From 4efac2fda17cbc89a07b1d079494a17c8eb477eb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 6 Feb 2020 15:21:51 -0800 Subject: [PATCH 01/14] Handle essential IPv6-ICMP types when firewall is stopped Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index ccc5306b6..0de55c4a4 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -2540,6 +2540,7 @@ sub compile_stop_firewall( $$$$ ) { my $input = $filter_table->{INPUT}; my $output = $filter_table->{OUTPUT}; my $forward = $filter_table->{FORWARD}; + my $absentminded = $config{ ADMINISABSENTMINDED }; emit <<'EOF'; # @@ -2547,7 +2548,7 @@ sub compile_stop_firewall( $$$$ ) { # stop_firewall() { EOF - $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED}; + $output->{policy} = 'ACCEPT' if $absentminded; if ( $family == F_IPV4 ) { emit <<'EOF'; @@ -2706,7 +2707,7 @@ EOF # create_docker_rules if $config{DOCKER}; - if ( $config{ADMINISABSENTMINDED} ) { + if ( $absentminded ) { add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/; } @@ -2715,7 +2716,7 @@ EOF add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL; add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST; - unless ( $config{ADMINISABSENTMINDED} ) { + unless ( $absentminded ) { add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL; add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST; } 
@@ -2729,12 +2730,25 @@ EOF process_stoppedrules; + if ( $family == F_IPV6 ) { + my $chain = new_action_chain( 'filter', 'AllowICMPs' ); + + for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) { + add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" ); + } + + for $chain ( $input, $output, $forward ) { + next if $chain eq $output && $absentminded; + add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP ); + } + } + if ( have_capability 'IFACE_MATCH' ) { add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback'; - add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED}; + add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded; } else { add_ijump $input, j => 'ACCEPT', i => loopback_interface; - add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED}; + add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded; } my $interfaces = find_interfaces_by_option 'dhcp'; @@ -2744,7 +2758,7 @@ EOF for my $interface ( @$interfaces ) { add_ijump $input, j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface ); - add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED}; + add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded; # # This might be a bridge # From 367a5f7d979fe17f31b77ec2de8f0bc132e115c2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 16 Feb 2020 10:33:18 -0800 Subject: [PATCH 02/14] Filter out LIBVIRT rules when saving Docker Rules Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 71c775583..1949ede6e 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm 
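Review bot: The new `AllowICMPs` chain accepts the whole NDP range (133–137, i.e. Router Solicitation/Advertisement, Neighbor Solicitation/Advertisement and Redirect) from any source in INPUT and also in FORWARD while the firewall is stopped; RFC 4890 §4.3.3 lists these as link-local messages that are never legitimately forwarded, so the stopped ruleset should not express that policy even though the kernel's hop-limit-255 check on NDP means a forwarded copy would be ignored by the receiver. I would keep the error, MLD, MLDv2, inverse-ND, SEND and MRD types on all three chains and add the five NDP types only to `$input` and `$output` (or additionally require an `hl --hl-eq 255` match, if that capability is available — I can't tell from this hunk). Separately, `for $chain ( $input, $output, $forward )` re-uses the `$chain` that was just declared as the action-chain ref; foreach localizes it so this works, but `for my $chainref ( ... )` with `next if $chainref == $output && $absentminded;` avoids the trap and compares refs by identity rather than by stringification. compile_stop_firewall begins and ends outside this hunk.
```perl
    # … unchanged: process_stoppedrules; …
    if ( $family == F_IPV6 ) {
        my $icmpchain = new_action_chain( 'filter', 'AllowICMPs' );
        #
        # Error, MLD, MLDv2, inverse-ND, SEND and MRD messages may be seen on any path.
        #
        for my $type ( 1, 2, 3, 4, 130, 131, 132, 141, 142, 143, 148, 149, 151, 152, 153 ) {
            add_ijump( $icmpchain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
        }
        for my $chainref ( $input, $output, $forward ) {
            next if $chainref == $output && $absentminded;
            add_ijump( $chainref, j => 'AllowICMPs', p => IPv6_ICMP );
        }
        #
        # NDP (RS/RA/NS/NA/Redirect) is link-local only (RFC 4890 4.3.3): the host
        # needs it, but it is never legitimately forwarded.
        #
        for my $type ( 133, 134, 135, 136, 137 ) {
            add_ijump( $input,  j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
            add_ijump( $output, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" ) unless $absentminded;
        }
    }
    # … unchanged: loopback and dhcp rules …
```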
+++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -8716,7 +8716,7 @@ sub save_docker_rules($) { emit( qq(if [ -n "\$g_docker" ]; then), qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER), qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT), - qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING), + qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING), qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER), qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS), qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER), From f221ca290f23db43eaada8f90cf4b2dbe9366772 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 1 Mar 2020 15:07:17 -0800 Subject: [PATCH 03/14] Improve checking when MANGLE_ENABLED=No in shorewall[6].conf - Fatal error when a feature is used that requires the mangle table Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 25 +++++++++++++++++++------ Shorewall/Perl/Shorewall/Misc.pm | 2 +- Shorewall/Perl/Shorewall/Providers.pm | 4 ++-- Shorewall/Perl/Shorewall/Tc.pm | 2 +- 4 files changed, 23 insertions(+), 10 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 7e25c03fa..a26ec263f 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -162,6 +162,7 @@ our @EXPORT = qw( have_capability require_capability + require_mangle_capability report_used_capabilities kernel_version 
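Review bot: The added `fgrep -v LIBVIRT` excludes any POSTROUTING rule whose `-S` text contains that substring anywhere — in a comment, an ipset name, or a user chain such as `MY_LIBVIRT` — not just libvirt's own `-j LIBVIRT_PRT` jump, and the pre-existing `SHOREWALL` filter has the same shape. Because `.nat_POSTROUTING` is replayed into the nat table on restore (outside this hunk), an over-broad match silently loses a rule and an under-broad one re-adds a foreign rule on every reload, so I would anchor the libvirt half on the target, `| grep -F -v -e SHOREWALL -e '-j LIBVIRT'`, which also moves off `fgrep`, deprecated in GNU grep 3.8. I am assuming from the chain naming that `-j LIBVIRT_PRT` is the only way libvirt appears in POSTROUTING; an older libvirt that writes bare MASQUERADE rules would still slip through either filter. save_docker_rules ends outside the hunk.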
@@ -804,7 +805,7 @@ sub add_variables( \% ); # 2. The compiler can run multiple times in the same process so it has to be # able to re-initialize its dependent modules' state. # -sub initialize( $;$$$) { +sub initialize($;$$$) { ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_; if ( $family == F_IPV4 ) { @@ -5267,6 +5268,16 @@ sub require_capability( $$$ ) { fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1; } +sub require_mangle_capability( $$$ ) { + my ( $capability, $description, $singular ) = @_; + + if ( $config{MANGLE_ENABLED} ) { + &require_capability( @_ ); + } else { + fatal_error "$description " . ( $singular ? 'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{product}.conf"; + } +} + # # Return Kernel Version # @@ -6611,6 +6622,7 @@ sub get_configuration( $$$ ) { if ( supplied $config{ACCOUNTING_TABLE} ) { my $value = $config{ACCOUNTING_TABLE}; fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle'; + fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED}; } else { $config{ACCOUNTING_TABLE} = 'filter'; } @@ -6686,7 +6698,7 @@ sub get_configuration( $$$ ) { $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; - require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; + require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; numeric_option 'TC_BITS' , 8, 0; numeric_option 'MASK_BITS' , 8, 0; 
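Review bot: In `require_mangle_capability` the `&require_capability( @_ )` call uses the `&` sigil purely to defeat the callee's `($$$)` prototype (a plain `require_capability( @_ )` would impose scalar context on `@_` and fail to compile); since the three values are already unpacked, `require_capability( $capability, $description, $singular )` satisfies the prototype without the sigil and without re-passing the caller's aliased `@_`. The `$singular ? 'is' : 'are'` test also silently depends on callers passing `'s'` or `''` as the third argument, which is the verb-suffix convention `require_capability` uses; a one-line comment such as `# $singular follows require_capability's 's'/'' suffix convention` would keep the two in step. The neighbouring export-list and get_configuration hunks are unaffected.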
@@ -6930,7 +6942,7 @@ sub get_configuration( $$$ ) { if ( $config{TC_ENABLED} ) { fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED}; - require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's'; + require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's'; } if ( supplied( $val = $config{TC_PRIOMAP} ) ) { @@ -7013,9 +7025,10 @@ sub get_configuration( $$$ ) { } require_capability( 'MULTIPORT' , "Shorewall $globals{VERSION}" , 's' ); - require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL}; - require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0; - require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED}; + require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL}; + + require_mangle_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0; + require_mangle_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED}; if ( $config{WARNOLDCAPVERSION} ) { if ( $capabilities{CAPVERSION} ) { diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index b392b974b..3cdd902c2 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -97,7 +97,7 @@ sub setup_ecn() if ( my $fn = open_file 'ecn' ) { first_entry( sub { progress_message2 "$doing $fn..."; - require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', ''; + require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', ''; warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD'; } ); diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index bda08389b..745a331ef 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
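Review bot: The switch to `require_mangle_capability` on the `TC_ENABLED` line can never take its new branch: the `fatal_error "TC_ENABLED=... is not allowed with MANGLE_ENABLED=No"` immediately above already dies whenever `MANGLE_ENABLED` is false, so the helper always falls through to the plain capability check. Either drop the explicit `fatal_error` and let the helper produce the uniform message, or keep `require_capability` as it was; having both suggests two distinct checks where there is one. get_configuration continues outside this hunk.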
@@ -594,7 +594,7 @@ sub process_a_provider( $ ) { unless ( $options eq '-' ) { for my $option ( split_list $options, 'option' ) { if ( $option eq 'track' ) { - require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' ); + require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' ); $track = 1; } elsif ( $option eq 'notrack' ) { $track = 0; @@ -714,7 +714,7 @@ sub process_a_provider( $ ) { $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track; if ( $mark ne '-' ) { - require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' ); + require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' ); if ( $tproxy && ! $local ) { $val = $globals{TPROXY_MARK}; diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 882db9112..68e5649e5 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -2455,7 +2455,7 @@ sub setup_tc( $ ) { } } } elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) { - warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file"; + warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file"; } if ( my $fn = open_file( 'mangle', 1, 1 ) ) { From d3de75dd120dcaefe29031c30f3c0a5965795aee Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 7 Mar 2020 11:03:35 -0800 Subject: [PATCH 04/14] Add DOCKER_BRIDGE option 
Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 6 +++-- Shorewall/Perl/Shorewall/Config.pm | 4 +++ Shorewall/Perl/Shorewall/Misc.pm | 12 +++++---- Shorewall/Samples/Universal/shorewall.conf | 2 ++ .../Samples/one-interface/shorewall.conf | 2 ++ .../Samples/three-interfaces/shorewall.conf | 2 ++ .../Samples/two-interfaces/shorewall.conf | 2 ++ Shorewall/configfiles/shorewall.conf | 2 ++ Shorewall/manpages/shorewall.conf.xml | 26 ++++++++++++++----- 9 files changed, 44 insertions(+), 14 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 8df53f4d5..d64864012 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -8727,6 +8727,8 @@ sub emitr1( $$ ) { sub save_docker_rules($) { my $tool = $_[0]; + my $bridge = $config{DOCKER_BRIDGE}; + emit( qq(if [ -n "\$g_docker" ]; then), qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER), qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT), @@ -8744,10 +8746,10 @@ sub save_docker_rules($) { qq(), ); - if ( known_interface( 'docker0' ) ) { + if ( known_interface( $bridge ) ) { emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) ); } else { - emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) ); + emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) ); } emit( q( [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD), diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index ff3003c9e..e6816c5d5 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
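Review bot: `$bridge` is interpolated unescaped into the ERE on the `egrep` line (`($bridge|br-[a-z0-9]{12})`) inside single quotes, so a DOCKER_BRIDGE value containing `.`, `+`, `|`, `)` or a `'` changes the pattern or breaks the generated shell line. The value is admin-supplied in shorewall.conf, so this is robustness rather than injection, but the matched FORWARD rules are replayed on restore, so a mis-scoped pattern means Docker's rules silently dropped or someone else's re-added. Perl's `quotemeta` does not produce ERE-safe escapes, so the cleaner fix is to validate DOCKER_BRIDGE against interface-name syntax at configuration time (Config.pm, outside this hunk) and leave this line as is; separately, `egrep` is deprecated since GNU grep 3.8 in favour of `grep -E`. save_docker_rules ends outside the hunk.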
@@ -1010,6 +1010,7 @@ sub initialize($;$$$) { PERL_HASH_SEED => undef , USE_NFLOG_SIZE => undef , RENAME_COMBINED => undef , + DOCKER_BRIDGE => undef , # # Packet Disposition # @@ -6569,6 +6570,9 @@ sub get_configuration( $$$ ) { fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6; require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' ); require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' ); + default( 'DOCKER_BRIDGE' , 'docker0' ); + } elsif ( $family == F_IPV6 ) { + warning_message( "DOCKER_BRIDGE=$val ignored by shorewall6" ) if supplied( $val = $config{DOCKER_BRIDGE} ); } if ( supplied( $val = $config{RESTART} ) ) { diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 3cdd902c2..1323e0585 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -675,6 +675,8 @@ sub process_stoppedrules() { # Generate the rules required when DOCKER=Yes # sub create_docker_rules() { + my $bridge = $config{DOCKER_BRIDGE}; + add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' ); my $chainref = $filter_table->{FORWARD}; 
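Review bot: `default( 'DOCKER_BRIDGE' , 'docker0' )` accepts any string, yet the value is later emitted as an iptables `-i`/`-o` argument and spliced into an `egrep` pattern by save_docker_rules (both outside this hunk), so whitespace, `/`, `'`, a regex metacharacter or a name longer than 15 characters (IFNAMSIZ-1) yields a broken generated script instead of a compile-time error. I would add, after the default, `fatal_error "Invalid DOCKER_BRIDGE setting ($config{DOCKER_BRIDGE})" unless $config{DOCKER_BRIDGE} =~ /^[A-Za-z0-9_.-]{1,15}$/;` — if Config.pm already has an interface-name validator, reuse that instead. Also, on IPv4 with DOCKER=No a supplied DOCKER_BRIDGE is silently ignored while the IPv6 branch warns; a matching `warning_message` there would be consistent. get_configuration continues outside the hunk.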
@@ -684,13 +686,13 @@ sub create_docker_rules() { add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' ); add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' ); - if ( my $dockerref = known_interface('docker0') ) { + if ( my $dockerref = known_interface( $bridge ) ) { add_commands( $chainref, 'if [ -n "$g_docker" ]; then' ); incr_cmd_level( $chainref ); - add_ijump( $chainref, j => 'DOCKER', o => 'docker0' ); - add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' ); - add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' ); - add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback}; + add_ijump( $chainref, j => 'DOCKER', o => $bridge ); + add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' ); + add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" ); + add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback}; decr_cmd_level( $chainref ); add_commands( $chainref, 'fi' ); diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index b3fea7222..829593ab2 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -163,6 +163,8 @@ DISABLE_IPV6=No DOCKER=No +DOCKER_BRIDGE=docker0 + DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 1afcb5a15..3666e729f 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -174,6 +174,8 @@ DISABLE_IPV6=No DOCKER=No +DOCKER_BRIDGE=docker0 + DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No 
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index eb5986500..2cb755041 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -171,6 +171,8 @@ DISABLE_IPV6=No DOCKER=No +DOCKER_BRIDGE=docker0 + DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 452825c36..21a76426d 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -174,6 +174,8 @@ DISABLE_IPV6=No DOCKER=No +DOCKER_BRIDGE=docker0 + DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index e01797706..2095f7ec7 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -167,6 +167,8 @@ DISABLE_IPV6=No DOCKER=No +DOCKER_BRIDGE=docker0 + DONT_LOAD= DYNAMIC_BLACKLIST=Yes diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 3f41d2e88..823416e38 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml 
@@ -834,18 +834,30 @@ role="bold">Yes|No] - Added in Shorewall 5.0.6. When set to , - the generated script will save Docker-generated rules before and - restore them after executing the start, - stop, reload and - restart commands. If set to - (the default), the generated script will delete any Docker-generated - rules when executing those commands. See + Added in Shorewall 5.0.6; IPv4 only. When set to + , the generated script will save + Docker-generated rules before and restore them after executing the + start, stop, + reload and restart commands. + If set to (the default), the generated script + will delete any Docker-generated rules when executing those + commands. See http://www.shorewall.org/Docker.html for additional information. + + DOCKER_BRIDGE=[bridgename] + + + Added in Shorewall 5.2.4; IPv4 only. Specifies the name of the + default Docker bridge. If not specified, the value 'docker0' is + assumed. + + + DONT_LOAD=[module[,module]...] From de761ac657953b3ee915bc609c466fef33559c5e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 7 Mar 2020 13:13:43 -0800 Subject: [PATCH 05/14] Clarify 'trace' and the compiled script Signed-off-by: Tom Eastep --- docs/starting_and_stopping_shorewall.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index b6ed1b60c..94130293d 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml 
@@ -214,8 +214,10 @@ shorewall trace check -r This produces a large amount of diagnostic output to standard out - during the compilation step. If entered on a command that doesn't invoke - the compiler, trace is ignored. + during the compilation step. If the command invokes the compiled firewall + script, then that script's execution is traced to standard error. If + entered on a command that invokes neither the compiler nor the compiled + script, trace is ignored. Commands that invoke a compiled fireawll script can have the word debug inserted immediately after the command. From b52a330f417373a44f95e6b4a31265173daa4838 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 7 Mar 2020 15:10:20 -0800 Subject: [PATCH 06/14] Replace trace, debug and nolock with options Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 48 +++-- Shorewall-core/lib.common | 16 +- Shorewall-core/manpages/shorewall.xml | 263 ++++++++--------------- Shorewall/Perl/prog.footer | 25 +-- Shorewall/configfiles/started | 2 +- Shorewall/lib.cli-std | 68 ++++-- Shorewall6/configfiles/started | 2 +- docs/starting_and_stopping_shorewall.xml | 31 --- 8 files changed, 190 insertions(+), 265 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 933150f0a..fed65b45c 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -4120,9 +4120,9 @@ start_command() { if [ -x $g_firewall ]; then if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then - run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore + run_it ${VARDIR}/${RESTOREFILE} restore else - run_it $g_firewall $g_debugging start + run_it $g_firewall start fi rc=$? else @@ -4256,7 +4256,7 @@ restart_command() { [ -n "$g_nolock" ] || mutex_on if [ -x $g_firewall ]; then - run_it $g_firewall $g_debugging $COMMAND + run_it $g_firewall $COMMAND rc=$? else error_message "$g_firewall is missing or is not executable" 
@@ -4270,7 +4270,7 @@ restart_command() { run_command() { if [ -x $g_firewall ] ; then - run_it $g_firewall $g_debugging $@ + run_it $g_firewall $@ else fatal_error "$g_firewall does not exist or is not executable" fi @@ -4287,7 +4287,13 @@ ecko() { # usage() # $1 = exit status { - echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] " + echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] " + echo " -T : Direct the generated script to produce a shell trace to standard error" + echo " -D : Debug iptables commands" + echo " -N : Don't take the master shorewall lock" + echo " -q : Standard Shorewall verbosity control" + echo " -v : Standard Shorewall verbosity control" + echo " -t : Timestamp all messages" echo "where is one of:" echo " add [:] ... " echo " allow
..." @@ -4415,20 +4421,16 @@ usage() # $1 = exit status # here if that lib is loaded below. # shorewall_cli() { - g_debugging= - - if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then - g_debugging=$1 - shift - fi - g_nolock= - + # + # We'll keep this around for a while so we don't break people's started scripts + # if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then g_nolock=nolock shift fi + g_debugging= g_noroutes= g_purge= g_ipt_options="-nv" @@ -4456,6 +4458,7 @@ shorewall_cli() { g_blacklistipset= g_disconnect= g_havemutex= + g_trace= VERBOSE= VERBOSITY=1 @@ -4587,6 +4590,17 @@ shorewall_cli() { finished=1 option= ;; + T*) + g_debugging=trace + option=${option#T} + ;; + D*) + g_debugging=debug + option=${option#D} + ;; + N*) + g_nolock=nolock + ;; *) option_error $option ;; @@ -4639,7 +4653,7 @@ shorewall_cli() { get_config [ -x $g_firewall ] || fatal_error "$g_product has never been started" [ -n "$g_nolock" ] || mutex_on - run_it $g_firewall $g_debugging $COMMAND + run_it $g_firewall $COMMAND [ -n "$g_nolock" ] || mutex_off ;; reset) @@ -4648,7 +4662,7 @@ shorewall_cli() { shift [ -n "$g_nolock" ] || mutex_on [ -x $g_firewall ] || fatal_error "$g_product has never been started" - run_it $g_firewall $g_debugging reset $@ + run_it $g_firewall reset $@ [ -n "$g_nolock" ] || mutex_off ;; reload|restart) @@ -4661,7 +4675,7 @@ shorewall_cli() { only_root get_config Yes if product_is_started; then - run_it $g_firewall $g_debugging $@ + run_it $g_firewall $@ else fatal_error "$g_product is not running" fi @@ -4816,7 +4830,7 @@ shorewall_cli() { # It isn't a function visible to this script -- try # the compiled firewall # - run_it $g_firewall $g_debugging call $@ + run_it $g_firewall call $@ fi else missing_argument diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common index 1ca02ddf8..b8ac32550 100644 --- a/Shorewall-core/lib.common +++ b/Shorewall-core/lib.common 
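Review bot: Dropping the leading `debug`/`trace` keyword check means `shorewall trace check` now reaches the command dispatcher with `trace` as the command and fails as unknown, whereas `nolock` was deliberately kept as a compatibility shim; scripts and documentation using the keyword form break without a hint. I would keep a parallel shim for one release, placed after the `g_debugging=` reset: `if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then g_debugging=$1; shift; fi`, ideally with a deprecation message pointing at `-D`/`-T`. shorewall_cli continues outside this hunk.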
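Review bot: The new `N*)` arm does not strip the consumed letter, unlike `T*)` and `D*)`, which each end with `option=${option#X}`; the loop header is outside the hunk, but the sibling `finished=1 option= ;;` arm shows the loop runs until `$option` is empty, so `-N` would leave `$option` unchanged and spin on the `N*` arm indefinitely (and `-Nq` would never reach `q`). Add `option=${option#N}` before the `;;`. shorewall_cli continues outside the hunk.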
@@ -92,18 +92,20 @@ startup_error() # $* = Error Message # run_it() { local script - local options + local options='-' export VARDIR script=$1 shift - if [ x$1 = xtrace -o x$1 = xdebug ]; then - options="$1 -" - shift; + + if [ "$g_debugging" = debug ]; then + options='-D' + elif [ "$g_debugging" = trace ]; then + options='-T' else - options='-' + options='-'; fi [ -n "$g_noroutes" ] && options=${options}n @@ -736,8 +738,8 @@ truncate() # $1 = length # # Call this function to assert mutual exclusion with Shorewall. If you invoke the -# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as -# the first argument. Example "shorewall nolock refresh" +# /sbin/shorewall program while holding mutual exclusion, you should pass -N as +# the first argument. Example "shorewall -N refresh" # # This function uses the lockfile utility from procmail if it exists. # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the diff --git a/Shorewall-core/manpages/shorewall.xml b/Shorewall-core/manpages/shorewall.xml index 012d06b55..ac71bb851 100644 --- a/Shorewall-core/manpages/shorewall.xml +++ b/Shorewall-core/manpages/shorewall.xml @@ -21,9 +21,6 @@ shorewall[6][-lite] - | - options @@ -39,9 +36,6 @@ shorewall[6][-lite] - | - options @@ -52,9 +46,6 @@ shorewall[6][-lite] - | - options @@ -67,9 +58,6 @@ shorewall[6][-lite] - | - options @@ -106,9 +94,6 @@ shorewall[6][-lite] - | - options shorewall[6][-lite] - | - options @@ -159,9 +141,6 @@ shorewall[6][-lite] - | - options @@ -177,9 +156,6 @@ shorewall[6][-lite] - | - options @@ -191,9 +167,6 @@ shorewall[6][-lite] - | - options @@ -204,8 +177,6 @@ shorewall[6][-lite] - | - options @@ -222,9 +193,6 @@ shorewall[6][-lite] - | - options @@ -236,9 +204,6 @@ shorewall[6] - | - options @@ -252,9 +217,6 @@ shorewall[6][-lite] - | - options @@ -265,8 +227,6 @@ shorewall[6][-lite] - | - options @@ -275,8 +235,6 @@ shorewall[-lite] - | - options shorewall[-lite] - | - options 
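Review bot: `run_it` now reads `$g_debugging` from the global instead of its second positional argument, so any caller still passing `trace`/`debug` after the script name (a stale lib.cli-std or a third-party wrapper) will have that word forwarded to the compiled firewall as its command rather than ignored; the lib.cli call sites in this series were updated, but a comment such as `# $g_debugging (trace|debug) selects -T/-D; callers must no longer pass the keyword` would make the contract visible. Minor: `options` is initialised to `'-'` in the `local` declaration and assigned `'-'` again in the `else` branch; `case "$g_debugging" in debug) options='-D' ;; trace) options='-T' ;; esac` keeps a single default. run_it ends outside the hunk.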
@@ -304,8 +260,6 @@ shorewall[-lite] - | - options @@ -317,8 +271,6 @@ shorewall[6][-lite] - | - options @@ -330,9 +282,6 @@ shorewall[6][-lite] - | - options @@ -343,8 +292,6 @@ shorewall[6][-lite] - | - options @@ -357,9 +304,6 @@ shorewall[6][-lite] - | - options @@ -370,8 +314,6 @@ shorewall[6][-lite] - | - options @@ -394,9 +336,6 @@ shorewall[6][-lite] - | - options @@ -408,9 +347,6 @@ shorewall[6][-lite] - | - options @@ -421,9 +357,6 @@ shorewall[6][-lite] - | - options @@ -448,10 +381,6 @@ shorewall[6] - | - - options - @@ -472,8 +401,6 @@ shorewall[6] - | - options @@ -496,8 +423,6 @@ shorewall[6] - | - options @@ -520,8 +445,6 @@ shorewall[6] - | - options @@ -544,8 +467,6 @@ shorewall[6] - | - options @@ -568,9 +489,6 @@ shorewall[6][-lite] - | - options shorewall[6][-lite] - | - options @@ -608,9 +523,6 @@ shorewall[6][-lite] - | - options shorewall[6][-lite] - | - options @@ -637,9 +546,6 @@ shorewall[6] - | - options @@ -656,8 +562,6 @@ shorewall[6] - | - options @@ -674,9 +578,6 @@ shorewall[6][-lite] - | - options shorewall[6][-lite] - | - options @@ -699,8 +597,6 @@ shorewall[6][-lite] - | - options @@ -713,8 +609,6 @@ shorewall[6][-lite] - | - options @@ -735,8 +629,6 @@ shorewall[6][-lite] - | - options @@ -761,8 +653,6 @@ shorewall[6] - | - options @@ -774,8 +664,6 @@ shorewall[6][-lite] - | - options @@ -787,8 +675,6 @@ shorewall[6][-lite] - | - options @@ -800,8 +686,6 @@ shorewall[6][-lite] - | - options @@ -814,8 +698,6 @@ shorewall[6] - | - options @@ -827,8 +709,6 @@ shorewall[6][-lite] - | - options @@ -841,8 +721,6 @@ shorewall[6][-lite] - | - options @@ -853,8 +731,6 @@ shorewall[6][-lite] - | - options @@ -867,8 +743,7 @@ shorewall[6][-lite] - | + | options @@ -892,9 +767,6 @@ shorewall[6][-lite] - | - options shorewall[6][-lite] - | - options shorewall[6] - | - options @@ -930,8 +797,6 @@ shorewall[6] - | - options 
@@ -956,8 +821,6 @@ shorewall[6][-lite] - | - options Options - The and options are - used for debugging. See http://www.shorewall.org/starting_and_stopping_shorewall.htm#Trace. - - The option prevents the command from - attempting to acquire the Shorewall lockfile. It is useful if you need to - include shorewall commands in - /etc/shorewall/started. - - Other options are: + The options are: @@ -1176,6 +1030,40 @@ Causes all progress messages to be timestamped. + + + -T + + + If the command invokes the generated firewall script, the + script's execution will be traced to standard error. This option + replaces the earlier trace + keyword. + + + If both -T and -D are specified, only the last one specified + will be in effect. + + + + + + -D + + + If the command invokes the generated firewall script, + individual invocations of the ip[6]tables utility will be used to + configure the ruleset rather than ip[6]tables-restore. This is + useful for diagnosing ip[6]tables-restore failures on a *COMMIT + command. The option replaces the earlier debug keyword. + + + If both -T and -D are specified, only the last one specified + will be in effect. + + + @@ -1214,11 +1102,12 @@ Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5),shorewall6-zones(5)) allows a single ipset to - handle entries for multiple interfaces. When that option is - specified for a zone, the add command has the - alternative syntax in which the zone name - precedes the host-list. + url="/manpages/shorewall-zones.html">shorewall6-zones(5)) + allows a single ipset to handle entries for multiple interfaces. + When that option is specified for a zone, the add + command has the alternative syntax in which the + zone name precedes the + host-list. @@ -1294,7 +1183,7 @@ check [-] [-] [-] [-] [-] [-] - [directory] + [-D][directory] Not available with Shorewall[6]-lite. 
@@ -1333,6 +1222,10 @@ url="/manpages/shorewall.conf.html">shorewall.conf(5) (shorewall6.conf(5)). + + The -D option was added in + Shoewall 5.2.4 and causes the compiler to write a large amount of + debugging information to standard output. @@ -1383,8 +1276,9 @@ compile [-] [-] [-] [-] - [-] [-] [ directory - ] [ pathname ] + [-] [-] [-D] [ + directory ] [ pathname + ] Not available with shorewall[6]-lite. @@ -1441,6 +1335,10 @@ url="/manpages/shorewall.conf.html">shorewall.conf(5) (shorewall6.conf(5)). + + The -D option was added in + Shoewall 5.2.4 and causes the compiler to write a large amount of + debugging information to standard output. @@ -1700,16 +1598,16 @@ Monitors the log file specified by the LOGFILE option in shorewall.conf(5) (shorewall6.conf(5)) - and produces an audible alarm when new Shorewall messages are - logged. The -m option causes the - MAC address of each packet source to be displayed if that - information is available. The - refresh-interval specifies the time in - seconds between screen refreshes. You can enter a negative number by - preceding the number with "--" (e.g., shorewall logwatch -- - -30). In this case, when a packet count changes, you will - be prompted to hit any key to resume screen refreshes. + url="/manpages/shorewall.conf.html">shorewall6.conf(5)) and + produces an audible alarm when new Shorewall messages are logged. + The -m option causes the MAC + address of each packet source to be displayed if that information is + available. The refresh-interval specifies + the time in seconds between screen refreshes. You can enter a + negative number by preceding the number with "--" (e.g., + shorewall logwatch -- -30). In this case, when a + packet count changes, you will be prompted to hit any key to resume + screen refreshes. @@ -1824,7 +1722,8 @@ reload [-] [-] [-] [-] [-] [-] [-] - [-] [ directory ] + [-] [-D] [ directory + ] This command was re-implemented in Shorewall 5.0.0. The 
@@ -1889,6 +1788,10 @@ the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters. + + The -D option was added + in Shoewall 5.2.4 and causes the compiler to write a large + amount of debugging information to standard output. @@ -2071,7 +1974,8 @@ Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5) (shorewall6.conf(5) + (shorewall6.conf(5)) is assumed. In that case, if you want to specify a directory, then the @@ -2144,7 +2048,8 @@ Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5) (shorewall6.conf(5) + (shorewall6.conf(5)) is assumed. In that case, if you want to specify a directory, then the @@ -2178,6 +2083,10 @@ url="/manpages/shorewall.conf.html">shorewall.conf(5) (shorewall6.conf(5). + + The -D option was added in + Shoewall 5.2.4 and causes the compiler to write a large amount of + debugging information to standard output. @@ -2204,7 +2113,8 @@ restart [-] [-] [-] [-] [-] [-] [-] - [-] [ directory ] + [-] [-D] [ directory + ] Beginning with Shorewall 5.0.0, this command performs a true @@ -2264,6 +2174,10 @@ the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters. + + The -D option was added + in Shoewall 5.2.4 and causes the compiler to write a large + amount of debugging information to standard output. @@ -2831,8 +2745,8 @@ start [-] [-] [-] [-] [-] - [-] [-] [-] [ - directory ] + [-] [-] [-] [-D] + [ directory ] @@ -2906,6 +2820,11 @@ option was also specified in the save command, then the packet and byte counters will be restored. + + The -D option was + added in Shoewall 5.2.4 and causes the compiler to write a + large amount of debugging information to standard + output. 
diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index 5b5ccba01..7a00daa1d 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -54,6 +54,8 @@ usage() { echo " -c Save/restore iptables counters" echo " -V Set verbosity explicitly" echo " -R Override RESTOREFILE setting" + echo " -T Trace execution" + echo " -D Debug iptables" exit $1 } @@ -109,20 +111,6 @@ reload_command() { # E X E C U T I O N B E G I N S H E R E # ################################################################################ # -# Start trace if first arg is "debug" or "trace" -# -g_debug_iptables= - -if [ $# -gt 1 ]; then - if [ "x$1" = "xtrace" ]; then - set -x - shift - elif [ "x$1" = "xdebug" ]; then - g_debug_iptables=Yes - shift - fi -fi -# # Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations # [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE @@ -152,6 +140,7 @@ g_dockeriso= g_dockerisostage= g_forcereload= g_fallback= +g_debug_iptables= [ -n "$SERVICEDIR" ] && SUBSYSLOCK= @@ -258,6 +247,14 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do RESTOREFILE=$option option= ;; + T*) + set -x; + option=${option#T} + ;; + D*) + g_debug_iptables=Yes + option=${option#D} + ;; *) usage 1 ;; diff --git a/Shorewall/configfiles/started b/Shorewall/configfiles/started index c32c62ddf..dbee7c06f 100644 --- a/Shorewall/configfiles/started +++ b/Shorewall/configfiles/started @@ -8,7 +8,7 @@ # signaling that the firewall is completely up). # # This script should not change the firewall configuration directly but -# may do so indirectly by running /sbin/shorewall with the 'nolock' +# may do so indirectly by running /sbin/shorewall with the -N # option. # # See http://shorewall.org/shorewall_extension_scripts.htm for additional diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index 28757461f..4be36a692 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std 
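Review bot: The new `T*)` and `D*)` cases in the option loop carry no comment, and `-D` here means something different from `-D` on the CLI's compile-type commands (lib.cli-std maps that one to the compiler's `--debug`), so a one-line comment on each case would keep the two from being confused: `# -T: trace this script's execution to stderr (set -x)` and `# -D: issue individual ip[6]tables commands instead of ip[6]tables-restore, to diagnose COMMIT failures`. The stray `;` after `set -x` is harmless but inconsistent with the other cases, and once `set -x` is on the rest of the option parsing is traced as well. The usage line `-D Debug iptables` is terse; `echo " -D Use individual ip[6]tables commands instead of ip[6]tables-restore"` says what it actually does. The `while` loop that these cases belong to starts before the hunk.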
@@ -503,7 +503,7 @@ compiler() { [ -n "$g_timestamp" ] && options="$options --timestamp" [ -n "$g_test" ] && options="$options --test" [ -n "$g_preview" ] && options="$options --preview" - [ "$g_debugging" = trace ] && options="$options --debug" + [ -n "$g_trace" ] && options="$options --debug" [ -n "$g_confess" ] && options="$options --confess" [ -n "$g_update" ] && options="$options --update" [ -n "$g_annotate" ] && options="$options --annotate" @@ -531,7 +531,7 @@ compiler() { # # Only use the pager if 'trace' or -r was specified and -d was not # - [ "$g_debugging" != trace -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager= + [ -z "$g_trace" -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager= case $PERL_HASH_SEED in random) @@ -615,6 +615,10 @@ start_command() { g_counters=Yes option=${option#C} ;; + D*) + g_trace=Yes + option=${option#D} + ;; *) option_error $option ;; @@ -660,14 +664,14 @@ start_command() { if [ -n "$AUTOMAKE" ]; then [ -n "$g_nolock" ] || mutex_on - run_it $g_firewall $g_debugging start + run_it $g_firewall start rc=$? [ -n "$g_nolock" ] || mutex_off else g_file="${VARDIR}/.start" - if compiler $g_debugging $g_nolock compile "$g_file"; then + if compiler compile "$g_file"; then [ -n "$g_nolock" ] || mutex_on - run_it ${VARDIR}/.start $g_debugging start + run_it ${VARDIR}/.start start rc=$? [ -n "$g_nolock" ] || mutex_off else @@ -721,6 +725,10 @@ compile_command() { g_confess=Yes option=${option#T} ;; + D*) + g_trace=Yes + option=${option#D} + ;; -) finished=1 option= @@ -768,7 +776,7 @@ compile_command() { [ "x$g_file" = x- ] && g_doing='' - compiler $g_debugging compile "$g_file" + compiler compile "$g_file" } # @@ -815,6 +823,10 @@ check_command() { g_confess=Yes option=${option#T} ;; + D*) + g_trace=Yes + option=${option#D} + ;; *) option_error $option ;; @@ -851,7 +863,7 @@ check_command() { g_doing="Checking" - compiler $g_debugging $g_nolock check + compiler check } # 
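Review bot: In `compiler()` the rewritten test `[ -z "$g_trace" -a -z "$g_preview" ] || [ -n "$g_debug" ] && g_pager=` keeps the binary `-a` primary inside `[ ]`, which POSIX marks obsolescent, and depends on `A || B && C` being parsed left to right; `{ [ -z "$g_trace" ] && [ -z "$g_preview" ]; } || [ -n "$g_debug" ] && g_pager=` has the same meaning with portable tests. The new `D*)` cases in `start_command()`, `compile_command()` and `check_command()` set `g_trace=Yes`, yet the flag is emitted as `--debug` and the generated script's own `-D` means individual ip[6]tables calls, so a comment at the first `D*)` such as `# -D on a compile-type command: pass --debug to the Perl compiler; unrelated to the generated script's -D` would help the next reader. Where `g_trace` is initialised, and whether it is cleared between commands, is outside these hunks; each enclosing function starts before its hunk.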
@@ -906,6 +918,10 @@ update_command() { A*) option=${option#A} ;; + D*) + g_trace=Yes + option=${option#D} + ;; *) option_error $option ;; @@ -942,7 +958,7 @@ update_command() { g_doing="Updating" - compiler $g_debugging $g_nolock check + compiler check } # @@ -999,6 +1015,10 @@ restart_command() { g_counters=Yes option=${option#C} ;; + D*) + g_trace=Yes + option=${option#D} + ;; *) option_error $option ;; @@ -1044,9 +1064,9 @@ restart_command() { g_file="${VARDIR}/.${COMMAND}" if [ -z "$g_fast" ]; then - if compiler $g_debugging $g_nolock compile "$g_file"; then + if compiler compile "$g_file"; then [ -n "$g_nolock" ] || mutex_on - run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND} + run_it ${VARDIR}/.${COMMAND} ${COMMAND} rc=$? [ -n "$g_nolock" ] || mutex_off else @@ -1056,7 +1076,7 @@ restart_command() { else [ -x $g_firewall ] || fatal_error "No $g_firewall file found" [ -n "$g_nolock" ] || mutex_on - run_it $g_firewall $g_debugging $COMMAND + run_it $g_firewall $COMMAND rc=$? [ -n "$g_nolock" ] || mutex_off fi @@ -1197,7 +1217,7 @@ safe_commands() { g_file="${VARDIR}/.$command" - if ! compiler $g_debugging nolock compile "$g_file"; then + if ! compiler compile "$g_file"; then status=$? exit $status fi @@ -1223,7 +1243,7 @@ safe_commands() { [ -n "$g_nolock" ] || mutex_on - if run_it ${VARDIR}/.$command $g_debugging $command; then + if run_it ${VARDIR}/.$command $command; then printf "Do you want to accept the new firewall configuration? [y/n] " @@ -1334,7 +1354,7 @@ try_command() { g_file="${VARDIR}/.$command" - if ! compiler $g_debugging $g_nolock compile "$g_file"; then + if ! compiler compile "$g_file"; then status=$? exit $status fi @@ -1356,7 +1376,7 @@ try_command() { [ -n "$g_nolock" ] || mutex_on - if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then + if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then sleep $timeout if [ "$command" = "reload" ]; then 
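Review bot: In `safe_commands()` the old call `compiler $g_debugging nolock compile "$g_file"` passed a literal `nolock`, so that compile step always ran without the lock, whereas `try_command()` passed `$g_nolock`; the replacement `compiler compile "$g_file"` removes that distinction, and unless `compiler()` now reads `$g_nolock` itself (its start is outside this hunk) safe-start/safe-restart and try now lock differently than before. If `compiler()` previously latched the keyword into `$g_nolock`, the later `[ -n "$g_nolock" ] || mutex_on` in the same function changes behaviour too, since it would now take the mutex where it used to skip it. Either restore the explicit setting before the call or document the decision next to it, e.g. `# locking is decided by $g_nolock; the former literal 'nolock' for this compile was dropped deliberately`. `safe_commands()` and `try_command()` both begin before their hunks.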
@@ -1606,6 +1626,10 @@ remote_commands() # $* = original arguments less the command. g_confess=Yes option=${option#T} ;; + D*) + g_trace=Yes + option=${option#D} + ;; *) option_error $option ;; @@ -1697,7 +1721,7 @@ remote_commands() # $* = original arguments less the command. exitstatus=0 - if compiler $g_debugging compiler "$g_file"; then + if compiler compiler "$g_file"; then progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." if rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}; then save=$(find_file save); @@ -1712,20 +1736,20 @@ remote_commands() # $* = original arguments less the command. progress_message3 "Copy complete" if [ $COMMAND = remote-reload ]; then - if rsh_command "$program $g_debugging $verbose $timestamp reload"; then + if rsh_command "$program $verbose $timestamp reload"; then progress_message3 "System $system reloaded" else exitstatus=$? savit= fi elif [ $COMMAND = remote-restart ]; then - if rsh_command "$program $g_debugging $verbose $timestamp restart"; then + if rsh_command "$program $verbose $timestamp restart"; then progress_message3 "System $system restarted" else exitstatus=$? saveit= fi - elif rsh_command "$program $g_debugging $verbose $timestamp start"; then + elif rsh_command "$program $verbose $timestamp start"; then progress_message3 "System $system started" else exitstatus=$? @@ -1733,7 +1757,7 @@ remote_commands() # $* = original arguments less the command. fi if [ -n "$saveit" ]; then - if rsh_command "$program $g_debugging $verbose $timestamp save"; then + if rsh_command "$program $verbose $timestamp save"; then progress_message3 "Configuration on system $system saved" else exitstatus=$? 
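Review bot: The remote invocations `rsh_command "$program $verbose $timestamp reload"` (and the `restart`, `start` and `save` variants) no longer forward the trace/debug setting, so `-T`/`-D` given to remote-start or remote-reload now affect only the local compile and the script on the remote host runs untraced; if that is intended the remote-* manpage entries should say so, otherwise forward an option string built from the parsed `-T`/`-D` the same way `$verbose` and `$timestamp` are. Separately, the context line `savit=` in the reload failure branch, against `saveit=` in the restart branch, looks like a pre-existing typo that leaves `$saveit` set after a failed remote reload so the `save` step still runs; worth fixing while this code is being touched. `remote_commands()` starts before these hunks.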
@@ -1816,7 +1840,7 @@ export_command() # $* = original arguments less the command. g_file="$g_shorewalldir/firewall" - if compiler $g_debugging compile "$g_file" && \ + if compiler compile "$g_file" && \ echo "Copying $file and ${file}.conf to ${target#*@}..." && \ scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target then @@ -1831,7 +1855,7 @@ export_command() # $* = original arguments less the command. run_command() { if [ -x $g_firewall ] ; then uptodate $g_firewall || echo " WARNING: $g_firewall is not up to date" >&2 - run_it $g_firewall $g_debugging $@ + run_it $g_firewall $@ else fatal_error "$g_firewall does not exist or is not executable" fi diff --git a/Shorewall6/configfiles/started b/Shorewall6/configfiles/started index 553d0278d..0ce22b62a 100644 --- a/Shorewall6/configfiles/started +++ b/Shorewall6/configfiles/started @@ -8,7 +8,7 @@ # firewall is completely up). # # This script should not change the firewall configuration directly but -# may do so indirectly by running /sbin/shorewall6 with the 'nolock' +# may do so indirectly by running /sbin/shorewall6 with the '-N' # option. # # See http://shorewall.org/shorewall_extension_scripts.htm for additional diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index 94130293d..05aeaa426 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -259,37 +259,6 @@ -
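Review bot: The changed line `run_it $g_firewall $@` leaves `$@` unquoted, so arguments containing spaces or glob characters are re-split and expanded before they reach the generated script; `run_it "$g_firewall" "$@"` passes them through intact. The `[ -x $g_firewall ]` test above it and the `uptodate $g_firewall` call deserve the same quoting, since `$g_firewall` presumably comes from configurable paths (its origin is outside the hunk). `export_command()`'s `scp ... $target` shows the same pattern but is not changed by this commit.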
- Having Shorewall Start Automatically at Boot Time - - The .rpm, .deb and .tgz all try to configure your startup scripts so - that Shorewall will start automatically at boot time. If you are using the - install.sh script from the .tgz and it cannot determine - how to configure automatic startup, a message to that effect will be - displayed. You will need to consult your distribution's documentation to - see how to integrate the /etc/init.d/shorewall script - into the distribution's startup mechanism. - - - Shorewall startup is disabled by default. Once you have - configured your firewall, you can enable startup by editing - /etc/shorewall/shorewall.conf and setting - STARTUP_ENABLED=Yes.. Note: Users of the .deb package must rather - edit /etc/default/shorewall and set - startup=1. - - - - If you use dialup or some flavor of PPP where your IP - address can change arbitrarily, you may want to start the firewall - in your /etc/ppp/ip-up.local script. I - recommend just placing /sbin/shorewall - restart in that script. - - - -
-
Saving a Working Configuration for Error Recovery and Fast Startup From d24179173ff663cd2a6f7622023b01aaaf8ccf26 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Mar 2020 13:19:46 -0700 Subject: [PATCH 07/14] Remove obsolete 'load' command from help text Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 1 - 1 file changed, 1 deletion(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index fed65b45c..0cae308e6 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -4323,7 +4323,6 @@ usage() # $1 = exit status echo " iptrace " fi - ecko " load [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" From 2604378646ba93152544260bf777440a412a82d8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Mar 2020 13:20:27 -0700 Subject: [PATCH 08/14] Add 'help' to the generated script's help text Signed-off-by: Tom Eastep --- Shorewall/Perl/prog.footer | 1 + 1 file changed, 1 insertion(+) diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index 7a00daa1d..dd818189b 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -42,6 +42,7 @@ usage() { echo " up " echo " savesets " echo " call [ ... ]" + echo " help" echo " version" echo " info" echo From a6c1cd6d7bc4bdf2fbf780ccb01c55f1818d61ba Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Mar 2020 13:22:05 -0700 Subject: [PATCH 09/14] Expand manpage text about trace/debug -> -T/-D change Signed-off-by: Tom Eastep --- Shorewall-core/manpages/shorewall.xml | 65 ++++++++++++++++++--------- 1 file changed, 45 insertions(+), 20 deletions(-) diff --git a/Shorewall-core/manpages/shorewall.xml b/Shorewall-core/manpages/shorewall.xml index ac71bb851..49a2b8945 100644 --- a/Shorewall-core/manpages/shorewall.xml +++ b/Shorewall-core/manpages/shorewall.xml @@ -1035,15 +1035,10 @@ -T - If the command invokes the generated firewall script, the - script's execution will be traced to standard error. This option - replaces the earlier trace - keyword. - - - If both -T and -D are specified, only the last one specified - will be in effect. - + Added in Shorewall 5.2.4 to replace the earlier + trace keyword.. If the command invokes the + generated firewall script, the script's execution will be traced to + standard error. 
@@ -1051,20 +1046,50 @@ -D - If the command invokes the generated firewall script, - individual invocations of the ip[6]tables utility will be used to - configure the ruleset rather than ip[6]tables-restore. This is - useful for diagnosing ip[6]tables-restore failures on a *COMMIT - command. The option replaces the earlier debug keyword. - - - If both -T and -D are specified, only the last one specified - will be in effect. - + Added in Shorewall 5.2.4 to replace the earlier debug keyword. + If the command invokes the generated firewall script, individual + invocations of the ip[6]tables utility will be used to configure the + ruleset rather than ip[6]tables-restore. This is useful for + diagnosing ip[6]tables-restore failures on a *COMMIT command. + + + Prior to Shorewall 5.2.4, the general syntax for a CLI command + was: + + + + + + + options + + command + + command-options + + command-arguments + + + Examples: + + shorewall debug -tv2 reload + shorewall trace check + shorewall nolock enable eth0 + + In Shorewall 5.2.4 and later, those commands would be: + + shorewall -Dtv2 reload + shorewall check -D + shorewall -N enable eth0 + + While not shown in the command synopses at the top of this page, + the keyword is still supported in Shorewall + 5.2.4 and later, but is deprecated in favor of the -option. + From 8496bf0ff343a0444be5e2fdf0e4db4403423b67 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 8 Mar 2020 13:22:25 -0700 Subject: [PATCH 10/14] Update Compiled Programs/Shorewall-lite article Signed-off-by: Tom Eastep --- docs/CompiledPrograms.xml | 391 ++++++++++++++++++-------------------- 1 file changed, 186 insertions(+), 205 deletions(-) diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index a3594d113..fb609e3d9 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -20,6 +20,8 @@ 2006-2010 + 2020 + Thomas M. Eastep 
@@ -227,10 +229,10 @@ cd <export directory> -/sbin/shorewall load firewall +/sbin/shorewall remote-startfirewall The load + url="starting_and_stopping_shorewall.htm#Load">remote-start command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via @@ -239,7 +241,8 @@ Example (firewall's DNS name is 'gateway'): - /sbin/shorewall load gateway + /sbin/shorewall remote-start + gateway Although scp and ssh are used by default, you can use other utilities by setting RSH_COMMAND and RCP_COMMAND in /etc/shorewall/shorewall.conf. @@ -261,119 +264,16 @@ then: cd <export directory> -/sbin/shorewall reload firewall +/sbin/shorewall remote-reload firewall The reload + url="manpages/shorewall.html">remote-reload command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and restarts Shorewall Lite on the remote system via ssh. The reload command also supports the '-c' + role="bold">remote-reload command also supports the '-c' option. - - I personally place a Makefile in each - export directory as follows: - -
- # Shorewall Packet Filtering Firewall Export Directory Makefile - V3.3 -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2006 - Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://www.shorewall.org -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -################################################################################ -# Place this file in each export directory. Modify each copy to set HOST -# to the name of the remote firewall corresponding to the directory. -# -# To make the 'firewall' script, type "make". -# -# Once the script is compiling correctly, you can install it by -# typing "make install". 
-# -################################################################################ -# V A R I A B L E S -# -# Files in the export directory on which the firewall script does not depend -# -IGNOREFILES = firewall% Makefile% trace% %~ -# -# Remote Firewall system -# -HOST = gateway -# -# Save some typing -# -LITEDIR = /var/lib/shorewall-lite -# -# Set this if the remote system has a non-standard modules directory -# -MODULESDIR= -# -# Default target is the firewall script -# -################################################################################ -# T A R G E T S -# -all: firewall -# -# Only generate the capabilities file if it doesn't already exist -# -capabilities: - ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities" - scp root@$(HOST):$(LITEDIR)/capabilities . -# -# Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that -# 'filter-out' will be presented with the list of files in this directory rather than "*" -# -firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities - shorewall compile -e . firewall -# -# Only reload on demand. -# -install: firewall - scp firewall firewall.conf root@$(HOST):$(LITEDIR) - ssh root@$(HOST) "/sbin/shorewall-lite restart" -# -# Save running configuration -# -save: - ssh root@$(HOST) "/sbin/shorewall-lite save" -# -# Remove generated files -# -clean: - rm -f capabilities firewall firewall.conf reload - -
- - That way, after I've changed the configuration, I can simply - type make or make - install. - - - The above Makefile is available at http://www.shorewall.org/pub/shorewall/contrib/Shorewall-lite/ - - - - I omit trace% because I often trace compiler execution while - I'm debugging new versions of Shorewall. -
@@ -410,63 +310,63 @@ clean: run Debian or one of its derivatives (see above). - The /sbin/shorewall-lite program included + The /sbin/shorewall-lite program (which is a + symbolic link pointing to /sbin/shorewall) included with Shorewall Lite supports the same set of commands as the /sbin/shorewall program in a full Shorewall installation with the following exceptions:
- add + action + + actions + + check compile - delete + export - refresh + macro - reload + macros - try + remote-getrc - safe-start + remote-getcaps + + remote-reload + + remote-restart + + remote-start + + safe-reload safe-restart - show actions + safe-start - show macros + try + + update
- On systems with only Shorewall Lite installed, I recommend that - you create a symbolic link /sbin/shorewall and - point it at /sbin/shorewall-lite. That way, you can - use shorewall as the command regardless of which - product is installed. - -
- ln -sf shorewall-lite /sbin/shorewall -
-
Module Loading - As with a normal Shorewall configuration, the shorewall.conf - file can specify LOAD_HELPERS_ONLY which determines if the - modules file (LOAD_HELPERS_ONLY=No) or - helpers file (LOAD_HELPERS_ONLY=Yes) is used. - Normally, the file on the firewall system is used. If you want to - specify modules at compile time on the Administrative System, then you - must place a copy of the appropriate file - (modules or helpers) in the - firewall's configuration directory before compilation. + Normally, the helpers file on the firewall + system is used. If you want to specify modules at compile time on the + Administrative System, then you must place a copy of the + helpers file in the firewall's configuration + directory before compilation. In Shorewall 4.4.17, the EXPORTMODULES option was added to shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any - modules or helpers file - found on the CONFIG_PATH on the Administrative System during - compilation will be used. + helpers file found on the CONFIG_PATH on the + Administrative System during compilation will be used.
@@ -503,10 +403,6 @@ clean: Install Shorewall Lite on the firewall system. - - If you are running Debian or one of its derivatives like - Ubuntu then edit /etc/default/shorewall-lite - and set startup=1. @@ -753,52 +649,126 @@ clean: kernel/iptables capabilities of the target system. Here is a sample file: -
- # -# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008 + +# Shorewall 5.2.3.3 detected the following iptables/netfilter capabilities - Mon 16 Sep 2019 01:32:20 PM PDT # -NAT_ENABLED=Yes -MANGLE_ENABLED=Yes -MULTIPORT=Yes -XMULTIPORT=Yes -CONNTRACK_MATCH=Yes -POLICY_MATCH=Yes -PHYSDEV_MATCH=Yes -PHYSDEV_BRIDGE=Yes -LENGTH_MATCH=Yes -IPRANGE_MATCH=Yes -RECENT_MATCH=Yes -OWNER_MATCH=Yes -IPSET_MATCH=Yes -CONNMARK=Yes -XCONNMARK=Yes -CONNMARK_MATCH=Yes -XCONNMARK_MATCH=Yes -RAW_TABLE=Yes -IPP2P_MATCH= -CLASSIFY_TARGET=Yes -ENHANCED_REJECT=Yes -KLUDGEFREE=Yes -MARK=Yes -XMARK=Yes -MANGLE_FORWARD=Yes -COMMENTS=Yes +ACCOUNT_TARGET= ADDRTYPE=Yes -TCPMSS_MATCH=Yes +AMANDA_HELPER= +ARPTABLESJF= +AUDIT_TARGET=Yes +BASIC_EMATCH=Yes +BASIC_FILTER=Yes +CAPVERSION=50200 +CHECKSUM_TARGET=Yes +CLASSIFY_TARGET=Yes +COMMENTS=Yes +CONDITION_MATCH= +CONNLIMIT_MATCH=Yes +CONNMARK_MATCH=Yes +CONNMARK=Yes +CONNTRACK_MATCH=Yes +CPU_FANOUT=Yes +CT_TARGET=Yes +DSCP_MATCH=Yes +DSCP_TARGET=Yes +EMULTIPORT=Yes +ENHANCED_REJECT=Yes +EXMARK=Yes +FLOW_FILTER=Yes +FTP0_HELPER= +FTP_HELPER=Yes +FWMARK_RT_MASK=Yes +GEOIP_MATCH= +GOTO_TARGET=Yes +H323_HELPER= HASHLIMIT_MATCH=Yes +HEADER_MATCH= +HELPER_MATCH=Yes +IFACE_MATCH= +IMQ_TARGET= +IPMARK_TARGET= +IPP2P_MATCH= +IPRANGE_MATCH=Yes +IPSET_MATCH_COUNTERS=Yes +IPSET_MATCH_NOMATCH=Yes +IPSET_MATCH=Yes +IPSET_V5=Yes +IPTABLES_S=Yes +IRC0_HELPER= +IRC_HELPER=Yes +KERNELVERSION=41900 +KLUDGEFREE=Yes +LENGTH_MATCH=Yes +LOGMARK_TARGET= +LOG_TARGET=Yes +MANGLE_ENABLED=Yes +MANGLE_FORWARD=Yes +MARK_ANYWHERE=Yes +MARK=Yes +MASQUERADE_TGT=Yes +MULTIPORT=Yes +NAT_ENABLED=Yes +NAT_INPUT_CHAIN=Yes +NETBIOS_NS_HELPER= +NETMAP_TARGET=Yes +NEW_CONNTRACK_MATCH=Yes +NEW_TOS_MATCH=Yes +NFACCT_MATCH=Yes +NFLOG_SIZE=Yes +NFLOG_TARGET=Yes NFQUEUE_TARGET=Yes +OLD_CONNTRACK_MATCH= +OLD_HL_MATCH= +OLD_IPP2P_MATCH= +OLD_IPSET_MATCH= +OWNER_MATCH=Yes +OWNER_NAME_MATCH=Yes +PERSISTENT_SNAT=Yes +PHYSDEV_BRIDGE=Yes 
+PHYSDEV_MATCH=Yes +POLICY_MATCH=Yes +PPTP_HELPER= +RAW_TABLE=Yes REALM_MATCH=Yes -CAPVERSION=40190 -
+REAP_OPTION=Yes +RECENT_MATCH=Yes +RESTORE_WAIT_OPTION=Yes +RPFILTER_MATCH=Yes +SANE0_HELPER= +SANE_HELPER= +SIP0_HELPER= +SIP_HELPER= +SNMP_HELPER= +STATISTIC_MATCH=Yes +TARPIT_TARGET= +TCPMSS_MATCH=Yes +TCPMSS_TARGET=Yes +TFTP0_HELPER= +TFTP_HELPER= +TIME_MATCH=Yes +TPROXY_TARGET=Yes +UDPLITEREDIRECT= +ULOG_TARGET= +WAIT_OPTION=Yes +XCONNMARK_MATCH=Yes +XCONNMARK=Yes +XMARK=Yes +XMULTIPORT=Yes As you can see, the file contains a simple list of shell variable assignments — the variables correspond to the capabilities listed by the shorewall show capabilities command and they appear in the same order as the output of that command. - To aid in creating this file, Shorewall Lite includes a - shorecap program. The program is installed in the - /usr/share/shorewall-lite/ + The capabilities file can be generated automatically from the + administrative system by using the remote-getcaps + command. Should that option fail for any reason, the file can be generated + manually on the remote firewall. + + To aid in creating this file on the remote firewall, Shorewall Lite + includes a shorecap program. The program is installed + in the /usr/share/shorewall-lite/ directory and may be run as follows:
@@ -825,41 +795,52 @@ CAPVERSION=40190 show capabilities command shows the kernel's current capabilities; it does not attempt to load additional kernel modules. + + Once generated, the file can be copied manually to the + administrative system.
Running compiled programs directly - Compiled firewall programs are complete shell programs that support - the following command line forms: + Compiled firewall programs are complete shell programs that may be + run directly. Here is the output from the program's help command + (Shorewall version 5.2.4) -
- - <program> [ -q ] [ -v ] [ -n ] - start + <program> [ options ] <command> - <program> [ -q ] [ -v ] [ -n ] - stop +<command> is one of: + start + stop + clear + disable <interface> + down <interface> + enable <interface> + reset + reenable <interface> + refresh + reload + restart + run <command> [ <parameter> ... ] + status + up <interface> + savesets <file> + call <function> [ <parameter> ... ] + help + version + info - <program> [ -q ] [ -v ] [ -n ] - clear +Options are: - <program> [ -q ] [ -v ] [ -n ] - refresh - - <program> [ -q ] [ -v ] [ -n ] - reset - - <program> [ -q ] [ -v ] [ -n ] - restart - - <program> [ -q ] [ -v ] [ -n ] - status - - <program> [ -q ] [ -v ] [ -n ] - version - -
+ -v and -q Standard Shorewall verbosity controls + -n Don't update routing configuration + -p Purge Conntrack Table + -t Timestamp progress Messages + -c Save/restore iptables counters + -V <verbosity> Set verbosity explicitly + -R <file> Override RESTOREFILE setting + -T Trace execution + The options have the same meanings as when they are passed to /sbin/shorewall itself. The default VERBOSITY level From e82307f61e9a6627163543af57b68bc6d2e7f469 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 10 Mar 2020 11:03:02 -0700 Subject: [PATCH 11/14] Add empty target files 5.2.4-Beta1 Signed-off-by: Tom Eastep --- Shorewall-core/Shorewall-core-targetname | 2 +- Shorewall-lite/Shorewall-lite-targetname | 2 +- Shorewall/Shorewall-targetname | 2 +- Shorewall6-lite/Shorewall6-lite-targetname | 2 +- Shorewall6/Shorewall6-targetname | 2 +- docs/docs-targetname | 2 +- docs/images/docs-images-targetname | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Shorewall-core/Shorewall-core-targetname b/Shorewall-core/Shorewall-core-targetname index a29e62721..a67fd130b 100644 --- a/Shorewall-core/Shorewall-core-targetname +++ b/Shorewall-core/Shorewall-core-targetname @@ -1 +1 @@ -5.2.3.7 \ No newline at end of file +5.2.4-Beta1 \ No newline at end of file diff --git a/Shorewall-lite/Shorewall-lite-targetname b/Shorewall-lite/Shorewall-lite-targetname index a29e62721..a67fd130b 100644 --- a/Shorewall-lite/Shorewall-lite-targetname +++ b/Shorewall-lite/Shorewall-lite-targetname @@ -1 +1 @@ -5.2.3.7 \ No newline at end of file +5.2.4-Beta1 \ No newline at end of file diff --git a/Shorewall/Shorewall-targetname b/Shorewall/Shorewall-targetname index a29e62721..a67fd130b 100644 --- a/Shorewall/Shorewall-targetname +++ b/Shorewall/Shorewall-targetname @@ -1 +1 @@ -5.2.3.7 \ No newline at end of file +5.2.4-Beta1 \ No newline at end of file 
diff --git a/Shorewall6-lite/Shorewall6-lite-targetname b/Shorewall6-lite/Shorewall6-lite-targetname index a29e62721..a67fd130b 100644 --- a/Shorewall6-lite/Shorewall6-lite-targetname +++ b/Shorewall6-lite/Shorewall6-lite-targetname @@ -1 +1 @@ -5.2.3.7 \ No newline at end of file +5.2.4-Beta1 \ No newline at end of file diff --git a/Shorewall6/Shorewall6-targetname b/Shorewall6/Shorewall6-targetname index a29e62721..a67fd130b 100644 --- a/Shorewall6/Shorewall6-targetname +++ b/Shorewall6/Shorewall6-targetname @@ -1 +1 @@ -5.2.3.7 \ No newline at end of file +5.2.4-Beta1 \ No newline at end of file diff --git a/docs/docs-targetname b/docs/docs-targetname index a29e62721..a67fd130b 100644 --- a/docs/docs-targetname +++ b/docs/docs-targetname @@ -1 +1 @@ -5.2.3.7 \ No newline at end of file +5.2.4-Beta1 \ No newline at end of file diff --git a/docs/images/docs-images-targetname b/docs/images/docs-images-targetname index a29e62721..a67fd130b 100644 --- a/docs/images/docs-images-targetname +++ b/docs/images/docs-images-targetname @@ -1 +1 @@ -5.2.3.7 \ No newline at end of file +5.2.4-Beta1 \ No newline at end of file From 3222a380c38d480b11514b0df78b5f16748c5ebf Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 10 Mar 2020 12:23:00 -0700 Subject: [PATCH 12/14] Update the Starting and Stopping document Signed-off-by: Tom Eastep --- docs/starting_and_stopping_shorewall.xml | 46 +++++++++++++++++++++--- 1 file changed, 42 insertions(+), 4 deletions(-) diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index 05aeaa426..09d475f17 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -26,6 +26,8 @@ 2007 + 2020 + Thomas M. Eastep @@ -201,6 +203,40 @@
+
+ systemd + + As with SysV init described in the preceeding section, the behavior + of systemctl commands differ from the Shorewall CLI commands on + Debian-based systems. To make systemctl stop shorewall[-lite] and + systemctl restart shorewall[-lite] behave like shorewall stop and + shorewall restart, use this workaround provided by J Cliff + Armstrong: + + Type (as root): + + systemctl edit shorewall.service + + This will open the default terminal editor to a blank file in which + you can paste the following: + + [Service] +# reset ExecStop ExecStop= +# set ExecStop to "stop" instead of "clear" +ExecStop=/sbin/shorewall $OPTIONS stop + + Then type + + systemctl daemon-reload + + to activate the changes. This change will survive future updates of + the shorewall package from apt repositories. The override file itself will + be saved to `/etc/systemd/system/shorewall.service.d/`. + + The same workaround may be applied to the other Shorewall products + (excluding Shorewall Init). +
+
Tracing Command Execution and other Debugging Aids @@ -211,7 +247,8 @@ Example: - shorewall trace check -r + shorewall trace check -r # Shorewall versions prior to 5.2.4 +shorewall check -D # Shorewall versions 5.2.4 and later This produces a large amount of diagnostic output to standard out during the compilation step. If the command invokes the compiled firewall @@ -224,10 +261,11 @@ Example: - shorewall debug restart + shorewall debug restart # Shorewall versions prior to 5.2.4 +shorewall -D restart # Shorewall versions 5.2.4 and later - debug causes altered behavior of - scripts generated by the Shorewall compiler. These scripts normally use + debug (-D) causes altered behavior + of scripts generated by the Shorewall compiler. These scripts normally use ip[6]tables-restore to install the Netfilter ruleset, but with debug, the commands normally passed to iptables-restore in its input file are passed individually to ip[6]tables. This is a diagnostic aid which allows From a2e56492df16997cab30ba35b9520c616b9ca763 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 9 Mar 2020 11:44:33 -0700 Subject: [PATCH 13/14] Correct mangle file contents in QOSExample.html Signed-off-by: Tom Eastep --- docs/QOSExample.xml | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/docs/QOSExample.xml b/docs/QOSExample.xml index 034b22c60..c5099f28d 100644 --- a/docs/QOSExample.xml +++ b/docs/QOSExample.xml @@ -20,6 +20,8 @@ 2012 + 2020 + Thomas M. Eastep 
@@ -295,23 +297,23 @@ ip link set ifb0 up
 The mangle file classifies upload packets:
- #MARK SOURCE DEST PROTO DPORT SPORT USER TEST
+ #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
 RESTORE:T - - - - - - !0:C
 CONTINUE:T - - - - - - !0
-2:T - - icmp
-1:T - - udp $UDP_VOIP - - 0
-1:T $IP_VOIP - - - - - 0
-1:T - $IP_VOIP - - - - 0
-2:T - - tcp $TCP_PRIO - - 0
-2:T - - udp $UDP_PRIO - - 0
-2:T - - tcp - $TCP_PRIO - 0
-2:T - - udp - $UDP_PRIO - 0
-3:T - - tcp $TCP_NORMAL - - 0
-4:T - - ipp2p:all - - - 0
-5:T - - tcp $TCP_BULK - - 0
-5:T - - tcp - $TCP_BULK - 0
-5:T - - udp $UDP_BULK - - 0
-5:T - - udp - $UDP_BULK - 0
+MARK(2):T - - icmp
+MARK(1):T - - udp $UDP_VOIP - - 0
+MARK(1):T $IP_VOIP - - - - - 0
+MARK(1):T - $IP_VOIP - - - - 0
+MARK(2):T - - tcp $TCP_PRIO - - 0
+MARK(2):T - - udp $UDP_PRIO - - 0
+MARK(2):T - - tcp - $TCP_PRIO - 0
+MARK(2):T - - udp - $UDP_PRIO - 0
+MARK(3):T - - tcp $TCP_NORMAL - - 0
+MARK(4):T - - ipp2p:all - - - 0
+MARK(5):T - - tcp $TCP_BULK - - 0
+MARK(5):T - - tcp - $TCP_BULK - 0
+MARK(5):T - - udp $UDP_BULK - - 0
+MARK(5):T - - udp - $UDP_BULK - 0
 SAVE:T - - - - - - !0
From c80462c283c5984ec9cf2ba04125334c6323c1c8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 10 Mar 2020 14:18:26 -0700
Subject: [PATCH 14/14] Update Config File Basics document
Signed-off-by: Tom Eastep
---
 docs/configuration_file_basics.xml | 77 +++++++++++++++++++++---------
 1 file changed, 55 insertions(+), 22 deletions(-)
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 6278073f1..ef5ed593f 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
- 2001-2019
+ 2001-2020
 Thomas M. Eastep
@@ -56,7 +56,7 @@ Shorewall is required reading for being able to use this article effectively. For information about setting up your first Shorewall-based firewall, see the Quickstart
- Guides.in
+ Guides.
@@ -327,6 +327,39 @@ page for that file is 'shorewall.conf': man shorewall.conf
+
+ Parts of this and other articles are also available as
+ manpages:
+
+
+
+ shorewall-addresses(5)
+
+
+
+ shorewall-exclusion(5)
+
+
+
+ shorewall-files(5)
+
+
+
+ shorewall-ipsets(5)
+
+
+
+ shorewall-logging(5)
+
+
+
+ shorewall-names(5)
+
+
+
+ shorewall-nesting(5)
+
@@ -534,7 +567,7 @@ ACCEPT net:\
 readability as in:
- { proto=>udp, port=1024
+ { proto=>udp, dport=1024
 }
@@ -545,13 +578,14 @@ ACCEPT net:\
 ; proto:udp,
- port:1024
+ dport:1024
 This form is incompatible with INLINE_MATCHES=Yes. See the INLINE_MATCHES option in shorewall.conf(5).
+ url="manpages/shorewall.conf.html">shorewall.conf(5), if you
+ are running a version of Shorewall earlier than 5.0..
@@ -1509,16 +1543,15 @@ SSH(ACCEPT) net:$MYIP $FW
     /etc/shorewall/params NET_IF=eth0
- NET_BCAST=130.252.100.255
 NET_OPTIONS=routefilter,routefilter     /etc/shorewall/interfaces record:
- net $NET_IF $NET_BCAST $NET_OPTIONS
+ net $NET_IF $NET_OPTIONS
     The result will be the same as if the record had been written
- net eth0 130.252.100.255 routefilter,routefilter
+ net eth0 routefilter,routefilter
@@ -2193,7 +2226,7 @@ SSH(ACCEPT) net:$MYIP $FW
 Beginning with Shorewall 4.5.11, the compiler's environmental
- variables are search last rather than first.
+ variables are searched last rather than first.
 If the variable is still not
@@ -2704,9 +2737,10 @@ POP(ACCEPT) loc net:pop.gmail.com
IP Address Ranges
- If you kernel and iptables have iprange match support, you may use
- IP address ranges in Shorewall configuration file entries; IP address
- ranges have the syntax <low IP
+ If you kernel and iptables have iprange
+ match support, you may use IP
+ address ranges in Shorewall configuration file entries; IP address ranges
+ have the syntax <low IP
 address>-<high IP address>. Example: 192.168.1.5-192.168.1.12.
@@ -2714,16 +2748,15 @@ POP(ACCEPT) loc net:pop.gmail.com
 the shorewall show capabilities command: >~ shorewall show capabilities
-...
 Shorewall has detected the following iptables/netfilter capabilities:
- NAT: Available
- Packet Mangling: Available
- Multi-port Match: Available
- Connection Tracking Match: Available
- Packet Type Match: Not available
- Policy Match: Available
- Physdev Match: Available
- IP range Match: Available <--------------
+ ACCOUNT Target (ACCOUNT_TARGET): Not available
+ Address Type Match (ADDRTYPE): Available
+ Amanda Helper: Available
+...
+ IPMARK Target (IPMARK_TARGET): Not available
+ IPP2P Match (IPP2P_MATCH): Not available
+ IP range Match(IPRANGE_MATCH): Available <================
@@ -2860,7 +2893,7 @@ neighbour-solicitation => 135
 neighbour-advertisement => 136
 redirect => 137
- Shorewall 4.4 does not accept lists if ICMP (ICMP6) types prior to
+ Shorewall 4.4 does not accept lists of ICMP (ICMP6) types prior to
 Shorewall 4.4.19.