) Shorewall-perl now detects dead policy file entries that result - when an entry is masked by an earlier entry. Example: + One user has asked how to retain the output of 'shorewall show + zones' if the 'detectnets' option is removed. While I don't advise + doing so, you can reproduce the current 'shorewall show' behavior + as follows. - all all REJECT info - loc net ACCEPT + Suppose that you have a zone named 'wifi' that produces the + following output with 'detectnets': -4) Recent kernels are apparently hard to configure and we have been - seeing a lot of problem reports where the root cause is the lack of - state match support in the kernel. This problem is difficult to - diagnose when using Shorewall-perl so the generated shell program - now checks specifically for this problem and terminates with an - error if the capability doesn't exist. + wifi (ipv4) + eth1:192.168.3.0/24 + + You can reproduce this behavior as follows: -Problems corrected in 4.0.2 + /etc/shorewall/interfaces: -1) The Shorewall-perl compiler was still generating invalid - iptables-restore input from entries in /etc/shorewall/ecn. + - eth1 detect ... -2) When using Shorewall-perl, unless an interface was specified as - 'optional' in the interfaces file, the 'restore' command would - fail if the routes through the interface or the addresses on the - interface could not be detected. 
+ /etc/shorewall/hosts: - Route detection occurs when the interface is named in the SOURCE - column of the masq file. Address detection occurs when - DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT - or REDIRECT rule or when 'maclist' is specified for the interface. - - Since the 'restore' command doesn't use the detected information, - detection is now skipped if the command is 'restore'. + wifi eth1:192.168.3.0/24 broadcast -3) It was not previously possible to define traffic shaping on a - bridge port; the generated script complained that the - interface was not up and configured. + If you send multicast to the 'wifi' zone, you also need this entry + in your hosts file: -4) When Shorewall-shell was not installed, certain options in - /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the - 'add' and 'delete' commands to fail with a missing library error. + wifi eth1:224.0.0.0/4 destonly - OPTION FILE - maclist interfaces,hosts - proxyarp interfaces +4) (Shorewall-perl only) The server port in a DNAT or REDIRECT rule + may now be specified as a service name from + /etc/services. Additionally: -5) The /var/lib/shorewall/zones file was being overwritten during - processing of the 'refresh' command by a script generated with - Shorewall-perl. The result was that hosts previously added to - dynamic zones could not be deleted after the 'refresh'. + a) A port-range may be specified as the service port expressed in + the format -. Connections are assigned to + server ports in round-robin fashion. -6) If the file named as the output file in a Shorewall-perl 'compile' - command was a symbolic link, the generated error message - erroneously stated that the file's parent directory was a symbolic - link. + b) The compiler only permits a server port to be specified if the + protocol is tcp or udp. - As part of this change, cosmetic changes were made to a number of - other error messages. 
+ c) The compiler ensures that the server IP address is valid (note + that it is still not permitted to specify the server address as a + DNS name). -7) Some intra-zone rules were missing when a zone involved multiple - interfaces or when a zone included both IPSEC and non-IPSEC - networks. +5) (Shorewall-perl only) Users are complaining that when they migrate + to Shorewall-perl, they have to restrict their port lists to 15 + ports. In this release, we relax that restriction on destination + port lists. Since the SOURCE PORT(s) column in the configuration + files is rarely used, we have no plans to relax the restriction in + that column. -8) Shorewall was not previously loading the xt_multiport kernel - module. +6) There have been several cases where iptables-restore has failed + while executing a COMMIT command in the .iptables_restore_input + file. This gives neither the user nor Shorewall support much to go + on when analyzing the problem. As a new debugging aid, the meaning + of 'trace' and 'debug' have been changed. -9) The Russian and French translations no longer have English headings - on notes, cautions, etc.. + Traditionally, /sbin/shorewall and /sbin/shorewall-lite have + allowed either 'trace' or 'debug' as the first run-line + parameter. Prior to 4.0.5, the two words produced the same effect. -10) Previously, using a port list in the DEST PORT(S) column of the - rules file or in an action file could cause an invalid iptables - command to be generated by Shorewall-shell. + Beginning with Shorewall 4.0.5, the two words have different + effects when Shorewall-perl is used. -11) If there were no bridges in a configuration, Shorewall-perl would - ignore the CHAIN column in /etc/shorewall/accounting. + trace - Like the previous behavior. -Other changes in 4.0.2 + In the Shorewall-perl compiler, generate a stack trace + on WARNING and ERROR messages. 
-1) Shorewall-perl now detects when a port range is included in a list - of ports and iptables/kernel support for Extended Multi-port Match - is not available. This avoids an iptables-restore failure at - run-time. + In the generated script, sets the shell's -x option to + trace execution of the script. -2) Most chains created by Shorewall-shell have names that can be - embedded within shell variable names. This is a workaround for - limitations in the shell programming language which has no - equivalent to Perl hashes. Often chain names must have the name of - a network interface encoded in them. Given that interface names can - contain characters that are invalid in a shell variable name, - Shorewall-shell performs a name mapping which was carried forward to - Shorewall-perl: + debug - Ignored by the Shorewall-perl compiler. - - Trailing '+' is dropped. - - The characters ".", "-", "%' and "@" are translated to "_". + In the generated script, causes the commands in + .iptables_restore_input to be executed as discrete iptables + commands. The failing command can thus be identified and a + diagnosis of the cause can be made. - This mapping has been elminated in the 4.0.2 release of Shorewall- - perl. So where before you would see chain "eth0_0_in", you may now - see the same chain named "eth0.0_in". Similarly, a chain previously - named "ppp_fwd" may now be called "ppp+_fwd". + Users of Shorewall-lite will see the following change when using a + script that was compiled with Shorewall-perl 4.0.5 or later. -3) Shorewall-perl now uses the contents of the BROADCAST column in - /etc/shorewall/interfaces when the Address Type match capability is - not available. + trace - In the generated script, sets the shell's -x option to + trace execution of the script. + + debug - In the generated script, causes the commands in + .iptables_restore_input to be executed as discrete iptables + commands. 
The failing command can thus be identified and a + diagnosis of the cause can be made. + + In all other cases, 'debug' and 'trace' remain synonymous. In + particular, users of Shorewall-shell will see no change in + behavior. + + WARNING: The 'debug' feature in Shorewall-perl is strictly for + problem analysis. When 'debug' is used: + + a) The firewall is made 'wide open' before the rules are applied. + b) The routestopped file is not consulted and the rules are applied + in the canonical iptables-restore order (ASCIIbetical by chain). + So if you need critical hosts to be always available during + start/restart, you may not be able to use 'debug'. + +7) /usr/share/shorewall-perl/buildports.pl, + /usr/share/shorewall-perl/FallbackPorts.pm and + /usr/share/shorewall-perl/Shorewall/Ports.pm have been removed. + + Shorewall now resolves protocol and port names as using Perl's + interface to the the standard C library APIs getprotobyname() and + getservbyname(). + + Note 1: + + The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL', + 'icmp' and 'ICMP' are still resolved by Shorewall-perl + itself. + + Note 2: + + Those of you running Shorewall-perl under Cygwin may wish to + install "real" /etc/protocols and /etc/services files + in place of the symbolic links installed by Cygwin. + +8) The contents of the Shorewall::*::$VERSION variables are now a + V-string (e.g., 4.0.5) rather than an integer (e.g., 4.05). This is + only of interest for Perl programs that are using the modules and + specifying a minimum version (e.g., "use Shorewall::Config + 4.0.5;"). Each module continues to carry a separate version which + indicates the release of Shorewall-perl when the module was last + modified. 
+ +Problems Corrected in Shorewall 4.0.4 + +1) If no interface had the 'blacklist' option, then when using + Shorewall-perl, the 'start' and 'restart' command failed: + + ERROR: No filter chain found with name blacklst + + New Shorewall-perl 4.0.3 packages were released that corrected this + problem; it is included here for completeness. + +2) If no interface had the 'blacklist' option, then when using + Shorewall-perl, the generated script would issue this harmless + message during 'shorewall refresh': + + chainlist_reload: Not found + +3) If /bin/sh was a light-weight shell such as ash or dash, then + 'shorewall refresh' failed. + +4) During start/restart, the script generated by Shorewall-perl was + clearing the proxy_arp flag on all interfaces; that is not the + documented behavior. + +5) If the module-init-tools package was not installed and + /etc/shorewall/modules did not exist or was non-empty, then + Shorewall-perl would fail with the message: + + ERROR: Can't run lsmod : /etc/shorewall/modules (line 0) + +6) Shorewall-perl now makes a compile-time check to insure that + iptables-restore exists and is executable. This check is made when + the compiler is being run by root and the -e option is not + given. + + Note that iptables-restore must reside in the same directory as the + iptables executable specified by IPTABLES in shorewall.conf or + located by the PATH in the event that IPTABLES is not specified. + +7) When using Shorewall-perl, if an action was invoked with more than + 10 different combinations of log-levels/tags, some of those + invocations would have incorrect logging. + +8) Previously, when 'shorewall restore' was executed, the + iptables-restore utility was always located using the PATH setting + rather than the IPTABLES setting. + + With Shorewall-perl, the IPTABLES setting is now used to locate + this utility during 'restore' as it is during the processing of + other commands. 
+ +9) Although the shorewall.conf manpage indicates that the value + 'internal' is allowed for TC_ENABLED, that value was previously + rejected ('Internal' was accepted). + +10) The meaning of the 'loose' provider option was accidentally reversed + in Shorewall-perl. Rather than causing certain routing rules to be + omitted when specified, it actually caused them to be added (these + rules were omitted when the option was NOT specified). + +11) If the 'bridge' option was specified on an interface but there were + no bport zones, then traffic originating on the firewall was not + passed through the accounting chain. + +12) In commands such as: + + shorewall compile + shorewall restart + shorewall check + + if the name of the contained a period ("."), then + Shorewall-perl would incorrectly substitute the current working + directory for the name. + +13) Previously, if the following sequence of routing rules was + specified, then the first rule would always be omitted. + + #SOURCE DEST PROVIDER PRIORITY + $SRC_A $DESTIP1 ISP1 1000 + $SRC_A $DESTIP2 SOMEISP 1000 + $SRC_A - ISP2 1000 + + The reason for this omission was that Shorewall uses a + delete-before-add approach and attempting to delete the third rule + resulted in the deletion of the first one instead. + + This problem occurred with both compilers. + +14) When using Shorewall-shell, provider numbers were not recognized in + the PROVIDER column of /etc/shorewall/route_rules. + +15) An off-by-one problem in Shorewall-perl caused the value 255 to be + rejected in the MARK column of /etc/shorewall/tcclasses. + +16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a + multiple of 256. That restriction was being enforced by + Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also + enforces this restriction. + +17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT) + failed with an "Unknown interface" error when using Shorewall-perl. 
+ +Other Changes in Shorewall 4.0.4 + +1) The detection of 'Repeat Match' has been improved. 'Repeat Match' + is not a match at all but rather is a feature of recent versions of + iptables that allows a particular match to be used multiple times + within a single rule. + + Example: + + -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ... + + When using Shorewall-shell, the availability of 'Repeat Match' can + speed up compilation very slightly. + +2) Apparently recent Fedora releases are broken. The + following sequence of commands demonstrates the problem: + + ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5 + ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main + ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000 + + The third command should fail but doesn't; instead, it incorrectly + removes the rule added by the first command. + + To work around this issue, you can set DELETE_THEN_ADD=No in + shorewall.conf which prevents Shorewall from deleting ip rules + before attempting to add a similar rule. + +3) When using Shorewall-perl, the following message is now issued if + the 'detectnets' option is specified in /etc/shorewall/interfaces: + + WARNING: Support for the 'detectnets' option will be removed from + Shorewall-perl in version 4.0.5; better to use 'routefilter' and + 'logmartians + + The 'detect' options has always been rather silly. On input, it + duplicates the function of 'routefilter'. On output, it is a no-op + since traffic that doesn't match a route out of an interface won't + be sent through that interface (duh!). + + Beginning with Shorewall 4.0.5, the warning message will read: + + WARNING: Support for the 'detectnets' option has been removed Problems Corrected in 4.0.3 
@@ -1468,148 +1627,191 @@ Other Changes in 4.0.3 This feature requires Shorewall-perl 4.0.3 as well as Shorewall-common 4.0.3. -Problems Corrected in Shorewall 4.0.4 +Problems corrected in 4.0.2 -1) If no interface had the 'blacklist' option, then when using - Shorewall-perl, the 'start' and 'restart' command failed: +1) The Shorewall-perl compiler was still generating invalid + iptables-restore input from entries in /etc/shorewall/ecn. - ERROR: No filter chain found with name blacklst +2) When using Shorewall-perl, unless an interface was specified as + 'optional' in the interfaces file, the 'restore' command would + fail if the routes through the interface or the addresses on the + interface could not be detected. - New Shorewall-perl 4.0.3 packages were released that corrected this - problem; it is included here for completeness. + Route detection occurs when the interface is named in the SOURCE + column of the masq file. Address detection occurs when + DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT + or REDIRECT rule or when 'maclist' is specified for the interface. + + Since the 'restore' command doesn't use the detected information, + detection is now skipped if the command is 'restore'. -2) If no interface had the 'blacklist' option, then when using - Shorewall-perl, the generated script would issue this harmless - message during 'shorewall refresh': +3) It was not previously possible to define traffic shaping on a + bridge port; the generated script complained that the + interface was not up and configured. - chainlist_reload: Not found +4) When Shorewall-shell was not installed, certain options in + /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the + 'add' and 'delete' commands to fail with a missing library error. -3) If /bin/sh was a light-weight shell such as ash or dash, then - 'shorewall refresh' failed. 
+ OPTION FILE + maclist interfaces,hosts + proxyarp interfaces -4) During start/restart, the script generated by Shorewall-perl was - clearing the proxy_arp flag on all interfaces; that is not the - documented behavior. +5) The /var/lib/shorewall/zones file was being overwritten during + processing of the 'refresh' command by a script generated with + Shorewall-perl. The result was that hosts previously added to + dynamic zones could not be deleted after the 'refresh'. -5) If the module-init-tools package was not installed and - /etc/shorewall/modules did not exist or was non-empty, then - Shorewall-perl would fail with the message: +6) If the file named as the output file in a Shorewall-perl 'compile' + command was a symbolic link, the generated error message + erroneously stated that the file's parent directory was a symbolic + link. - ERROR: Can't run lsmod : /etc/shorewall/modules (line 0) + As part of this change, cosmetic changes were made to a number of + other error messages. -6) Shorewall-perl now makes a compile-time check to insure that - iptables-restore exists and is executable. This check is made when - the compiler is being run by root and the -e option is not - given. +7) Some intra-zone rules were missing when a zone involved multiple + interfaces or when a zone included both IPSEC and non-IPSEC + networks. - Note that iptables-restore must reside in the same directory as the - iptables executable specified by IPTABLES in shorewall.conf or - located by the PATH in the event that IPTABLES is not specified. +8) Shorewall was not previously loading the xt_multiport kernel + module. -7) When using Shorewall-perl, if an action was invoked with more than - 10 different combinations of log-levels/tags, some of those - invocations would have incorrect logging. +9) The Russian and French translations no longer have English headings + on notes, cautions, etc.. 
-8) Previously, when 'shorewall restore' was executed, the - iptables-restore utility was always located using the PATH setting - rather than the IPTABLES setting. +10) Previously, using a port list in the DEST PORT(S) column of the + rules file or in an action file could cause an invalid iptables + command to be generated by Shorewall-shell. - With Shorewall-perl, the IPTABLES setting is now used to locate - this utility during 'restore' as it is during the processing of - other commands. +11) If there were no bridges in a configuration, Shorewall-perl would + ignore the CHAIN column in /etc/shorewall/accounting. -9) Although the shorewall.conf manpage indicates that the value - 'internal' is allowed for TC_ENABLED, that value was previously - rejected ('Internal' was accepted). +Other changes in 4.0.2 -10) The meaning of the 'loose' provider option was accidentally reversed - in Shorewall-perl. Rather than causing certain routing rules to be - omitted when specified, it actually caused them to be added (these - rules were omitted when the option was NOT specified). +1) Shorewall-perl now detects when a port range is included in a list + of ports and iptables/kernel support for Extended Multi-port Match + is not available. This avoids an iptables-restore failure at + run-time. -11) If the 'bridge' option was specified on an interface but there were - no bport zones, then traffic originating on the firewall was not - passed through the accounting chain. +2) Most chains created by Shorewall-shell have names that can be + embedded within shell variable names. This is a workaround for + limitations in the shell programming language which has no + equivalent to Perl hashes. Often chain names must have the name of + a network interface encoded in them. 
Given that interface names can + contain characters that are invalid in a shell variable name, + Shorewall-shell performs a name mapping which was carried forward to + Shorewall-perl: -12) In commands such as: + - Trailing '+' is dropped. + - The characters ".", "-", "%' and "@" are translated to "_". - shorewall compile - shorewall restart - shorewall check + This mapping has been elminated in the 4.0.2 release of Shorewall- + perl. So where before you would see chain "eth0_0_in", you may now + see the same chain named "eth0.0_in". Similarly, a chain previously + named "ppp_fwd" may now be called "ppp+_fwd". - if the name of the contained a period ("."), then - Shorewall-perl would incorrectly substitute the current working - directory for the name. +3) Shorewall-perl now uses the contents of the BROADCAST column in + /etc/shorewall/interfaces when the Address Type match capability is + not available. -13) Previously, if the following sequence of routing rules was - specified, then the first rule would always be omitted. +Problems corrected in 4.0.1. - #SOURCE DEST PROVIDER PRIORITY - $SRC_A $DESTIP1 ISP1 1000 - $SRC_A $DESTIP2 SOMEISP 1000 - $SRC_A - ISP2 1000 +1) The Shorewall Lite installer was producing an empty shorewall-lite + manpage. Since the installer runs as part of creating the RPM, the + RPM also suffered from this problem. The 4.0.0 Shorewall-lite + packages were re-uploaded with this problem corrected. - The reason for this omission was that Shorewall uses a - delete-before-add approach and attempting to delete the third rule - resulted in the deletion of the first one instead. +2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall + rather than /sbin/shorewall-lite. - This problem occurred with both compilers. +3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall + clear" if Shorewall [Lite] was running. 
Now, the Shorewall Lite + uninstaller correctly does "shorewall-lite clear" and both + uninstallers only perform the 'clear' operation if the other + product is not installed. This prevents the removal of one of the + two products from clearing the firewall configuration established + by the other one. -14) When using Shorewall-shell, provider numbers were not recognized in - the PROVIDER column of /etc/shorewall/route_rules. +4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by + Shorewall-perl. If the zone type was changed to 'ipsec' or + 'ipsec4' and the 'ipsec' option removed from the hosts file entry, + the configuration worked properly. -15) An off-by-one problem in Shorewall-perl caused the value 255 to be - rejected in the MARK column of /etc/shorewall/tcclasses. +5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then + Shorewall-perl produced the following: -16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a - multiple of 256. That restriction was being enforced by - Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also - enforces this restriction. + Compiling... + Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18. + ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18) -17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT) - failed with an "Unknown interface" error when using Shorewall-perl. +6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was + locating the binary using the PATH environmental variable rather + than the PATH setting in shorewall.conf. If no PATH was available + when Shorewall-perl was run and IPTABLES was not set in + shorewall.conf, the following messages were issued: -Other Changes in Shorewall 4.0.4 + Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054. 
+ ERROR: Can't find iptables executable + ERROR: Shorewall restart failed -1) The detection of 'Repeat Match' has been improved. 'Repeat Match' - is not a match at all but rather is a feature of recent versions of - iptables that allows a particular match to be used multiple times - within a single rule. +7) If the "Mangle FORWARD Chain" capability was supported, entries in + the /etc/shorewall/ecn file would cause invalid iptables commands + to be generated. This problem occurred with both compilers. - Example: +8) Shorewall now starts at reboot after an upgrade from shorewall < + 4.0.0. Previously, Shorewall was not started automatically at + reboot after an upgrade using the RPM. - -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ... +9) Shorewall-perl was generating invalid iptables-restore input when a + log level was specified with the dropBcast and allowBcast builtin + actions and when a log level followed by '!' was used with any + builtin actions. - When using Shorewall-shell, the availability of 'Repeat Match' can - speed up compilation very slightly. +10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of + time in rate-limiting specifications. -2) Apparently recent Fedora releases are broken. The - following sequence of commands demonstrates the problem: +11) Certain errors occurring during + start/restart/safe-start/safe-restart/try processing could cause + the lockfile to be left behind. This resulted in a 60-second delay + the next time one of these commands was run. - ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5 - ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main - ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000 +Other changes in Shorewall 4.0.1. - The third command should fail but doesn't; instead, it incorrectly - removes the rule added by the first command. +1) A new EXPAND_POLICIES option is added to shorewall.conf. 
The + option is recognized by Shorewall-perl and is ignored by + Shorewall-shell. - To work around this issue, you can set DELETE_THEN_ADD=No in - shorewall.conf which prevents Shorewall from deleting ip rules - before attempting to add a similar rule. + Normally, when the SOURCE or DEST columns in shorewall-policy(5) + contains 'all', a single policy chain is created and the policy is + enforced in that chain. For example, if the policy entry is -3) When using Shorewall-perl, the following message is now issued if - the 'detectnets' option is specified in /etc/shorewall/interfaces: + #SOURCE DEST POLICY LOG + # LEVEL + net all DROP info - WARNING: Support for the 'detectnets' option will be removed from - Shorewall-perl in version 4.0.5; better to use 'routefilter' and - 'logmartians + then the chain name is 'net2all' which is also the chain named in + Shorewall log messages generated as a result of the policy. If + EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate + chain for each pair of zones covered by the policy. This makes the + resulting log messages easier to interpret since the chain in the + messages will have a name of the form 'a2b' where 'a' is the SOURCE + zone and 'b' is the DEST zone. See + http://linuxman.wikispaces.com/PPPPPPS for more information. - The 'detect' options has always been rather silly. On input, it - duplicates the function of 'routefilter'. On output, it is a no-op - since traffic that doesn't match a route out of an interface won't - be sent through that interface (duh!). +2) The Shorewall-perl dependency on the "Address Type Match" + capability has been relaxed. This allows Shorewall 4.0.1 to be used + on releases like RHEL4 that don't support that capability. - Beginning with Shorewall 4.0.5, the warning message will read: +3) Shorewall-perl now detects dead policy file entries that result + when an entry is masked by an earlier entry. 
Example: - WARNING: Support for the 'detectnets' option has been removed + all all REJECT info + loc net ACCEPT +4) Recent kernels are apparently hard to configure and we have been + seeing a lot of problem reports where the root cause is the lack of + state match support in the kernel. This problem is difficult to + diagnose when using Shorewall-perl so the generated shell program + now checks specifically for this problem and terminates with an + error if the capability doesn't exist. diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall index 8c3290386..275a34c1f 100755 --- a/Shorewall-common/shorewall +++ b/Shorewall-common/shorewall @@ -62,6 +62,7 @@ # shorewall show tc Display traffic control info # shorewall show classifiers Display classifiers # shorewall show capabilities Display iptables/kernel capabilities +# shorewall show vardir Display the VARDIR setting. # shorewall version Display the installed version id # shorewall check [ -e ] [ ] Dry-run compilation. # shorewall try [ ] Try a new configuration and if @@ -1283,7 +1284,7 @@ usage() # $1 = exit status echo " export [ -C {shell|perl} ] [ ] [@][:]" echo " forget [ ]" echo " help" - echo " hits" + echo " hits [ -t ]" echo " ipcalc {
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" @@ -1298,7 +1299,7 @@ usage() # $1 = exit status echo " restart [ -n ] [ -C {shell|perl} ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]" + echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]" echo " start [ -f ] [ -n ] [ -C {shell|perl} ] [ ]" echo " stop [ -f ]" echo " status" @@ -1633,8 +1634,8 @@ case "$COMMAND" in hits) get_config Yes No Yes [ -n "$debugging" ] && set -x - [ $# -eq 1 ] || usage 1 - hits_command + shift + hits_command $@ ;; version) shift diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index 415ad0a78..38c0bcd9f 100644 --- a/Shorewall-common/shorewall-common.spec +++ b/Shorewall-common/shorewall-common.spec @@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.0.5 +%define version 4.0.6 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -153,6 +153,9 @@ fi %attr(0644,root,root) /usr/share/shorewall/macro.IPsec %attr(0644,root,root) /usr/share/shorewall/macro.IPsecah %attr(0644,root,root) /usr/share/shorewall/macro.IPsecnat +%attr(0644,root,root) /usr/share/shorewall/macro.Jabberd +%attr(0644,root,root) /usr/share/shorewall/macro.JabberPlain +%attr(0644,root,root) /usr/share/shorewall/macro.JabberSecure %attr(0644,root,root) /usr/share/shorewall/macro.Jetdirect %attr(0644,root,root) /usr/share/shorewall/macro.L2TP %attr(0644,root,root) /usr/share/shorewall/macro.LDAP 
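Review bot: `hits_command $@` at the end of the `hits)` branch passes the remaining arguments unquoted, so any argument containing whitespace or glob characters is re-split and globbed before `hits_command` sees it; it should be `hits_command "$@"`. The commit also drops the `[ $# -eq 1 ] || usage 1` arity check, so whether unexpected extra arguments are still rejected now depends entirely on `hits_command`, which is not in this diff. The same pattern is introduced in the `hits)` branch of Shorewall-lite/shorewall-lite further down.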
@@ -240,6 +243,14 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Thu Nov 15 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-1 +* Sat Nov 10 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC3 +* Wed Nov 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC2 +* Thu Oct 25 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC1 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.5-1 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf index 5346ad8bc..873ea7bcc 100644 --- a/Shorewall-common/shorewall.conf +++ b/Shorewall-common/shorewall.conf @@ -171,6 +171,8 @@ DELETE_THEN_ADD=Yes MULTICAST=No +DONT_LOAD= + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index ff7c89f18..53a9dc807 100755 --- a/Shorewall-common/uninstall.sh +++ b/Shorewall-common/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.5 +VERSION=4.0.6 usage() # $1 = exit status { diff --git a/Shorewall-lite/Makefile b/Shorewall-lite/Makefile index 6dbd0d90c..c30ccb88b 100644 --- a/Shorewall-lite/Makefile +++ b/Shorewall-lite/Makefile @@ -1,12 +1,11 @@ # Shorewall Lite Makefile to restart if firewall script is newer than last restart -VARDIR=/var/lib/shorewall-lite +VARDIR=$(shell /sbin/shorewall-lite show vardir) SHAREDIR=/usr/share/shorewall-lite RESTOREFILE?=.restore -include $(SHAREDIR)/configpath all: $(VARDIR)/${RESTOREFILE} -$(VARDIR)/${RESTOREFILE}: $(LITEDIR)/firewall +$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall @/sbin/shorewall-lite -q save >/dev/null; \ if \ /sbin/shorewall-lite -q restart >/dev/null 2>&1; \ 
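Review bot: `VARDIR=$(shell /sbin/shorewall-lite show vardir)` silently expands to an empty string when the command is missing, fails, or prints an error to stdout, which turns the target into `/.restore` with a `/firewall` prerequisite instead of failing. A guard such as `ifeq ($(VARDIR),)` followed by `$(error cannot determine VARDIR)` and `endif` right after the assignment would make the failure visible. The previous `include $(SHAREDIR)/configpath` line is removed in the same hunk, so there is no longer a fallback source for the directory.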
diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index 80c6422d8..73d7a231f 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.5 +VERSION=4.0.6 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index fa8ac7dd3..b7fc95e12 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.5 +VERSION=4.0.6 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 8d1baa0aa..61d3d16eb 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -49,6 +49,7 @@ # shorewall-lite show tc Display traffic control info # shorewall-lite show classifiers Display classifiers # shorewall-lite show capabilities Display iptables/kernel capabilities +# shorewall-lite show vardir Display VARDIR setting # shorewall-lite version Display the installed version id # shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall # messages. @@ -356,7 +357,7 @@ usage() # $1 = exit status echo " dump [ -x ]" echo " forget [ ]" echo " help" - echo " hits" + echo " hits [ -t ]" echo " ipcalc {
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" @@ -368,7 +369,7 @@ usage() # $1 = exit status echo " restart [ -n ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|capabilities|classifiers|config|connections|ip|log|mangle|nat|routing|tc|zones} ]" + echo " show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|capabilities|classifiers|config|connections|ip|log|mangle|nat|routing|tc|vardir|zones} ]" echo " start [ -f ] [ -n ]" echo " stop" echo " status" @@ -597,8 +598,8 @@ case "$COMMAND" in ;; hits) [ -n "$debugging" ] && set -x - [ $# -eq 1 ] || usage 1 - hits_command + shift + hits_command $@ ;; version) echo $version Lite diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 6f7e2bbfe..919b8c6b5 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.0.5 +%define version 4.0.6 %define release 1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -98,6 +98,14 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Thu Nov 15 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-1 +* Sat Nov 10 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC3 +* Wed Nov 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC2 +* Thu Oct 25 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC1 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.5-1 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index 9990b22f5..690ea6a49 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.5 +VERSION=4.0.6 usage() # $1 = exit status { 
diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm index 23181af72..4b4b8cf6b 100644 --- a/Shorewall-perl/Shorewall/Accounting.pm +++ b/Shorewall-perl/Shorewall/Accounting.pm @@ -25,17 +25,17 @@ # package Shorewall::Accounting; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::IPAddrs; use Shorewall::Zones; -use Shorewall::Chains; +use Shorewall::Chains qw(:DEFAULT :internal); use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_accounting ); our @EXPORT_OK = qw( ); -our $VERSION = 4.0.3; +our $VERSION = 4.0.6; # # Initialize globals -- we take this novel approach to globals initialization to allow @@ -174,19 +174,14 @@ sub process_accounting_rule( $$$$$$$$$ ) { sub setup_accounting() { - my $first_entry = 1; - my $fn = open_file 'accounting'; + first_entry "$doing $fn..."; + while ( read_a_line ) { my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File'; - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - if ( $action eq 'COMMENT' ) { process_comment; } else { diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm index b5f8b5e60..7c4236e00 100644 --- a/Shorewall-perl/Shorewall/Actions.pm +++ b/Shorewall-perl/Shorewall/Actions.pm @@ -25,9 +25,9 @@ # package Shorewall::Actions; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; -use Shorewall::Chains; +use Shorewall::Chains qw(:DEFAULT :internal); use strict; @@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels %macros ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.0.4; +our $VERSION = 4.0.6; # # Used Actions. Each action that is actually used has an entry with value 1. 
@@ -400,7 +400,7 @@ sub process_macro1 ( $$ ) { $targettype = 0 unless defined $targettype; fatal_error "Invalid target ($mtarget)" - unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ ) ); + unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) ); } progress_message " ..End Macro $macrofile"; @@ -418,7 +418,7 @@ sub process_action1 ( $$ ) { my $targettype = $targets{$target}; if ( defined $targettype ) { - return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & ( LOGRULE | NFQ ) ); + return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) ); fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD; @@ -640,7 +640,7 @@ sub process_action3( $$$$$ ) { if ( $action2type & ACTION ) { $target2 = (find_logactionchain ( $target = $target2 ))->{name}; } else { - fatal_error "Internal Error" unless $action2type == MACRO || $action2type & ( LOGRULE | NFQ ); + fatal_error "Internal Error" unless $action2type == MACRO || $action2type & ( LOGRULE | NFQ | CHAIN ); } } diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 06c5d0673..2db7678bf 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm 
@@ -27,116 +27,127 @@ package Shorewall::Chains; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; use Shorewall::IPAddrs; - use strict; our @ISA = qw(Exporter); -our @EXPORT = qw( STANDARD - NATRULE - BUILTIN - NONAT - NATONLY - REDIRECT - ACTION - MACRO - LOGRULE - NFQ - NO_RESTRICT - PREROUTE_RESTRICT - INPUT_RESTRICT - OUTPUT_RESTRICT - POSTROUTE_RESTRICT - ALL_RESTRICT - - process_comment - clear_comment - incr_cmd_level - decr_cmd_level - add_command - add_commands - mark_referenced +our @EXPORT = qw( add_rule insert_rule - chain_base - forward_chain - input_chain - output_chain - masq_chain - syn_flood_chain - mac_chain - macrecent_target - dynamic_fwd - dynamic_in - dynamic_out - dynamic_chains - dnat_chain - snat_chain - ecn_chain - first_chains new_chain - ensure_chain - ensure_filter_chain - ensure_mangle_chain - new_standard_chain - new_builtin_chain - initialize_chain_table - finish_section - setup_zone_mss - newexclusionchain - clearrule - validate_portrange - do_proto - mac_match - verify_mark - verify_small_mark - validate_mark - do_test - do_ratelimit - do_user - do_tos - match_source_dev - match_dest_dev - iprange_match - match_source_net - match_dest_net - match_orig_dest - match_ipsec_in - match_ipsec_out + new_manual_chain + ensure_manual_chain log_rule_limit - log_rule - expand_rule - addnatjump - insertnatjump - get_interface_address - get_interface_addresses - get_interface_bcasts - set_global_variables - create_netfilter_load - create_chainlist_reload %chain_table $nat_table $mangle_table $filter_table - $section - %sections - %targets ); -our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.0.5; + +our %EXPORT_TAGS = ( + internal => [ qw( STANDARD + NATRULE + BUILTIN + NONAT + NATONLY + REDIRECT + ACTION + MACRO + LOGRULE + NFQ + CHAIN + NO_RESTRICT + PREROUTE_RESTRICT + INPUT_RESTRICT + OUTPUT_RESTRICT + POSTROUTE_RESTRICT + ALL_RESTRICT + + add_command + add_commands + 
process_comment + clear_comment + incr_cmd_level + decr_cmd_level + chain_base + forward_chain + input_chain + output_chain + masq_chain + syn_flood_chain + mac_chain + macrecent_target + dynamic_fwd + dynamic_in + dynamic_out + dynamic_chains + dnat_chain + snat_chain + ecn_chain + first_chains + mark_referenced + ensure_chain + ensure_mangle_chain + new_standard_chain + new_builtin_chain + ensure_filter_chain + initialize_chain_table + finish_section + setup_zone_mss + newexclusionchain + clearrule + validate_port + proto_name + do_proto + mac_match + verify_mark + verify_small_mark + validate_mark + do_test + do_ratelimit + do_user + do_tos + match_source_dev + match_dest_dev + iprange_match + match_source_net + match_dest_net + match_orig_dest + match_ipsec_in + match_ipsec_out + log_rule + expand_rule + addnatjump + insertnatjump + get_interface_address + get_interface_addresses + get_interface_bcasts + set_global_variables + create_netfilter_load + create_chainlist_reload + $section + %sections + %targets + ) ], + ); + +Exporter::export_ok_tags('internal'); + +our $VERSION = 4.0.6; # # Chain Table # # %chain_table { => { => { name => # table =>
-# is_policy => 0|1
-# is_optional => 0|1
-# referenced => 0|1 -- If 1, will be written to the iptables-restore-input.
-# builtin => 0|1 -- If 1, one of Netfilter's built-in chains.
+# is_policy => undef|1 -- if 1, this is a policy chain
+# is_optional => undef|1 -- See below.
+# referenced => undef|1 -- If 1, will be written to the iptables-restore-input.
+# builtin => undef|1 -- If 1, one of Netfilter's built-in chains.
+# manual => undef|1 -- If 1, a manual chain.
 # log =>
 # policy =>
 # policychain => -- self-reference if this is a policy chain
@@ -156,7 +167,7 @@ our $VERSION = 4.0.5;
 # }
 #
 # 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
-# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are optional.
+# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with is_optional == 1.
 #
 # Only 'referenced' chains get written to the iptables-restore input.
 #
@@ -186,6 +197,7 @@ use constant { STANDARD => 1, #defined by Netfilter
 MACRO => 128, #A Macro
 LOGRULE => 256, #'LOG'
 NFQ => 512, #'NFQUEUE'
+ CHAIN => 1024, #Manual Chain
 };
 our %targets;
@@ -423,6 +435,7 @@ sub add_rule($$;$)
 if ( ++$count == 15 ) {
 if ( $separator eq ':' ) {
 unshift @ports, $port, ':';
+ chop $newports;
 last;
 } else {
 $newports .= $port;
@@ -676,6 +689,22 @@ sub new_standard_chain($) {
 $chainref;
 }
+sub new_manual_chain($) {
+ my $chain = $_[0];
+ fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
+ $targets{$chain} = CHAIN;
+ ( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
+ $chainref->{referenced} = 1;
+ $chainref;
+}
+
+sub ensure_manual_chain($) {
+ my $chain = $_[0];
+ my $chainref = $filter_table->{$chain} || new_manual_chain($chain);
+ fatal_error "$chain exists and is not a manual chain" unless $chainref->{manual};
+ $chainref;
+}
+
 #
 # Add all builtin chains to the chain table
 #
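Review bot: `new_manual_chain` accepts any string as the chain name and marks the chain `referenced`, so the name reaches the generated iptables-restore input verbatim; nothing in this hunk rejects names containing whitespace or exceeding iptables' chain-name length limit, and whether a caller validates them is not visible here. A guard such as `fatal_error "Invalid chain name ($chain)" unless $chain =~ /^[\w.-]+$/;` before the duplicate check would fail at compile time rather than at restore time. The two new subs also lack the header comment the surrounding code uses; something like `# Create a user-defined ("manual") filter chain; the name must not collide with a target or an existing chain` above `new_manual_chain` and `# Return the manual chain $chain, creating it if necessary; fatal if the name already belongs to a non-manual chain` above `ensure_manual_chain` would match the file's style.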
@@ -869,25 +898,6 @@ sub validate_portpair( $$ ) { } -sub validate_portrange( $$ ) { - my ($proto, $portpair) = @_; - - if ( $portpair =~ tr/-/-/ > 1 || substr( $portpair, 0, 1 ) eq '-' || substr( $portpair, -1, 1 ) eq '-' ) { - fatal_error "Invalid port range ($portpair)"; - } - - my @ports = split /-/, $portpair, 2; - - $_ = validate_port( proto_name( $proto ), $_) for ( @ports ); - - if ( @ports == 2 ) { - fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1]; - } - - join '-', @ports; - -} - sub validate_port_list( $$ ) { my $result = ''; my ( $proto, $list ) = @_; @@ -1208,7 +1218,11 @@ sub match_dest_dev( $ ) { my $interface = shift; my $interfaceref = find_interface( $interface ); if ( $interfaceref && $interfaceref->{options}{port} ) { - "-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; + if ( $capabilities{PHYSDEV_BRIDGE} ) { + "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface "; + } else { + "-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; + } } else { "-o $interface "; } diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index e1e70ed51..0d03eb06e 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -24,8 +24,8 @@ package Shorewall::Compiler; require Exporter; -use Shorewall::Config; -use Shorewall::Chains; +use Shorewall::Config qw(:DEFAULT :internal); +use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::Zones; use Shorewall::Policy; use Shorewall::Nat; @@ -41,7 +41,7 @@ use Shorewall::Proxyarp; our @ISA = qw(Exporter); our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG ); our @EXPORT_OK = qw( $export ); -our $VERSION = 4.0.4; +our $VERSION = 4.0.6; our $export; 
@@ -133,6 +133,8 @@ sub generate_script_1() { propagateconfig; + my @dont_load = split /,/, $config{DONT_LOAD}; + emit ( '[ -n "${COMMAND:=restart}" ]', '[ -n "${VERBOSE:=0}" ]', qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]), @@ -140,6 +142,7 @@ sub generate_script_1() { qq(VERSION="$globals{VERSION}") , qq(PATH="$config{PATH}") , 'TERMINATOR=fatal_error' , + qq(DONT_LOAD="@dont_load") , '' ); @@ -735,6 +738,10 @@ sub compiler( $$$$$ ) { generate_script_1; } + # + # Allow user to load Perl modules + # + run_user_exit1 'compile'; # # Process the zones file. # diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 0990b8ed5..cac30b969 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm 
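Review bot: `my @dont_load = split /,/, $config{DONT_LOAD};` does not trim whitespace, so a setting written as `DONT_LOAD=foo, bar` yields the element ` bar`, which will not match a module name; `split /\s*,\s*/, $config{DONT_LOAD}` handles both spellings. The same untrimmed split is used to seed `%loadedmodules` in the `load_kernel_modules` hunk of Shorewall/Config.pm, so the two would disagree with the user's intent in the same way. The new `run_user_exit1 'compile';` call deserves a fuller comment than "Allow user to load Perl modules", e.g. `# Run the user's 'compile' extension script, if any, before the zones file is processed; it executes with the compiler's privileges`, since that is the property an administrator needs to know when deciding who may write the file.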
@@ -36,65 +36,73 @@ use File::Basename; use File::Temp qw/ tempfile tempdir /; use Cwd qw(abs_path getcwd); use autouse 'Carp' => qw(longmess confess); +use Scalar::Util 'reftype'; our @ISA = qw(Exporter); # # Imported variables should be treated as read-only by importers # our @EXPORT = qw( - create_temp_object - finalize_object - emit - emit_unindented - save_progress_message - save_progress_message_short - set_timestamp - set_verbose - set_command + warning_message + fatal_error progress_message progress_message2 progress_message3 - push_indent - pop_indent - copy - create_temp_aux_config - finalize_aux_config - warning_message - fatal_error - set_shorewall_dir - set_debug - find_file - split_line - split_line1 - split_line2 - open_file - close_file - push_open - pop_open - read_a_line - validate_level - qt - ensure_config_path - get_configuration - require_capability - report_capabilities - propagateconfig - append_file - run_user_exit - run_user_exit1 - run_user_exit2 - generate_aux_config + ); - $command - $doing - $done - $currentline - %config - %globals - %capabilities ); +our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall); -our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path ); -our $VERSION = 4.0.5; +our %EXPORT_TAGS = ( internal => [ qw( create_temp_object + finalize_object + emit + emit_unindented + save_progress_message + save_progress_message_short + set_timestamp + set_verbose + set_command + push_indent + pop_indent + copy + create_temp_aux_config + finalize_aux_config + set_shorewall_dir + set_debug + find_file + split_line + split_line1 + split_line2 + first_entry + open_file + close_file + push_open + pop_open + read_a_line + validate_level + qt + ensure_config_path + get_configuration + require_capability + report_capabilities + propagateconfig + append_file + run_user_exit + run_user_exit1 + run_user_exit2 + generate_aux_config + + $command + $doing + $done + $currentline + %config + 
%globals + %capabilities + ) ] ); + +Exporter::export_ok_tags('internal'); + +our $VERSION = 4.0.6; # # describe the current command, it's present progressive, and it's completion. @@ -156,6 +164,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', USEPKTTYPE => 'Packet Type Match', POLICY_MATCH => 'Policy Match', PHYSDEV_MATCH => 'Physdev Match', + PHYSDEV_BRIDGE => 'Physdev-is-bridged support', LENGTH_MATCH => 'Packet length Match', IPRANGE_MATCH => 'IP Range Match', RECENT_MATCH => 'Recent Match', @@ -197,6 +206,10 @@ our $currentline; # Current config file line image our $currentfile; # File handle reference our $currentfilename; # File NAME our $currentlinenumber; # Line number +our $scriptfile; # File Handle Reference to current temporary file being written by an in-line Perl script +our $scriptfilename; # Name of that file. +our @tempfiles; # Files that need unlinking at END +our $first_entry; # Message to output or function to call on first non-blank line of a file our $shorewall_dir; # Shorewall Directory @@ -230,8 +243,8 @@ sub initialize() { ORIGINAL_POLICY_MATCH => '', LOGPARMS => '', TC_SCRIPT => '', - VERSION => '4.0.5', - CAPVERSION => 40003 , + VERSION => '4.0.6', + CAPVERSION => 40006 , ); # # From shorewall.conf file @@ -324,6 +337,7 @@ sub initialize() { KEEP_RT_TABLES => undef, DELETE_THEN_ADD => undef, MULTICAST => undef, + DONT_LOAD => '', # # Packet Disposition # @@ -344,6 +358,7 @@ sub initialize() { USEPKTTYPE => undef, POLICY_MATCH => undef, PHYSDEV_MATCH => undef, + PHYSDEV_BRIDGE => undef, LENGTH_MATCH => undef, IPRANGE_MATCH => undef, RECENT_MATCH => undef, @@ -385,6 +400,7 @@ sub initialize() { $currentfile = undef; # File handle reference $currentfilename = ''; # File NAME $currentlinenumber = 0; # Line number + $first_entry = 0; # Message to output or function to call on first non-blank file entry $shorewall_dir = ''; #Shorewall Directory 
@@ -403,11 +419,15 @@ sub warning_message my $linenumber = $currentlinenumber || 1; my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : ''; + $| = 1; + if ( $debug ) { print STDERR longmess( " WARNING: @_$currentlineinfo" ); } else { print STDERR " WARNING: @_$currentlineinfo\n"; } + + $| = 0; } # @@ -416,10 +436,17 @@ sub warning_message sub fatal_error { my $linenumber = $currentlinenumber || 1; my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : ''; + $| = 1; confess " ERROR: @_$currentlineinfo" if $debug; die " ERROR: @_$currentlineinfo\n"; } +sub fatal_error1 { + $| = 1; + confess " ERROR: @_" if $debug; + die " ERROR: @_\n"; +} + # # Write the arguments to the object file (if any) with the current indentation. # @@ -792,6 +819,19 @@ sub open_file( $ ) { do_open_file $fname if -f $fname && -s _; } +# +# Pop the include stack +# +sub pop_include() { + my $arrayref = pop @includestack; + + if ( $arrayref ) { + ( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref; + } else { + $currentfile = undef; + } +} + # # This function is normally called below in read_a_line() when EOF is reached. Clients of the # module may also call the function to close the file before EOF @@ -799,15 +839,14 @@ sub open_file( $ ) { sub close_file() { if ( $currentfile ) { - close $currentfile; + my $result = close $currentfile; - my $arrayref = pop @includestack; + pop_include; + + fatal_error "SHELL Script failed" unless $result; + + $first_entry = 0; - if ( $arrayref ) { - ( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref; - } else { - $currentfile = undef; - } } } 
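Review bot: `warning_message` now sets `$| = 1` and then unconditionally resets it to `$| = 0`, which clobbers autoflush if a caller had already enabled it, and `fatal_error`/`fatal_error1` set it without restoring at all. `local $| = 1;` at the top of each sub gives the same flush-before-print effect and restores the caller's setting on exit. The new `fatal_error1` would also benefit from a one-line comment such as `# Like fatal_error() but without the current-file/line suffix; used when the message already carries its own location` so readers know when to choose it.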
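Review bot: `close_file` now reports every false return from `close $currentfile` as "SHELL Script failed", but the handle may be a regular file or the Perl-script temp file, for which a failed close means an I/O error, not a failed script; for the pipe case the exit status in `$?` is not shown either. Capturing the status before `pop_include` changes the file name, e.g. `my $status = $?;` followed by `fatal_error "Script failed (exit status " . ( $status >> 8 ) . ")" unless $result;`, would give a diagnosable message. The `$first_entry = 0;` reset is correct but undocumented; a trailing comment `# a later file must announce itself again` would make its purpose clear.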
@@ -828,13 +867,143 @@ sub push_open( $ ) { sub pop_open() { @includestack = @{pop @openstack}; + pop_include; +} - my $arrayref = pop @includestack; +sub shorewall { + unless ( $scriptfile ) { + fatal_error "shorewall() may not be called in this context" unless $currentfile; - if ( $arrayref ) { - ( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref; - } else { + $dir ||= '/tmp/'; + + eval { + ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir ); + }; + + fatal_error "Unable to create temporary file in directory $dir" if $@; + } + + print $scriptfile "@_\n"; +} + +# +# We don't announce that we are checking/compiling a file until we determine that the file contains +# at least one non-blank, non-commentary line. +# +# The argument to this function may be either a scalar or a function reference. When the first +# non-blank/non-commentary line is reached: +# +# - if a function reference was passed to first_entry(), that function is called +# - otherwise, the argument to first_entry() is passed to progress_message2(). +# +# We do this processing in read_a_line() rather than in the higher-level routines because +# Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement +# until we get back to the caller of read_a_line(), we could issue error messages about parsing and +# running scripts in the file before we'd even indicated that we are processing it. 
+# +sub first_entry( $ ) { + $first_entry = $_[0]; + my $reftype = reftype $first_entry; + if ( $reftype ) { + fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE'; + } +} + +sub embedded_shell( $ ) { + my $multiline = shift; + + fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; + my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber ); + + if ( $multiline ) { + # + # Multi-line script + # + fatal_error "Invalid BEGIN SHELL directive" unless $currentline =~ /^\s*$/; + $command .= "\n"; + + my $last = 0; + + while ( <$currentfile> ) { + $currentlinenumber++; + last if $last = s/^\s*END(\s+SHELL)?\s*;?//; + $command .= $_; + } + + fatal_error ( "Missing END SHELL" ) unless $last; + fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/; + } + + $command .= q('); + + push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; + $currentfile = undef; + open $currentfile , '-|', $command or fatal_error qq(Shell Command failed); + $currentfilename = "SHELL\@$currentfilename:$currentlinenumber"; + $currentline = ''; + $currentlinenumber = 0; +} + +sub embedded_perl( $ ) { + my $multiline = shift; + + my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber ); + + if ( $multiline ) { + # + # Multi-line script + # + fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/; + $command .= "\n"; + + my $last = 0; + + while ( <$currentfile> ) { + $currentlinenumber++; + last if $last = s/^\s*END(\s+PERL)?\s*;?//; + $command .= $_; + } + + fatal_error ( "Missing END PERL" ) unless $last; + fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/; + } + + unless (my $return = eval $command ) { + if ( $@ ) { + # + # Perl found the script offensive or the script itself died + # + $@ =~ s/, <\$currentfile> line \d+//g; + fatal_error1 "$@"; + } + + 
unless ( defined $return ) { + fatal_error "Perl Script failed: $!" if $!; + fatal_error "Perl Script failed"; + } + + fatal_error "Perl Script Returned False"; + } + + if ( $scriptfile ) { + fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; + + close $scriptfile or fatal_error "Internal Error in embedded_perl()"; + + $scriptfile = undef; + + push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; $currentfile = undef; + + open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename"; + + push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin + + $scriptfilename = ''; + + $currentfilename = "PERL\@$currentfilename:$linenumber"; + $currentline = ''; + $currentlinenumber = 0; } } @@ -844,6 +1013,7 @@ sub pop_open() { # - Ignore blank or comment-only lines. # - Remove trailing comments. # - Handle Line Continuation +# - Handle embedded SHELL and PERL scripts # - Expand shell variables from $ENV. # - Handle INCLUDE # 
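Review bot: `embedded_shell` wraps the script in single quotes (`"/bin/sh -c '$currentline"` … `$command .= q(')`) and hands the whole string to `open $currentfile, '-|', $command`, so Perl runs it through a shell which then runs a second shell; any `'` in the embedded script ends the quoted string and the remainder is parsed by the outer shell, producing confusing failures for legitimate scripts. The list form avoids the extra shell and the quoting entirely: keep the script text in `$command` without the `/bin/sh -c '` prefix and suffix and open it with `open $currentfile, '-|', '/bin/sh', '-c', $command or fatal_error qq(Shell Command failed);`. `$linenumber` is assigned in `embedded_shell` but never used (unlike `embedded_perl`, which uses it for the `PERL@` pseudo-filename), and both loops read and modify the global `$_`, which a `local $_;` in each sub would contain. The string `eval $command` in `embedded_perl` is the intended feature, but the module lacks a comment stating that SHELL and PERL directives execute configuration content with the compiler's privileges, which is the property that determines who may write these files.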
@@ -871,40 +1041,57 @@ sub read_a_line() { # Ignore ( concatenated ) Blank Lines # $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/; - # - # Expand Shell Variables using %ENV + # Line not blank -- Handle any first-entry message/capabilities check # - # $1 $2 $3 - $4 - while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) { - my $val = $ENV{$3}; - $val = '' unless defined $val; - $currentline = join( '', $1 , $val , $4 ); + if ( $first_entry ) { + reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry ); + $first_entry = 0; } - - if ( $currentline =~ /^\s*INCLUDE\s/ ) { - - my @line = split ' ', $currentline; - - fatal_error "Invalid INCLUDE command" if @line != 2; - fatal_error "INCLUDEs nested too deeply" if @includestack >= 4; - - my $filename = find_file $line[1]; - - fatal_error "INCLUDE file $filename not found" unless -f $filename; - fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _; - - if ( -s _ ) { - push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; - $currentfile = undef; - do_open_file $filename; - } else { - $currentlinenumber = 0; - } - - $currentline = ''; + # + # Must check for shell/perl before doing variable expansion + # + if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) { + embedded_shell( $1 ); + } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) { + embedded_perl( $1 ); } else { - return 1; + my $count = 0; + # + # Expand Shell Variables using %ENV + # + # $1 $2 $3 - $4 + while ( $currentline =~ m( ^(.*?) \$({)? 
([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) { + my $val = $ENV{$3}; + $val = '' unless defined $val; + $currentline = join( '', $1 , $val , $4 ); + fatal_error "Variable Expansion Loop" if ++$count > 100; + } + + if ( $currentline =~ /^\s*INCLUDE\s/ ) { + + my @line = split ' ', $currentline; + + fatal_error "Invalid INCLUDE command" if @line != 2; + fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4; + + my $filename = find_file $line[1]; + + fatal_error "INCLUDE file $filename not found" unless -f $filename; + fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _; + + if ( -s _ ) { + push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ]; + $currentfile = undef; + do_open_file $filename; + } else { + $currentlinenumber = 0; + } + + $currentline = ''; + } else { + return 1; + } } } @@ -1085,6 +1272,10 @@ sub load_kernel_modules( ) { if ( $moduleloader && open_file 'modules' ) { my %loadedmodules; + for ( split /,/, $config{DONT_LOAD} ) { + $loadedmodules{$_} = 1; + } + progress_message "Loading Modules..."; open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod"; @@ -1155,7 +1346,8 @@ sub determine_capabilities( $ ) { $capabilities{POLICY_MATCH} = qt( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" ); if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) { - $capabilities{PHYSDEV_MATCH} = 1; + $capabilities{PHYSDEV_MATCH} = 1; + $capabilities{PHYSDEV_BRIDGE} = qt( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" ); unless ( $capabilities{KLUDGEFREE} ) { $capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); } 
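Review bot: The directive test `s/^\s*(BEGIN\s+)?SHELL\s*;?//` has no boundary after the keyword, so any entry whose first column merely starts with `SHELL` or `PERL` is handed to embedded_shell()/embedded_perl() instead of being parsed as data; `s/^\s*(BEGIN\s+)?SHELL(?=\s|;|$)\s*;?//` (and the same for `PERL`) limits it to the bare keyword. The "Must check for shell/perl before doing variable expansion" comment is right but does not say why; I would extend it to `# ... so that %ENV values are never interpolated into the command string that embedded_shell()/embedded_perl() builds`. The `fatal_error "Variable Expansion Loop" if ++$count > 100;` guard is a good addition, since an environment value containing another `$NAME` reference would otherwise re-enter the loop.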
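Review bot: `split /,/, $config{DONT_LOAD}` emits "Use of uninitialized value" under `use warnings` when DONT_LOAD is absent from shorewall.conf and no `default` for it is visible in this commit; `for ( split /,/, $config{DONT_LOAD} || '' )` avoids that. The entries are not trimmed either, so `DONT_LOAD=a, b` records ` b` rather than `b` in `%loadedmodules` and the second module is still loaded. load_kernel_modules() continues outside the hunk.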
@@ -1389,12 +1581,20 @@ sub get_configuration( $ ) { my $export = $_[0]; + our ( $once, @originalinc ); + + @originalinc = @INC unless $once++; + ensure_config_path; process_shorewall_conf; ensure_config_path; + @INC = @originalinc; + + unshift @INC, @config_path; + default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'; default 'MODULE_PREFIX', 'o gz ko o.gz ko.gz'; @@ -1641,10 +1841,17 @@ sub run_user_exit( $ ) { if ( -f $file ) { progress_message "Processing $file..."; - unless (my $return = eval `cat $file` ) { + my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`; + + unless (my $return = eval $command ) { fatal_error "Couldn't parse $file: $@" if $@; - fatal_error "Couldn't do $file: $!" unless defined $return; - fatal_error "Couldn't run $file"; + + unless ( defined $return ) { + fatal_error "Couldn't do $file: $!" if $!; + fatal_error "Couldn't do $file"; + } + + fatal_error "$file returned a false value"; } } } @@ -1662,14 +1869,21 @@ sub run_user_exit1( $ ) { if ( read_a_line ) { close_file; - unless (my $return = eval `cat $file` ) { - fatal_error "Couldn't parse $file: $@" if $@; - fatal_error "Couldn't do $file: $!" unless defined $return; - fatal_error "Couldn't run $file"; - } - } + my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`; - pop_open; + unless (my $return = eval $command ) { + fatal_error "Couldn't parse $file: $@" if $@; + + unless ( defined $return ) { + fatal_error "Couldn't do $file: $!" if $!; + fatal_error "Couldn't do $file"; + } + + fatal_error "$file returned a false value"; + } + } else { + pop_open; + } } } 
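Review bot: `unshift @INC, @config_path;` puts the configuration directories ahead of Perl's own library path, so every `use`/`require` evaluated afterwards — including those in embedded PERL scripts and user exits — resolves against CONFIG_PATH first, and a Shorewall/*.pm placed in a configuration directory would shadow the installed compiler modules. If the intent is only to let scripts find helper modules next to the configuration, `push @INC, @config_path;` gives the same reach without the precedence; either way the choice deserves a comment such as `# CONFIG_PATH directories are searched before the system library path`. `our ( $once, @originalinc );` inside the sub works, but it is file-level state; declaring it with the package's other `our` variables would make the reset-on-reentry logic easier to find.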
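Review bot: The new `$command` line still reads the exit file through the shell with `` `cat $file` ``, so the path is interpolated into a shell command and the read has no error check — an unreadable file yields an empty string, evaluates to undef and is then reported as "Couldn't do". Reading it directly, `open my $fh, '<', $file or fatal_error "Unable to open $file: $!"; my $script = do { local $/; <$fh> }; close $fh;` and prepending the `package Shorewall::User;` header to `$script`, removes the shell round-trip and surfaces the real error; run_user_exit1() and run_user_exit2() in the next hunks use the same construct. `$!` is not reset by a successful `eval`, so `fatal_error "Couldn't do $file: $!" if $!` can report a stale errno from an earlier call; setting `$! = 0;` before the `eval` makes that test meaningful.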
@@ -1688,8 +1902,13 @@ sub run_user_exit2( $$ ) { unless (my $return = eval `cat $file` ) { fatal_error "Couldn't parse $file: $@" if $@; - fatal_error "Couldn't do $file: $!" unless defined $return; - fatal_error "Couldn't run $file"; + + unless ( defined $return ) { + fatal_error "Couldn't do $file: $!" if $!; + fatal_error "Couldn't do $file"; + } + + fatal_error "$file returned a false value"; } } @@ -1733,10 +1952,17 @@ sub generate_aux_config() { } END { - if ( $object ) { - close $object; - unlink $tempfile; - } + # + # Close files first in case we're running under Cygwin + # + close $object if $object; + close $scriptfile if $scriptfile; + # + # Unlink temporary files + # + unlink $tempfile if $tempfile; + unlink $scriptfilename if $scriptfilename; + unlink $_ for @tempfiles; } 1; diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm index 9f6f47ae6..3ddcd4fa6 100644 --- a/Shorewall-perl/Shorewall/Nat.pm +++ b/Shorewall-perl/Shorewall/Nat.pm @@ -25,10 +25,10 @@ # package Shorewall::Nat; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::IPAddrs; use Shorewall::Zones; -use Shorewall::Chains; +use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::IPAddrs; use strict; @@ -36,7 +36,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses ); our @EXPORT_OK = (); -our $VERSION = 4.0.3; +our $VERSION = 4.0.6; our @addresses_to_add; our %addresses_to_add; 
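Review bot: The `$command` prelude here is `package Shorewall::User;\n# line 1 "$file"\n`, while run_user_exit() in the previous hunk also inserts `no strict;`, so an exit loaded through this path is compiled under the `use strict` in effect for the enclosing `eval` and one loaded through run_user_exit() is not; the same exit file can succeed in one and fail in the other. If the difference is deliberate it needs a comment, otherwise `my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;` aligns the two. Moving `pop_open` into the `else` branch changes when the include stack is unwound; a comment noting that close_file() already does that on the `read_a_line` path (if that is the case) would save the next reader a trip through Config.pm.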
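Review bot: `close $object if $object;` in the new END block discards the return value, and `$object` is the handle the generated script is written to, so a buffered write that fails at close goes unreported unless the normal path already closes and checks it elsewhere. A comment such as `# END is a cleanup path only; the checked close of $object happens in the normal flow` would settle that for readers, or `close $object or warning_message "..."` if it is not. `unlink $_ for @tempfiles;` can simply be `unlink @tempfiles;` since unlink takes a list.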
@@ -188,49 +188,60 @@ sub setup_one_masq($$$$$$$) my $detectaddress = 0; my $exceptionrule = ''; + my $randomize = ''; # # Parse the ADDRESSES column # if ( $addresses ne '-' ) { - if ( $addresses =~ /^SAME:nodst:/ ) { - $target = '-j SAME --nodst '; - $addresses =~ s/.*://; - for my $addr ( split /,/, $addresses ) { - $target .= "--to $addr "; - } - } elsif ( $addresses =~ /^SAME:/ ) { - $target = '-j SAME '; - $addresses =~ s/.*://; - for my $addr ( split /,/, $addresses ) { - $target .= "--to $addr "; - } - } elsif ( $addresses eq 'detect' ) { - my $variable = get_interface_address $interface; - $target = "-j SNAT --to-source $variable"; - - if ( interface_is_optional $interface ) { - add_commands( $chainref, - '', - "if [ \"$variable\" != 0.0.0.0 ]; then" ); - incr_cmd_level( $chainref ); - $detectaddress = 1; - } + if ( $addresses eq 'random' ) { + $randomize = '--random '; } else { - my $addrlist = ''; - for my $addr ( split /,/, $addresses ) { - if ( $addr =~ /^.*\..*\..*\./ ) { - $target = '-j SNAT '; - $addrlist .= "--to-source $addr "; - $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/; - } else { - $addr =~ s/^://; - $addrlist .= "--to-ports $addr "; - $exceptionrule = do_proto( $proto, '', '' ); - } - } + $addresses =~ s/:random$// and $randomize = '--random '; - $target .= $addrlist; + if ( $addresses =~ /^SAME:nodst:/ ) { + fatal_error "':random' is not supported by the SAME target" if $randomize; + $target = '-j SAME --nodst '; + $addresses =~ s/.*://; + for my $addr ( split /,/, $addresses ) { + $target .= "--to $addr "; + } + } elsif ( $addresses =~ /^SAME:/ ) { + fatal_error "':random' is not supported by the SAME target" if $randomize; + $target = '-j SAME '; + $addresses =~ s/.*://; + for my $addr ( split /,/, $addresses ) { + $target .= "--to $addr "; + } + } elsif ( $addresses eq 'detect' ) { + my $variable = get_interface_address $interface; + $target = "-j SNAT --to-source $variable"; + + if ( interface_is_optional $interface ) { 
+ add_commands( $chainref, + '', + "if [ \"$variable\" != 0.0.0.0 ]; then" ); + incr_cmd_level( $chainref ); + $detectaddress = 1; + } + } else { + my $addrlist = ''; + for my $addr ( split /,/, $addresses ) { + if ( $addr =~ /^.*\..*\..*\./ ) { + $target = '-j SNAT '; + $addrlist .= "--to-source $addr "; + $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/; + } else { + $addr =~ s/^://; + $addrlist .= "--to-ports $addr "; + $exceptionrule = do_proto( $proto, '', '' ); + } + } + + $target .= $addrlist; + } } + + $target .= $randomize; } else { $add_snat_aliases = 0; } @@ -284,18 +295,12 @@ sub setup_one_masq($$$$$$$) # sub setup_masq() { - my $first_entry = 1; - my $fn = open_file 'masq'; + first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } ); + while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - require_capability( 'NAT_ENABLED' , 'a non-empty masq file' , 's' ); - $first_entry = 0; - } - my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file'; if ( $fullinterface eq 'COMMENT' ) { @@ -395,18 +400,12 @@ sub do_one_nat( $$$$$ ) # sub setup_nat() { - my $first_entry = 1; - my $fn = open_file 'nat'; + first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } ); + while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - require_capability( 'NAT_ENABLED' , 'a non-empty nat file', 's' ); - $first_entry = 0; - } - my ( $external, $interface, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file'; if ( $external eq 'COMMENT' ) { 
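Review bot: In the `detect` branch `$target = "-j SNAT --to-source $variable";` has no trailing space, unlike every other assignment to `$target` in this block, so the later `$target .= $randomize;` produces `--to-source <addr>--random` and the generated iptables command fails for `detect:random`. `$target = "-j SNAT --to-source $variable ";` fixes it. The `random`-only case leaves `$target` at its initial value, which is outside the hunk, so I cannot confirm that `--random` is appended after a space there as well.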
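Review bot: `first_entry( sub { ... } )` registers a callback that read_a_line() runs on the first non-blank line, but nothing in this hunk clears `$first_entry` when the masq file has no entries; unless open_file() or close_file() resets it, the stale callback would fire on the first line of the next file read and run `require_capability 'NAT_ENABLED'` for it. Worth confirming in Config.pm and documenting on first_entry() that the registration is per open file, e.g. `# The callback/message applies to the file currently open; it is discarded when that file is closed`. The same question applies to setup_nat(), setup_netmap(), validate_policy() and the other first_entry conversions in this commit.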
@@ -425,17 +424,11 @@ sub setup_nat() { # sub setup_netmap() { - my $first_entry = 1; - my $fn = open_file 'netmap'; - while ( read_a_line ) { + first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } ); - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' , 's' ); - $first_entry = 0; - } + while ( read_a_line ) { my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file'; diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index 4f10b0848..92a1ccda9 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm @@ -24,9 +24,9 @@ # package Shorewall::Policy; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; -use Shorewall::Chains; +use Shorewall::Chains qw( :DEFAULT :internal) ; use Shorewall::Actions; use strict; @@ -34,7 +34,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains ); our @EXPORT_OK = qw( ); -our $VERSION = 4.0.5; +our $VERSION = 4.0.6; # @policy_chains is a list of references to policy chains in the filter table @@ -207,15 +207,10 @@ sub validate_policy() my $fn = open_file 'policy'; - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ( $client, $server, $policy, $loglevel, $synparams ) = split_line 3, 5, 'policy file'; $loglevel = '' if $loglevel eq '-'; diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index 383fea190..87c3b0ac6 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm 
@@ -27,9 +27,8 @@ # package Shorewall::Proc; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; -use Shorewall::Chains; use strict; @@ -42,7 +41,7 @@ our @EXPORT = qw( setup_forwarding ); our @EXPORT_OK = qw( ); -our $VERSION = 4.0.1; +our $VERSION = 4.0.6; # # ARP Filtering diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm index 2d434caad..16f1d31de 100644 --- a/Shorewall-perl/Shorewall/Providers.pm +++ b/Shorewall-perl/Shorewall/Providers.pm @@ -25,17 +25,17 @@ # package Shorewall::Providers; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::IPAddrs; use Shorewall::Zones; -use Shorewall::Chains; +use Shorewall::Chains qw(:DEFAULT :internal); use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_providers @routemarked_interfaces); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.0.3; +our $VERSION = 4.0.6; use constant { LOCAL_NUMBER => 255, MAIN_NUMBER => 254, @@ -83,8 +83,7 @@ INIT { # Set up marking for 'tracked' interfaces. Unlike in Shorewall 3.x, we add these rules unconditionally, even if the associated interface isn't up. # sub setup_route_marking() { - my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF'; - my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark'; + my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF'; require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' ); require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' ); 
@@ -96,7 +95,7 @@ sub setup_route_marking() { while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) { add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark"; - add_rule $chainref, " -i $interface -j MARK $mark_op $mark"; + add_rule $chainref, " -i $interface -j MARK --set-mark $mark"; } add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask"; @@ -476,17 +475,12 @@ sub setup_providers() { if ( $fn ) { - my $first_entry = 0; - + first_entry "$doing $fn..."; + emit ''; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file'; add_an_rtrule( $source, $dest, $provider , $priority ); diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm index ad7c7af9f..82b9c7fbd 100644 --- a/Shorewall-perl/Shorewall/Proxyarp.pm +++ b/Shorewall-perl/Shorewall/Proxyarp.pm @@ -23,7 +23,7 @@ # package Shorewall::Proxyarp; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; use strict; @@ -35,7 +35,7 @@ our @EXPORT = qw( ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.0.1; +our $VERSION = 4.0.6; our @proxyarp; diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 8c8936195..81333c34f 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -24,10 +24,10 @@ # package Shorewall::Rules; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::IPAddrs; use Shorewall::Zones; -use Shorewall::Chains; +use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::Actions; use Shorewall::Policy; use Shorewall::Proc; 
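Review bot: `-j MARK --set-mark $mark` now overwrites the whole packet mark on the tracked interface, whereas the removed `--or-mark` variant kept bits outside the routing mask; with HIGH_ROUTE_MARKS the routing mark lives in 0xFF00 and any low-order mark already set in PREROUTING is lost here. The matching removals in Tc.pm, lib.providers and lib.tcrules suggest a deliberate rollback rather than an oversight, so a one-line comment such as `# --set-mark is used unconditionally; low-order mark bits are not preserved when HIGH_ROUTE_MARKS=Yes` would keep the next maintainer from re-adding it.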
@@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos dump_rule_chains ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = 4.0.5; +our $VERSION = 4.0.6; # # Keep track of chains for the /var/lib/shorewall[-lite]/chains file @@ -95,20 +95,17 @@ sub process_tos() { if ( my $fn = open_file 'tos' ) { my $first_entry = 1; - + my ( $pretosref, $outtosref ); + first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } ); + while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $pretosref = ensure_chain 'mangle' , $chain; - $outtosref = ensure_chain 'mangle' , 'outtos'; - $first_entry = 0; - } - my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry'; + $first_entry = 0; + fatal_error "A value must be supplied in the TOS column" if $tos eq '-'; if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) { @@ -166,15 +163,10 @@ sub setup_ecn() if ( my $fn = open_file 'ecn' ) { - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry'; fatal_error "Unknown interface ($interface)" unless known_interface $interface; @@ -229,15 +221,10 @@ sub setup_rfc1918_filteration( $ ) { my $fn = open_file 'rfc1918'; - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ( $networks, $target ) = split_line 2, 2, 'rfc1918 file'; my $s_target; @@ -297,6 +284,8 @@ sub setup_blacklist() { if ( my $fn = open_file 'blacklist' ) { my $first_entry = 1; + + first_entry "$doing $fn..."; while ( read_a_line ) { @@ -307,7 +296,6 @@ sub setup_blacklist() { last BLACKLIST; } - progress_message2 "$doing $fn..."; $first_entry = 0; } 
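Review bot: `my $first_entry = 1;` and `$first_entry = 0;` survive in process_tos() although the progress message and ensure_chain calls moved into the first_entry() closure, so the lexical is now written and never read; dropping both lines completes the conversion the other files in this commit made. Note that the closure captures `$pretosref` and `$outtosref`, so they stay undef until read_a_line() has delivered the first entry — fine for the loop body, but anything after the loop that used them with an empty tos file would see undef. The loop body continues outside the hunk.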
@@ -353,17 +341,12 @@ sub process_criticalhosts() { my $fn = open_file 'routestopped'; - my $first_entry = 1; + first_entry "$doing $fn for critical hosts..."; while ( read_a_line ) { my $routeback = 0; - if ( $first_entry ) { - progress_message2 "$doing $fn for critical hosts..."; - $first_entry = 0; - } - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; fatal_error "Unknown interface ($interface)" unless known_interface $interface; @@ -399,17 +382,12 @@ sub process_routestopped() { my $fn = open_file 'routestopped'; - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { my $routeback = 0; - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file'; fatal_error "Unknown interface ($interface)" unless known_interface $interface; @@ -724,15 +702,10 @@ sub setup_mac_lists( $ ) { my $fn = open_file 'maclist'; - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ( $disposition, $interface, $mac, $addresses ) = split_line1 3, 4, 'maclist file'; if ( $disposition eq 'COMMENT' ) { @@ -937,7 +910,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { if ( $actiontype == MACRO ) { # - # Will call process_rule1() recursively for each rule in the macro body + # process_macro() will call process_rule1() recursively for each rule in the macro body # fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL; @@ -975,7 +948,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq ''; } # - # We can now dispense with the postfix characters + # We can now dispense with the postfix character # $action =~ s/[\+\-!]$//; # 
@@ -992,7 +965,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # if ( $actiontype & REDIRECT ) { if ( $dest eq '-' ) { - $dest = firewall_zone; + $dest = join( '', firewall_zone, '::' , $ports =~ /[:,]/ ? '' : $ports ); } else { $dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /:/; } @@ -1050,6 +1023,11 @@ sub process_rule1 ( $$$$$$$$$$$ ) { } } + # + # For compatibility with older Shorewall versions + # + $origdest = ALLIPv4 if $origdest eq 'all'; + # # Take care of chain # @@ -1079,17 +1057,13 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # $chainref = ensure_filter_chain $chain, 1; # - # For compatibility with older Shorewall versions - # - $origdest = ALLIPv4 if $origdest eq 'all'; - # # Generate Fixed part of the rule # $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) ); unless ( $section eq 'NEW' ) { fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT}; - fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT; + fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT ); $rule .= "-m state --state $section " } 
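Review bot: `join( '', firewall_zone, '::' , $ports =~ /[:,]/ ? '' : $ports )` yields `<fw>::-` when DEST is `-` and the PORT column is also `-`, and if that reaches the `/^(.*)(:(.+))$/` server-port parser further down it would be validated as the port `-`; `( $ports =~ /[:,]/ || $ports eq '-' ) ? '' : $ports` keeps the plain `zone::` form in that case. I am inferring from the regex that lists and ranges are excluded because the REDIRECT target takes a single port; a comment stating that intent would help.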
@@ -1098,23 +1072,42 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # if ( $actiontype & NATRULE ) { my ( $server, $serverport ); - fatal_error "$target rules not allowed in the $section SECTION" if $section ne 'NEW'; + my $randomize = $dest =~ s/:random$// ? '--random ' : ''; + require_capability( 'NAT_ENABLED' , "$basictarget rules", '' ); # - # Isolate server port + # Isolate server port # if ( $dest =~ /^(.*)(:(.+))$/ ) { - $server = $1; - $serverport = validate_portrange $proto, $3; + # + # Server IP and Port + # + $server = $1; # May be empty + $serverport = $3; # Not Empty due to RE + if ( $serverport =~ /^(\d+)-(\d+)$/ ) { + # + # Server Port Range + # + fatal_error "Invalid port range ($serverport)" unless $1 < $2; + my @ports = ( $1, $2 ); + $_ = validate_port( proto_name( $proto ), $_) for ( @ports ); + ( $ports = $serverport ) =~ tr/-/:/; + } else { + $serverport = $ports = validate_port( proto_name( $proto ), $serverport ); + } + } elsif ( $dest eq ':' ) { + # + # Rule with no server IP or port ( zone:: ) + # + $server = $serverport = ''; } else { + # + # Simple server IP address (may be empty or "-") + # $server = $dest; $serverport = ''; } - # - # After DNAT, dest port will be the server port. Capture it here because $serverport gets modified below. - # - my $servport = $serverport ne '' ? $serverport : $ports; # # Generate the target # @@ -1122,7 +1115,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) { if ( $actiontype & REDIRECT ) { fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server; - $target = '-j REDIRECT --to-port ' . $servport; + $target = '-j REDIRECT '; + $target .= "--to-port $serverport " if $serverport; if ( $origdest eq '' || $origdest eq '-' ) { $origdest = ALLIPv4; } elsif ( $origdest eq 'detect' ) { 
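Review bot: In the port-range branch `my @ports = ( $1, $2 ); $_ = validate_port( proto_name( $proto ), $_) for ( @ports );` validates the two endpoints but `@ports` is never used afterwards — `$ports` is built by `tr/-/:/` on the raw `$serverport` — so the assignment back into `$_` only serves to avoid aliasing the read-only `$1`/`$2`. `validate_port( proto_name( $proto ), $_ ) for @ports;` with a comment `# copies, because $1/$2 are read-only` says what is going on. `fatal_error "Invalid port range ($serverport)" unless $1 < $2;` also rejects an equal-endpoint range such as `80-80`, which iptables accepts; `$1 <= $2` if that is meant to be allowed.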
@@ -1142,6 +1136,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) { if ( $action eq 'SAME' ) { fatal_error 'Port mapping not allowed in SAME rules' if $serverport; fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone; + fatal_error "':random' is not supported by the SAME target" if $randomize; + warning_message 'Netfilter support for SAME is being dropped in early 2008'; $target = '-j SAME '; for my $serv ( split /,/, $server ) { $target .= "--to $serv "; @@ -1165,6 +1161,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) { } } + $target .= $randomize; + # # And generate the nat table rule(s) # @@ -1180,14 +1178,13 @@ sub process_rule1 ( $$$$$$$$$$$ ) { $serverport ? do_proto( $proto, '', '' ) : '' ); # # After NAT: - # - the destination port will be the server port - # - the destination IP will be the server IP + # - the destination port will be the server port ($ports) -- we did that above + # - the destination IP will be the server IP ($dest) # - there will be no log level (we log NAT rules in the nat table rather than in the filter table). # - the target will be ACCEPT. # unless ( $actiontype & NATONLY ) { - $servport =~ tr/-/:/ if $servport ne '-'; - $rule = join( '', do_proto( $proto, $servport, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) ); + $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) ); $loglevel = ''; $dest = $server; $action = 'ACCEPT'; @@ -1348,15 +1345,10 @@ sub process_rules() { my $fn = open_file 'rules'; - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line2 1, 10, 'rules file'; if ( $target eq 'COMMENT' ) { 
@@ -1398,7 +1390,7 @@ sub process_rules() { # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones). # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates. # -# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules. +# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules. # sub generate_matrix() { # @@ -1468,7 +1460,7 @@ sub generate_matrix() { } # - # Generate_Matrix() Starts Here + # G e n e r a t e _ M a t r i x ( ) S t a r t s H e r e # start_matrix; diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm index 278675983..bf67f0390 100644 --- a/Shorewall-perl/Shorewall/Tc.pm +++ b/Shorewall-perl/Shorewall/Tc.pm @@ -29,9 +29,9 @@ # package Shorewall::Tc; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; -use Shorewall::Chains; +use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::Providers; use strict; @@ -39,7 +39,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = 4.0.5; +our $VERSION = 4.0.6; our %tcs = ( T => { chain => 'tcpost', connmark => 0, @@ -269,8 +269,6 @@ sub process_tc_rule( $$$$$$$$$$ ) { fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes' if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) <= 0xFF && $config{HIGH_ROUTE_MARKS}; - - $target =~ s/set-mark/or-mark/ if numeric_value( $cmd ) > 0xFF && ( $chain eq 'tcpre' || $chain eq 'tcout' ); } } 
@@ -408,15 +406,10 @@ sub setup_traffic_shaping() { my $fn = open_file 'tcdevices'; if ( $fn ) { - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ( $device, $inband, $outband ) = split_line 3, 3, 'tcdevices'; fatal_error "Invalid tcdevices entry" if $outband eq '-'; @@ -427,15 +420,10 @@ sub setup_traffic_shaping() { $fn = open_file 'tcclasses'; if ( $fn ) { - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file'; validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options ); @@ -550,8 +538,6 @@ sub setup_traffic_shaping() { # sub setup_tc() { - my $first_entry = 1; - if ( $capabilities{MANGLE_ENABLED} ) { ensure_mangle_chain 'tcpre'; ensure_mangle_chain 'tcout'; @@ -595,13 +581,9 @@ sub setup_tc() { if ( my $fn = open_file 'tcrules' ) { - while ( read_a_line ) { + first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } ); - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's' ); - $first_entry = 0; - } + while ( read_a_line ) { my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line1 2, 10, 'tcrules file'; diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm index 4bb1038ce..0ca265741 100644 --- a/Shorewall-perl/Shorewall/Tunnels.pm +++ b/Shorewall-perl/Shorewall/Tunnels.pm 
@@ -24,16 +24,17 @@ # package Shorewall::Tunnels; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Zones; -use Shorewall::Chains; +use Shorewall::IPAddrs; +use Shorewall::Chains qw(:DEFAULT :internal); use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tunnels ); our @EXPORT_OK = ( ); -our $VERSION = 4.0.3; +our $VERSION = 4.0.6; # # Here starts the tunnel stuff -- we really should get rid of this crap... @@ -233,6 +234,8 @@ sub setup_tunnels() { my $inchainref = ensure_filter_chain "${zone}2${fw}", 1; my $outchainref = ensure_filter_chain "${fw}2${zone}", 1; + $gateway = ALLIPv4 if $gateway eq '-'; + my $source = match_source_net $gateway; my $dest = match_dest_net $gateway; @@ -262,19 +265,14 @@ sub setup_tunnels() { progress_message " Tunnel \"$currentline\" $done"; } - my $first_entry = 1; - # # Setup_Tunnels() Starts Here # my $fn = open_file 'tunnels'; - while ( read_a_line ) { + first_entry "$doing $fn..."; - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } + while ( read_a_line ) { my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file'; diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index 8bd6cb448..c62d7cc68 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -25,7 +25,7 @@ # package Shorewall::Zones; require Exporter; -use Shorewall::Config; +use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::IPAddrs; use strict; @@ -64,7 +64,7 @@ our @EXPORT = qw( NOTHING ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.0.5; +our $VERSION = 4.0.6; # # IPSEC Option types 
@@ -161,8 +161,8 @@ INIT { # Convert value to decimal number # sub numeric_value ( $ ) { - my $mark = $_[0]; - fatal_error "Invalid Numeric Value ($mark)" unless "\L$mark" =~ /^(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/; + my $mark = lc $_[0]; + fatal_error "Invalid Numeric Value ($mark)" unless $mark =~ /^(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/; $mark =~ /^0/ ? oct $mark : $mark; } @@ -245,15 +245,10 @@ sub determine_zones() my $fn = open_file 'zones'; - my $first_entry = 1; + first_entry "$doing $fn..."; while ( read_a_line ) { - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; - } - my @parents; my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; @@ -620,6 +615,7 @@ sub validate_interfaces_file( $ ) fatal_error "Invalid Interface Name ($interface)" if $interface eq '+'; if ( defined $port ) { + fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/; require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', ''); require_capability( 'KLUDGEFREE', 'Bridge Ports', ''); fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh index 47e31dc8b..de69a4563 100755 --- a/Shorewall-perl/install.sh +++ b/Shorewall-perl/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.5 +VERSION=4.0.6 usage() # $1 = exit status { diff --git a/Shorewall-perl/prog.header b/Shorewall-perl/prog.header index 5befe75cf..3090e6e10 100644 --- a/Shorewall-perl/prog.header +++ b/Shorewall-perl/prog.header @@ -177,7 +177,7 @@ loadmodule() # $1 = module name, $2 - * arguments local modulefile local suffix - if ! list_search $modulename $MODULES ; then + if ! list_search $modulename $DONT_LOAD $MODULES; then shift for suffix in $MODULE_SUFFIX ; do 
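Review bot: `my $mark = lc $_[0];` means the `Invalid Numeric Value ($mark)` message now echoes the lower-cased form rather than what the user wrote, which can make a typo in a mixed-case value harder to spot in the log; `fatal_error "Invalid Numeric Value ($_[0])" unless $mark =~ /^(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;` keeps the old diagnostic with the simpler test.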
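Review bot: `list_search $modulename $DONT_LOAD $MODULES` passes DONT_LOAD through unchanged, yet the Perl compiler in this same commit treats DONT_LOAD as a comma-separated list (`split /,/, $config{DONT_LOAD}`); if list_search compares its first argument against each remaining word, a value such as `a,b` arrives as one word, never matches a module name, and the modules are loaded anyway. Converting it to words first keeps the two compilers consistent: `if ! list_search $modulename $(echo "$DONT_LOAD" | sed 's/,/ /g') $MODULES; then`. list_search's implementation is not in this diff, so please confirm its matching rule.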
diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec index 0428b17a5..9b497049f 100644 --- a/Shorewall-perl/shorewall-perl.spec +++ b/Shorewall-perl/shorewall-perl.spec @@ -1,5 +1,5 @@ %define name shorewall-perl -%define version 4.0.5 +%define version 4.0.6 %define release 1 Summary: Shoreline Firewall Perl-based compiler. @@ -64,6 +64,14 @@ rm -rf $RPM_BUILD_ROOT %doc COPYING releasenotes.txt %changelog +* Thu Nov 15 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-1 +* Sat Nov 10 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC3 +* Wed Nov 07 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC2 +* Thu Oct 25 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC1 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.5-1 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler index 2454daf61..daf1d9798 100755 --- a/Shorewall-shell/compiler +++ b/Shorewall-shell/compiler @@ -5194,6 +5194,7 @@ __EOF__ LOCKFILE="$LOCKFILE" PATH="$PATH" TERMINATOR=fatal_error + DONT_LOAD="$DONT_LOAD" __EOF__ if [ -n "$IPTABLES" ]; then diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh index 968c582b0..128d02eba 100755 --- a/Shorewall-shell/install.sh +++ b/Shorewall-shell/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.5 +VERSION=4.0.6 usage() # $1 = exit status { diff --git a/Shorewall-shell/lib.providers b/Shorewall-shell/lib.providers index a6ee6063d..198b8ff35 100644 --- a/Shorewall-shell/lib.providers +++ b/Shorewall-shell/lib.providers 
@@ -434,9 +434,9 @@ __EOF__ # setup_route_marking() { - local mask=0xFF mark_op="--set-mark" save_indent="$INDENT" + local mask=0xFF save_indent="$INDENT" - [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 && mark_op="--or-mark" + [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask @@ -450,7 +450,7 @@ setup_route_marking() save_command "if [ -n \"\$${iface}_up\" ]; then" INDENT="$INDENT " run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark - run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value + run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value INDENT="$save_indent" save_command "fi" done diff --git a/Shorewall-shell/lib.tcrules b/Shorewall-shell/lib.tcrules index 4ac17aa08..749c47ea3 100644 --- a/Shorewall-shell/lib.tcrules +++ b/Shorewall-shell/lib.tcrules @@ -340,7 +340,6 @@ process_tc_rule() if [ $((${mark%/*})) -gt 255 ]; then case $chain in tcpre|tcout) - target="MARK --or-mark" ;; *) fatal_error "Invalid mark value ($mark) in rule \"$rule\"" diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec index e4bbd52c5..a02ef17da 100644 --- a/Shorewall-shell/shorewall-shell.spec +++ b/Shorewall-shell/shorewall-shell.spec @@ -1,5 +1,5 @@ %define name shorewall-shell -%define version 4.0.5 +%define version 4.0.6 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
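Review bot: The routemark rule now always uses `--set-mark $mark_value`, but the PREROUTING rule that sends packets to routemark (`-m mark --mark 0/$mask`, with mask 0xFF00 when HIGH_ROUTE_MARKS is set) only checks that the high byte is clear, so a packet already carrying a low-order mark at this point would have those bits overwritten. If that is intended, or impossible because low-order marking happens later, say so on the rule so the next reader does not reintroduce `--or-mark`: `# --set-mark is deliberate: the whole mark is replaced here, low-order bits included`. The first hunk's removal of mark_op is consistent with this; setup_route_marking continues beyond the second hunk.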
@@ -81,6 +81,12 @@ fi %doc COPYING INSTALL %changelog +* Thu Nov 15 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-1 +* Sat Nov 10 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC3 +* Thu Oct 25 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.6-0RC2 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.5-1 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 19007baf0..451a1b7bf 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -39,7 +39,9 @@ href="#Glossary">Glossary


Important Notice to users of Shorewall Multi-ISP -Feature
+Feature -- UPDATED 7 November 2007

+ +


Leaf
OpenWRT
Donations

@@ -207,6 +209,8 @@ patching file compiler Hunk #1 succeeded at 958 (offset -1669 lines). root@wookie:/usr/share/shorewall# +

Update -- 7 November 2007

+

A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and 4.0.0-4.0.5 can cause improper handing of PREROUTING and OUTPUT marks when HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this problem: