holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Bring trunk up to date with branches/4.0/

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7312 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-09-10 15:52:57 +00:00
parent a06ad0e518
commit 6141995184
54 changed files with 1141 additions and 1274 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-common/README.txt
View File

@ -1 +1 @@
This is the Shorewall-common Development 4.1 branch of SVN.
This is the Shorewall-common Stable 4.0 branch of SVN.

2
Shorewall-common/action.Drop
View File

@ -32,7 +32,7 @@ dropBcast
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid

6
Shorewall-common/action.Reject
View File

@ -16,7 +16,7 @@
###############################################################################
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' REJECT
# Don't log 'auth' -- REJECT
#
Auth/REJECT
#
@ -29,13 +29,13 @@ dropBcast
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Reject Microsoft noise so that it doesn't clutter up the lot.
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB/REJECT
DropUPnP

102
Shorewall-common/changelog.txt
View File

@ -1,3 +1,105 @@
Changes in 4.0.4
1) Fix 'refresh' with light-weight shells.
2) Various fixes for proxyarp.
3) Fix 'refresh' run-time error.
4) Cleaner behavior if module-init-tools not installed.
5) Fix [re-]initialization problems in Shorewall::Tc.
6) Make compile-time check for iptables-restore.
Changes in 4.0.3
1) Streamline the checking for builtin chains in the accounting file.
2) Don't try to write/restore /etc/iproute2/rt_tables if it isn't
writable.
3) Allow Shorewall-perl compiler and libraries to be installed
anywhere.
4) Add KEEP_RT_TABLES option.
5) Other provider changes.
6) Fix LOG target in Shorewall-shell.
7) Faster log processing.
8) Tweak handling of CLASSID in process_tc_rule().
9) Restore 3.4 'stop/clear/reset' behavior and make new behavior
optional.
10) Add act_police to modules file.
11) Add 'mss' interface option.
12) Add TCPMSS_MATCH to show capabilities -f.
13) Insure a space between log prefix and IN=.
14) Provide ESTABLISHED,RELATED rules for inappropriate CONTINUE policy
15) Add hashlimit match detection.
16) Fix 'add' and 'delete' when interface name contains special char.
17) Fix PREROUTING track fiasco.
18) Add NFQUEUE support.
19) Allow refresh of chains other than 'blacklst'.
20) Allow INCLUDE in run-time extension scripts.
21) Fix zone sort.
Changes in 4.0.2
1) Another ECN fix in Shorewall-perl.
2) Make 'state match' detection in Shorewall-perl quiet.
3) Detect port range in list without XMULTIPORT.
4) Move lockfile handling from 'firewall' to 'shorewall' and lib.cli.
5) Don't detect routed networks and interfaces addresses during
'restore'.
6) Upcase some global variables in the generated script.
7) Remove some 'chain_base' mapping.
8) Eliminate a couple of global variables in the Chains module.
9) Cosmetic change to generated script.
10) Allow tc configuration on bridge ports.
11) Fix add/delete problem when Shorewall-shell is not installed.
12) Don't overwrite ${VARDIR}/chains and ${VARDIR}/zones during
'refresh'.
13) Correct some error messages.
14) Correct calculations involving number of keys in a hash.
15) Load xt_multiport.
16) Apply Günter Niedermeier's patch for multiport.
17) Honor the BROADCAST column when address type match is not
available.
18) Fix accounting.
Changes in 4.0.1
1) Add EXPAND_POLICIES.

3
Shorewall-common/ecn
View File

@ -3,7 +3,8 @@
#
# For information about entries in this file, type "man shorewall-ecn"
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-ecn.html
#
###############################################################################
#INTERFACE HOST(S)

2
Shorewall-common/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.0.3
VERSION=4.0.4
usage() # $1 = exit status
{

45
Shorewall-common/firewall
View File

@ -422,49 +422,14 @@ clear_firewall() {
delete_proxy_arp() {
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
case $COMMAND in
stop|clear)
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
;;
*)
if [ -n "$STOPPING" ]; then
qt arp -i $external -d $address pub
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
else
qt arp -i $external -d $address pub
if [ -z "$haveroute" ];then
[ -n "$NOROUTE" ] || qt ip route del $address dev $interface
fi
fi
;;
esac
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
interface=/proc/sys/net/ipv4/conf/$interface
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
done < ${VARDIR}/proxyarp
rm -f ${VARDIR}/proxyarp
fi
[ -d ${VARDIR} ] && touch ${VARDIR}/proxyarp
case $COMMAND in
stop|clear)
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
;;
*)
if [ -n "$STOPPING" ]; then
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
else
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
fi
;;
esac
rm -f ${VARDIR}/proxyarp
}
#

3
Shorewall-common/hosts
View File

@ -3,7 +3,8 @@
#
# For information about entries in this file, type "man shorewall-hosts"
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
#ZONE HOST(S) OPTIONS

2
Shorewall-common/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.3
VERSION=4.0.4
usage() # $1 = exit status
{

4
Shorewall-common/interfaces
View File

@ -3,8 +3,8 @@
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS

3
Shorewall-common/masq
View File

@ -3,7 +3,8 @@
#
# For information about entries in this file, type "man shorewall-masq"
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK

4
Shorewall-common/modules
View File

@ -9,8 +9,8 @@
# dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2.
#
# For additional information, see
# http://shorewall.net/Documentation.htm#modules
# If you need to modify this file, copy it to /etc/shorewall and modify the
# copy.
#
###############################################################################
#

3
Shorewall-common/policy
View File

@ -3,7 +3,8 @@
#
# For information about entries in this file, type "man shorewall-policy"
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST

529
Shorewall-common/releasenotes.txt
View File

@ -1,6 +1,6 @@
Shorewall 4.0.1
Shorewall 4.0 Patch release 4
----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S
R E L E A S E 4 . 0 H I G H L I G H T S
----------------------------------------------------------------------------
1) This is the first Shorewall release that fully integrates the new
Shorewall-perl compiler. See the "New Features" section below.
@ -25,106 +25,47 @@ Shorewall 4.0.1
Shorewall-perl compiler. This support utilizes the reduced-function
physdev match support available in Linux kernel 2.6.20 and later.
Problems corrected in 4.0.1.
Problems Corrected in Shorewall 4.0.4
1) The Shorewall Lite installer was producing an empty shorewall-lite
manpage. Since the installer runs as part of creating the RPM, the
RPM also suffered from this problem. The 4.0.0 Shorewall-lite
packages were re-uploaded with this problem corrected.
1) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the 'start' and 'restart' command fail:
2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
rather than /sbin/shorewall-lite.
ERROR: No filter chain found with name blacklst
3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
uninstaller correctly does "shorewall-lite clear" and both
uninstallers only perform the 'clear' operation if the other
product is not installed. This prevents the removal of one of the
two products from clearing the firewall configuration established
by the other one.
New Shorewall-perl 4.0.3 packages were released that corrected this
problem; it is included here for completeness.
4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
Shorewall-perl. If the zone type was changed to 'ipsec' or
'ipsec4' and the 'ipsec' option removed from the hosts file entry,
the configuration worked properly.
2) If no interface had the 'blacklist' option, then when using
Shorewall-perl, the generated script would issue this harmless
message during 'shorewall refresh':
5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
Shorewall-perl produced the following:
chainlist_reload: Not found
Compiling...
Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
3) If /bin/sh was a light-weight shell such as ash or dash, then
'shorewall refresh' failed.
6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
locating the binary using the PATH environmental variable rather
than the PATH setting in shorewall.conf. If no PATH was available
when Shorewall-perl was run and IPTABLES was not set in
shorewall.conf, the following messages were issued:
4) During start/restart, the script generated by Shorewall-perl is
clearing the proxy_arp flag on all interfaces; that is not the
documented behavior.
Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
ERROR: Can't find iptables executable
ERROR: Shorewall restart failed
5) If the module-init-tools package was not installed and
/etc/shorewall/modules did not exist or was non-empty, then
Shorewall-perl would fail with the message:
7) If the "Mangle FORWARD Chain" capability was supported, entries in
the /etc/shorewall/ecn file would cause invalid iptables commands
to be generated. This problem occurred with both compilers.
ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
8) Shorewall now starts at reboot after an upgrade from shorewall <
4.0.0. Previously, Shorewall was not started automatically at
reboot after an upgrade using the RPM.
6) Shorewall-perl now makes a compile-time check to insure that
iptables-restore exists and is executable. This check is made when
the compiler is being run by root and the -e option is not
given.
9) Shorewall-perl was generating invalid iptables-restore input when a
log level was specified with the dropBcast and allowBcast builtin
actions and when a log level followed by '!' was used with any
builtin actions.
Note that iptables-restore must reside in the same directory as the
iptables executable specified by IPTABLES in shorewall.conf or
located by the PATH in the event that IPTABLES is not specified.
10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
time in rate-limiting specifications.
Other Changes in Shorewall 4.0.4
11) Certain errors occurring during
start/restart/safe-start/safe-restart/try processing could cause
the lockfile to be left behind. This resulted in a 60-second delay
the next time one of these commands was run.
Other changes in Shorewall 4.0.1.
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
option is recognized by Shorewall-perl and is ignored by
Shorewall-shell.
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
contains 'all', a single policy chain is created and the policy is
enforced in that chain. For example, if the policy entry is
#SOURCE DEST POLICY LOG
# LEVEL
net all DROP info
then the chain name is 'net2all' which is also the chain named in
Shorewall log messages generated as a result of the policy. If
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
chain for each pair of zones covered by the policy. This makes the
resulting log messages easier to interpret since the chain in the
messages will have a name of the form 'a2b' where 'a' is the SOURCE
zone and 'b' is the DEST zone. See
http://linuxman.wikispaces.com/PPPPPPS for more information.
2) The Shorewall-perl dependency on the "Address Type Match"
capability has been relaxed. This allows Shorewall 4.0.1 to be used
on releases like RHEL4 that don't support that capability.
3) Shorewall-perl now detects dead policy file entries that result
when an entry is masked by an earlier entry. Example:
all all REJECT info
loc net ACCEPT
4) Recent kernels are apparently hard to configure and we have been
seeing a lot of problem reports where the root cause is the lack of
state match support in the kernel. This problem is difficult to
diagnose when using Shorewall-perl so the generated shell program
now checks specifically for this problem and terminates with an
error if the capability doesn't exist.
None.
Migration Considerations:
@ -712,6 +653,7 @@ Migration Considerations:
- Perl File::Basename Module
- Perl File::Temp Module
- Perl Getopt::Long Module
- Perl FindBin Module
------------------------------------------------------------------------
U S I N G T H E N E W C O M P I L E R
------------------------------------------------------------------------
@ -871,6 +813,12 @@ Migration Considerations:
supplimented with a stack trace. Requires the Carp Perl
module.
--refresh=<chainlist>
If given, the compiled script's 'refresh' command will refresh
the chains in the comma-separated <chainlist> rather than
'blacklst'.
Example (compiles the configuration in the current directory
generating a script named 'firewall' and using VERBOSITY
2).
@ -893,7 +841,7 @@ Migration Considerations:
use lib '/usr/share/shorewall-perl';
use Shorewall::Compiler;
compiler $filename, $directory, $verbose, $options
compiler $filename, $directory, $verbose, $options $chains
The arguments to the compiler function are as follows:
@ -913,6 +861,10 @@ Migration Considerations:
EXPORT = 0x01
TIMESTAMP = 0x02
$chains - A comma-separated list of chains that the
generated script's 'refresh' command will
reload.
The compiler raises an exception with 'die' if it encounters an
error; $@ contains the 'ERROR' messages describing the problem.
@ -988,3 +940,400 @@ Migration Considerations:
To use this feature with Shorewall-lite, all packages involved
(compiler, shorewall-common and shorewall-lite) must be version
4.0.0-RC2 or later.
Problems corrected in 4.0.1.
1) The Shorewall Lite installer was producing an empty shorewall-lite
manpage. Since the installer runs as part of creating the RPM, the
RPM also suffered from this problem. The 4.0.0 Shorewall-lite
packages were re-uploaded with this problem corrected.
2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
rather than /sbin/shorewall-lite.
3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
uninstaller correctly does "shorewall-lite clear" and both
uninstallers only perform the 'clear' operation if the other
product is not installed. This prevents the removal of one of the
two products from clearing the firewall configuration established
by the other one.
4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
Shorewall-perl. If the zone type was changed to 'ipsec' or
'ipsec4' and the 'ipsec' option removed from the hosts file entry,
the configuration worked properly.
5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
Shorewall-perl produced the following:
Compiling...
Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
locating the binary using the PATH environmental variable rather
than the PATH setting in shorewall.conf. If no PATH was available
when Shorewall-perl was run and IPTABLES was not set in
shorewall.conf, the following messages were issued:
Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
ERROR: Can't find iptables executable
ERROR: Shorewall restart failed
7) If the "Mangle FORWARD Chain" capability was supported, entries in
the /etc/shorewall/ecn file would cause invalid iptables commands
to be generated. This problem occurred with both compilers.
8) Shorewall now starts at reboot after an upgrade from shorewall <
4.0.0. Previously, Shorewall was not started automatically at
reboot after an upgrade using the RPM.
9) Shorewall-perl was generating invalid iptables-restore input when a
log level was specified with the dropBcast and allowBcast builtin
actions and when a log level followed by '!' was used with any
builtin actions.
10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
time in rate-limiting specifications.
11) Certain errors occurring during
start/restart/safe-start/safe-restart/try processing could cause
the lockfile to be left behind. This resulted in a 60-second delay
the next time one of these commands was run.
Other changes in Shorewall 4.0.1.
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
option is recognized by Shorewall-perl and is ignored by
Shorewall-shell.
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
contains 'all', a single policy chain is created and the policy is
enforced in that chain. For example, if the policy entry is
#SOURCE DEST POLICY LOG
# LEVEL
net all DROP info
then the chain name is 'net2all' which is also the chain named in
Shorewall log messages generated as a result of the policy. If
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
chain for each pair of zones covered by the policy. This makes the
resulting log messages easier to interpret since the chain in the
messages will have a name of the form 'a2b' where 'a' is the SOURCE
zone and 'b' is the DEST zone. See
http://linuxman.wikispaces.com/PPPPPPS for more information.
2) The Shorewall-perl dependency on the "Address Type Match"
capability has been relaxed. This allows Shorewall 4.0.1 to be used
on releases like RHEL4 that don't support that capability.
3) Shorewall-perl now detects dead policy file entries that result
when an entry is masked by an earlier entry. Example:
all all REJECT info
loc net ACCEPT
4) Recent kernels are apparently hard to configure and we have been
seeing a lot of problem reports where the root cause is the lack of
state match support in the kernel. This problem is difficult to
diagnose when using Shorewall-perl so the generated shell program
now checks specifically for this problem and terminates with an
error if the capability doesn't exist.
Problems corrected in 4.0.2
1) The Shorewall-perl compiler was still generating invalid
iptables-restore input from entries in /etc/shorewall/ecn.
2) When using Shorewall-perl, unless an interface was specified as
'optional' in the interfaces file, the 'restore' command would
fail if the routes through the interface or the addresses on the
interface could not be detected.
Route detection occurs when the interface is named in the SOURCE
column of the masq file. Address detection occurs when
DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
or REDIRECT rule or when 'maclist' is specified for the interface.
Since the 'restore' command doesn't use the detected information,
detection is now skipped if the command is 'restore'.
3) It was not previously possible to define traffic shaping on a
bridge port; the generated script complained that the
interface was not up and configured.
4) When Shorewall-shell was not installed, certain options in
/etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
'add' and 'delete' commands to fail with a missing library error.
OPTION FILE
maclist interfaces,hosts
proxyarp interfaces
5) The /var/lib/shorewall/zones file was being overwritten during
processing of the 'refresh' command by a script generated with
Shorewall-perl. The result was that hosts previously added to
dynamic zones could not be deleted after the 'refresh'.
6) If the file named as the output file in a Shorewall-perl 'compile'
command was a symbolic link, the generated error message
erroneously stated that the file's parent directory was a symbolic
link.
As part of this change, cosmetic changes were made to a number of
other error messages.
7) Some intra-zone rules were missing when a zone involved multiple
interfaces or when a zone included both IPSEC and non-IPSEC
networks.
8) Shorewall was not previously loading the xt_multiport kernel
module.
9) The Russian and French translations no longer have English headings
on notes, cautions, etc..
10) Previously, using a port list in the DEST PORT(S) column of the
rules file or in an action file could cause an invalid iptables
command to be generated by Shorewall-shell.
11) If there were no bridges in a configuration, Shorewall-perl would
ignore the CHAIN column in /etc/shorewall/accounting.
Other changes in 4.0.2
1) Shorewall-perl now detects when a port range is included in a list
of ports and iptables/kernel support for Extended Multi-port Match
is not available. This avoids an iptables-restore failure at
run-time.
2) Most chains created by Shorewall-shell have names that can be
embedded within shell variable names. This is a workaround for
limitations in the shell programming language which has no
equivalent to Perl hashes. Often chain names must have the name of
a network interface encoded in them. Given that interface names can
contain characters that are invalid in a shell variable name,
Shorewall-shell performs a name mapping which was carried forward to
Shorewall-perl:
- Trailing '+' is dropped.
- The characters ".", "-", "%' and "@" are translated to "_".
This mapping has been elminated in the 4.0.2 release of Shorewall-
perl. So where before you would see chain "eth0_0_in", you may now
see the same chain named "eth0.0_in". Similarly, a chain previously
named "ppp_fwd" may now be called "ppp+_fwd".
3) Shorewall-perl now uses the contents of the BROADCAST column in
/etc/shorewall/interfaces when the Address Type match capability is
not available.
Problems Corrected in 4.0.3
1) Using the LOG target in the rules file could result in two LOG
rules being generated by Shorewall-shell. Additionally, using an IP
address range in a rule that performed logging could result in an
invalid iptables command.
2) Shorewall now loads the act_police kernel module needed by traffic
shaping.
3) Previously, "shorewall show -f capabilities" and "shorecap" omitted
the "TCPMSS Match" capability. This made it appear to a compiler
using a capabilities file that the TCPMSS Match capability was not
available.
4) Previously, Shorewall would truncate long log prefixes to 29
characters. This resulted in there being no space between the log
prefix and the IN= part of the message.
Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
Beginning with this release, Shorewall will truncate the prefix to
28 bytes and add a trailing space.
Example: fw2net:LOG:HTTPSou IN= OUT=eth0
5) Previously, if:
- FASTACCEPT=No
- The policy from Z1 to Z2 was CONTINUE
- Neither Z1 nor Z2 had parent zones
- There were no Z1->Z2 rules
then connections from Z2->Z1 would fail even if there were
rules/policies allowing them. This has been
corrected.
6) The 'shorewall add' and 'shorewall delete' command would fail when:
- The running configuration was compiled with Shorewall-perl.
- The name of the interface specified in the command contained an
embedded special character such as '.' or '-'.
This problem was the result of the change in Shorewall 4.0.2 that
removed the legacy mapping of interface names when embedding such
names in a Netfilter chain name. To correct the problem, the
pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.
5) A bug in Shorewall-shell prevented proper handling of PREROUTING
marks when HIGH_ROUTE_MARKS=No and the track option was specified
in /etc/shorewall/providers.
6) With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
the params file would fail at script execution time with "INCLUDE:
not found". This has been corrected.
7) Shorewall-perl was mis-sorting the zone list when zones were nested
more than one deep.
8) Stale references to http://www.shorewall.net/Documentation.htm have
been removed from the config files (including samples). That URL
has been replaced by the online manpages.
Other Changes in 4.0.3
1) A script generated by Shorewall-perl now tries to modify/restore
/etc/iproute2/rt_tables only if the file is writable. This prevents
run-time errors when /etc is mounted read-only.
A new KEEP_RT_TABLES option has been added to shorewall.conf. When
set to Yes, this option prevents Shorewall from altering the
/etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
recognized by Shorewall-perl and is ignored by Shorewall-shell.
2) Shorewall-perl now requires the FindBin Perl module.
3) When an optional provider is not available, a script generated by
Shorewall-perl will no longer add the corresponding
routing rules.
4) A new 'isusable' extension script has been added. This script
allows you to extend the availability test that Shorewall performs
on optional providers.
Here's an example that uses ping to ensure that the default
gateways through eth0 and eth1 are reachable:
case $1 in
eth0)
ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
return
;;
eth1)
ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
return
;;
*)
# Assume we don't need to do any additional testing
# for this interface beyond Shorewall's
return 0
;;
esac
Additional information is available at
http://www.shorewall.net/shorewall_extension_scripts.htm.
5) Processing of the message log in the 'show log', 'logwatch' and
'dump' commands has been speeded up thanks to a suggestion by
Andrew Suffield.
6) Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear'
commands were processed by the generated script from the
last successful 'start', 'restart' or 'refresh' command. This had
the side effect that updates to the /etc/shorewall/routestopped
file did not take effect until one of those three commands was
successfully processed.
Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
the default and the 4.0 behavior is enabled using the '-f' command
option.
Example: shorewall stop -f
7) An 'mss' option has been added to the interfaces file. This option
is only recognized by Shorewall-perl and causes Shorewall to set
the MSS field in forwarded TCP SYN packets going in or out the
interface to the value that you specify.
Example:
#ZONE INTERFACE BROADCAST OPTIONS
vpn ppp0 - mss=1400
The mss option only affects incoming traffic that has not been
decrypted by IPSEC and outgoing traffic that will not subsequently
be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
'mss' option in /etc/shorewall/zones.
8) Shorewall now detects the presence of the 'hashlimit match'
capability. There is no builtin support yet for hashlimit but
detection allows extension scripts for user-supplied actions to
determine if the capability exists.
With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
capability exists.
With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
a boolean context if the capability exists. Shorewall-perl users
may also code the following in their extension script:
use Shorewall::Config;
require_capability( 'HASHLIMIT_MATCH', #Capability
'My hashlimit action' , #Feature requiring
#capability
's' ); #Feature is singular
#(if plural, pass the
empty string)
That call would procduce the following fatal error if the
capability isn't available:
ERROR: My hashlimit action requires the Hashlimit match capability
in your kernel and iptables
9) NFQUEUE support has been added to Shorewall-perl.
NFQUEUE may appear in actions, macros, rules and as a policy.
When NFQUEUE is used by itself, queue number zero is assumed. To
specify a queue number, follow NFQUEUE by a slash ("/") and the
queue number.
Examples (/etc/shorewall/rules):
NFQUEUE loc net tcp #Queue number 0
NFQUEUE/22 loc net udp #Queue number 22
NFQUEUE/22:info loc net gre #With logging
An NFQUEUE_DEFAULT option has been added to shorewall.conf for
specifying the default action to use with NFQUEUE policies.
Use of NFQUEUE requires the NFQUEUE Target capability in your
kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
then you must install Shorewall-lite 4.0.3 in order to build a
capabilities file that includes NFQUEUE Target. If your
capabilities file was generated by a Shorewall/Shorewall-lite
version earlier that 4.0.3, you will receive a warning during
compilation.
10) The 'refresh' command can now refresh chains other than 'blacklst'.
The syntax of the command is now:
shorewall refresh [ <chain> ... ]
If no <chain> is given then 'blacklst' is assumed. Otherwise, the
Shorewall-perl compiler compiles a script whose 'refresh' command
refreshes the listed <chain>(s).
The listed chains are assumed to be in the filter table. You can
refresh chains in other tables by prefixing the chain name with the
table name followed by ":" (e.g., nat:net_dnat). Chain names which
follow are assumed to be in that table until the end of the list or
until an entry in the list names another table.
This feature requires Shorewall-perl 4.0.3 as well as
Shorewall-common 4.0.3.

6
Shorewall-common/routestopped
View File

@ -3,8 +3,10 @@
#
# For information about entries in this file, type "man shorewall-routestopped"
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-routestopped.html
#
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################

3
Shorewall-common/rules
View File

@ -3,7 +3,8 @@
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://shorewall.net/Documentation.htm#Rules for additional information.
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK

39
Shorewall-common/shorewall
View File

@ -180,15 +180,6 @@ get_config() {
export IPTABLES
#
# See if we have a real version of "tail" -- use separate redirection so
# that ash (aka /bin/sh on LRP) doesn't crap
#
if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
realtail="Yes"
else
realtail=""
fi
#
# Compile by non-root needs no restore file
#
@ -340,10 +331,11 @@ compiler() {
shift
options="--verbose $VERBOSE ";
[ -n "$EXPORT" ] && options="$options --export ";
[ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR ";
[ -n "$TIMESTAMP" ] && options="$options --timestamp " ;
[ -n "$debugging" ] && options="$options --debug " ;
[ -n "$EXPORT" ] && options="$options --export "
[ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "
[ -n "$TIMESTAMP" ] && options="$options --timestamp "
[ -n "$debugging" ] && options="$options --debug "
[ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS"
[ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed"
#
# Run the appropriate params file
@ -358,6 +350,7 @@ compiler() {
;;
shell)
[ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed"
[ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains"
$command $SHOREWALL_SHELL $sc $@
;;
*)
@ -779,13 +772,15 @@ refresh_command() {
esac
done
case $# in
0)
;;
*)
usage 1
;;
esac
if [ $# -gt 0 ]; then
REFRESHCHAINS=$1
shift
while [ $# -gt 0 ]; do
REFRESHCHAINS="$REFRESHCHAINS,$1"
shift
done
fi
shorewall_is_started || fatal_error "Shorewall is not running"
@ -1298,7 +1293,7 @@ usage() # $1 = exit status
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
echo " refresh [ -C {shell|perl} ]"
echo " refresh [ -C {shell|perl} ] [ <chain>... ]"
echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -C {shell|perl} ] [ <directory> ] <system>"
echo " reset"
@ -1483,7 +1478,7 @@ export PRODUCT="Shorewall"
FIREWALL=$SHAREDIR/firewall
LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
VERSION_FILE=$SHAREDIR/version
HELP=$SHAREDIR/help
REFRESHCHAINS=
for library in $LIBRARIES; do
if [ -f $library ]; then

4
Shorewall-common/shorewall-common.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-common
%define version 4.0.3
%define version 4.0.4
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -240,6 +240,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net

4
Shorewall-common/tunnels
View File

@ -3,8 +3,8 @@
#
# For information about entries in this file, type "man shorewall-tunnels"
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional
# information.
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
#TYPE ZONE GATEWAY GATEWAY

2
Shorewall-common/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.3
VERSION=4.0.4
usage() # $1 = exit status
{

3
Shorewall-common/zones
View File

@ -3,7 +3,8 @@
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT

2
Shorewall-lite/README.txt
View File

@ -1 +1 @@
This is the Shorewall-lite Development 4.1 branch of SVN.
This is the Shorewall-lite Stable 4.0 branch of SVN.

2
Shorewall-lite/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.0.2
VERSION=4.0.4
usage() # $1 = exit status
{

2
Shorewall-lite/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.2
VERSION=4.0.4
usage() # $1 = exit status
{

4
Shorewall-lite/shorewall-lite
View File

@ -93,9 +93,9 @@ get_config() {
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
LOGREAD="logread"
LOGREAD="logread | tac"
elif [ -f $LOGFILE ]; then
LOGREAD="cat $LOGFILE"
LOGREAD="tac $LOGFILE"
else
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2

6
Shorewall-lite/shorewall-lite.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-lite
%define version 4.0.2
%define version 4.0.4
%define release 1
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,6 +98,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.2-1
* Sat Jul 21 2007 Tom Eastep tom@shorewall.net

2
Shorewall-lite/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.2
VERSION=4.0.4
usage() # $1 = exit status
{

2
Shorewall-perl/README.txt
View File

@ -1,2 +1,2 @@
This is the Shorewall-perl Development 4.1 branch of SVN.
This is the Shorewall-perl Stable 4.0 branch of SVN.

14
Shorewall-perl/Shorewall/Accounting.pm
View File

@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( );
our $VERSION = 4.01;
our $VERSION = '4.03';
#
# Initialize globals -- we take this novel approach to globals initialization to allow
@ -70,7 +70,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
}
sub accounting_error() {
warning_message "Invalid Accounting rule";
fatal_error "Invalid Accounting rule";
}
sub jump_to_chain( $ ) {
@ -112,8 +112,10 @@ sub process_accounting_rule( $$$$$$$$$ ) {
$source = ALLIPv4 if $source eq 'any' || $source eq 'all';
if ( @bridges ) {
if ( $source =~ /^$firewall_zone:?(.*)$/ ) {
if ( have_bridges ) {
my $fw = firewall_zone;
if ( $source =~ /^$fw:?(.*)$/ ) {
$source = $1 ? $1 : ALLIPv4;
$restriction = OUTPUT_RESTRICT;
$chain = 'accountout' unless $chain and $chain ne '-';
@ -192,9 +194,9 @@ sub setup_accounting() {
}
}
$comment = '';
clear_comment;
if ( @bridges ) {
if ( have_bridges ) {
if ( $filter_table->{accounting} ) {
for my $chain ( qw/INPUT FORWARD/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting';

4
Shorewall-perl/Shorewall/Actions.pm
View File

@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
%macros
);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.03;
our $VERSION = '4.03';
#
# Used Actions. Each action that is actually used has an entry with value 1.
@ -651,7 +651,7 @@ sub process_action3( $$$$$ ) {
}
}
$comment = '';
clear_comment;
}
sub process_actions3 () {

161
Shorewall-perl/Shorewall/Chains.pm
View File

@ -53,6 +53,7 @@ our @EXPORT = qw( STANDARD
ALL_RESTRICT
process_comment
clear_comment
incr_cmd_level
decr_cmd_level
add_command
@ -61,7 +62,6 @@ our @EXPORT = qw( STANDARD
add_file
add_rule
insert_rule
insert_rule_nice
chain_base
forward_chain
input_chain
@ -116,26 +116,22 @@ our @EXPORT = qw( STANDARD
get_interface_bcasts
set_global_variables
create_netfilter_load
create_blacklist_reload
create_chainlist_reload
@policy_chains
%chain_table
$nat_table
$mangle_table
$filter_table
$section
%sections
$comment
%targets
);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.03;
our $VERSION = '4.04';
#
# Chain Table
#
# @policy_chains is a list of references to policy chains in the filter table
#
# %chain_table { <table> => { <chain1> => { name => <chain name>
# table => <table name>
# is_policy => 0|1
@ -166,7 +162,6 @@ our $VERSION = 4.03;
#
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
#
our @policy_chains;
our %chain_table;
our $nat_table;
our $mangle_table;
@ -234,7 +229,6 @@ our $mode;
#
sub initialize() {
@policy_chains = ();
%chain_table = ( raw => {} ,
mangle => {},
nat => {},
@ -335,6 +329,14 @@ sub process_comment() {
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
}
}
#
# Clear the $comment variable
#
sub clear_comment() {
$comment = '';
}
#
# Functions to manipulate cmdlevel
#
@ -731,8 +733,8 @@ sub finish_section ( $ ) {
$sections{$section} = 1;
}
for my $zone ( @zones ) {
for my $zone1 ( @zones ) {
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) {
finish_chain_section $chainref, $sections;
@ -760,7 +762,7 @@ sub set_mss1( $$ ) {
sub set_mss( $$$ ) {
my ( $zone, $mss, $direction) = @_;
for my $z ( @zones ) {
for my $z ( all_zones ) {
if ( $direction eq '_in' ) {
set_mss1 "${zone}2${z}" , $mss;
} elsif ( $direction eq '_out' ) {
@ -776,8 +778,8 @@ sub set_mss( $$$ ) {
# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate.
#
sub setup_zone_mss() {
for my $zone ( @zones ) {
my $zoneref = $zones{$zone};
for my $zone ( all_zones ) {
my $zoneref = find_zone( $zone );
set_mss( $zone, $zoneref->{options}{in_out}{mss}, '' ) if $zoneref->{options}{in_out}{mss};
set_mss( $zone, $zoneref->{options}{in}{mss}, '_in' ) if $zoneref->{options}{in}{mss};
@ -1104,7 +1106,7 @@ sub do_tos( $ ) {
#
sub match_source_dev( $ ) {
my $interface = shift;
my $interfaceref = $interfaces{$interface};
my $interfaceref = find_interface( $interface );
if ( $interfaceref && $interfaceref->{options}{port} ) {
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
} else {
@ -1117,7 +1119,7 @@ sub match_source_dev( $ ) {
#
sub match_dest_dev( $ ) {
my $interface = shift;
my $interfaceref = $interfaces{$interface};
my $interfaceref = find_interface( $interface );
if ( $interfaceref && $interfaceref->{options}{port} ) {
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
} else {
@ -1240,7 +1242,7 @@ sub match_orig_dest ( $ ) {
sub match_ipsec_in( $$ ) {
my ( $zone , $hostref ) = @_;
my $match = '-m policy --dir in --pol ';
my $zoneref = $zones{$zone};
my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options};
if ( $zoneref->{type} eq 'ipsec4' ) {
@ -1258,7 +1260,7 @@ sub match_ipsec_in( $$ ) {
sub match_ipsec_out( $$ ) {
my ( $zone , $hostref ) = @_;
my $match = '-m policy --dir out --pol ';
my $zoneref = $zones{$zone};
my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options};
if ( $zoneref->{type} eq 'ipsec4' ) {
@ -1537,7 +1539,7 @@ sub expand_rule( $$$$$$$$$$ )
incr_cmd_level $chainref;
} else {
fatal_error "Source Interface ($iiface) not allowed when the source zone is $firewall_zone" if $restriction & OUTPUT_RESTRICT;
fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT;
$rule .= match_source_dev( $iiface );
}
}
@ -1598,7 +1600,7 @@ sub expand_rule( $$$$$$$$$$ )
incr_cmd_level $chainref;
} else {
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT;
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
if ( $iiface ) {
my $bridge = port_to_bridge( $diface );
@ -2013,52 +2015,109 @@ sub create_netfilter_load() {
}
#
# Generate the netfilter input for refreshing the blacklist
# Generate the netfilter input for refreshing a list of chains
#
sub create_blacklist_reload() {
sub create_chainlist_reload($) {
my $chains = $_[0];
my @chains = split ',', $chains;
unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst};
}
$mode = NULL_MODE;
emit( 'blacklist_reload()',
emit( 'chainlist_reload()',
'{'
);
push_indent;
save_progress_message "Preparing iptables-restore input...";
if ( @chains ) {
if ( @chains == 1 ) {
progress_message2 "Compiling iptables-restore input for chain @chains...";
save_progress_message "Preparing iptables-restore input for chain @chains...";
} else {
progress_message2 "Compiling iptables-restore input for chain $chains...";
save_progress_message "Preparing iptables-restore input for chains $chains...";
}
emit '';
emit '';
emit 'exec 3>${VARDIR}/.iptables-restore-input';
emit 'exec 3>${VARDIR}/.iptables-restore-input';
enter_cat_mode;
enter_cat_mode;
emit_unindented '*filter';
emit_unindented ':blacklst - [0:0]';
#
# Emit the Blacklist rules
#
emitr $_ for ( @{$filter_table->{blacklst}{rules}} );
#
# Commit the changes to the table
#
enter_cat_mode unless $mode == CAT_MODE;
my $table = 'filter';
emit_unindented 'COMMIT';
my %chains;
enter_cmd_mode;
#
# Now generate the actual iptables-restore command
#
emit( 'exec 3>&-',
'',
'progress_message2 "Running iptables-restore..."',
'',
'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
'if [ $? != 0 ]; then',
' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
"fi\n"
);
for my $chain ( @chains ) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain};
$chains{$table} = [] unless $chains{$table};
push @{$chains{$table}}, $chain;
}
for $table qw(nat mangle filter) {
next unless $chains{$table};
emit_unindented "*$table";
my $tableref=$chain_table{$table};
@chains = sort @{$chains{$table}};
for my $chain ( @chains ) {
my $chainref = $tableref->{$chain};
emit_unindented ":$chainref->{name} $chainref->{policy} [0:0]" if $chainref->{builtin};
}
for my $chain ( @chains ) {
my $chainref = $tableref->{$chain};
emit_unindented ":$chainref->{name} - [0:0]" unless $chainref->{builtin};
}
for my $chain ( @chains ) {
my $chainref = $tableref->{$chain};
my @rules = @{$chainref->{rules}};
@rules = () unless @rules;
#
# Emit the chain rules
#
emitr $_ for ( @rules );
}
#
# Commit the changes to the table
#
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented 'COMMIT';
}
enter_cmd_mode;
#
# Now generate the actual iptables-restore command
#
emit( 'exec 3>&-',
'',
'progress_message2 "Running iptables-restore..."',
'',
'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE -n # Use this nonsensical form to appease SELinux',
'if [ $? != 0 ]; then',
' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
"fi\n"
);
} else {
emit('true');
}
pop_indent;

34
Shorewall-perl/Shorewall/Compiler.pm
View File

@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
our @EXPORT_OK = qw( $export );
our $VERSION = 4.03;
our $VERSION = '4.04';
our $export;
@ -58,6 +58,7 @@ sub reinitialize() {
Shorewall::Config::initialize;
Shorewall::Chains::initialize;
Shorewall::Zones::initialize;
Shorewall::Policy::initialize;
Shorewall::Nat::initialize;
Shorewall::Providers::initialize;
Shorewall::Tc::initialize;
@ -138,17 +139,16 @@ sub generate_script_1() {
'[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"',
qq(VERSION="$globals{VERSION}") ,
qq(PATH="$config{PATH}") ,
'TERMINATOR=fatal_error'
'TERMINATOR=fatal_error' ,
''
);
if ( $config{IPTABLES} ) {
emit( qq(IPTABLES="$config{IPTABLES}"),
'',
'[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
);
} else {
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables 2> /dev/null)',
'',
emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
'[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
);
}
@ -328,11 +328,9 @@ EOF
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
interface=/proc/sys/net/ipv4/conf/$interface
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
done < ${VARDIR}/proxyarp
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
fi
rm -f ${VARDIR}/proxyarp
@ -596,7 +594,7 @@ sub generate_script_2 () {
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
# than those related to writing to the object file.
#
sub generate_script_3() {
sub generate_script_3($) {
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
dump_proxy_arp;
@ -629,7 +627,7 @@ sub generate_script_3() {
progress_message2 "Creating iptables-restore input...";
create_netfilter_load;
create_blacklist_reload;
create_chainlist_reload( $_[0] );
emit "#\n# Start/Restart the Firewall\n#";
emit 'define_firewall() {';
@ -647,14 +645,14 @@ setup_routing_and_traffic_shaping
if [ $COMMAND = restore ]; then
iptables_save_file=${VARDIR}/$(basename $0)-iptables
if [ -f $iptables_save_file ]; then
iptables-restore < $iptables_save_file
cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux
else
fatal_error "$iptables_save_file does not exist"
fi
set_state "Started"
else
if [ $COMMAND = refresh ]; then
blacklist_reload
chainlist_reload
run_refreshed_exit
$IPTABLES -N shorewall
set_state "Started"
@ -701,9 +699,9 @@ EOF
# If the first argument is non-null, it names the script file to generate.
# Otherwise, this is a 'check' command and no script is produced.
#
sub compiler( $$$$ ) {
sub compiler( $$$$$ ) {
my ( $objectfile, $directory, $verbosity, $options ) = @_;
my ( $objectfile, $directory, $verbosity, $options , $chains ) = @_;
$export = 0;
@ -723,7 +721,7 @@ sub compiler( $$$$ ) {
#
get_configuration( $export );
report_capabilities if $verbose > 1;
report_capabilities;
require_capability( 'MULTIPORT' , "Shorewall-perl $globals{VERSION}" , 's' );
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
@ -731,7 +729,7 @@ sub compiler( $$$$ ) {
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT};
( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
initialize_chain_table;
@ -865,7 +863,7 @@ sub compiler( $$$$ ) {
#
# Finish the script.
#
generate_script_3;
generate_script_3( $chains );
finalize_object ( $export );
#
# And generate the auxilary config file

193
Shorewall-perl/Shorewall/Config.pm
View File

@ -34,10 +34,13 @@ use strict;
use warnings;
use File::Basename;
use File::Temp qw/ tempfile tempdir /;
use Cwd 'abs_path';
use Cwd qw(abs_path getcwd);
use autouse 'Carp' => qw(longmess confess);
our @ISA = qw(Exporter);
#
# Imported variables should be treated as read-only by importers
#
our @EXPORT = qw(
create_temp_object
finalize_object
@ -47,6 +50,7 @@ our @EXPORT = qw(
save_progress_message_short
set_timestamp
set_verbose
set_command
progress_message
progress_message2
progress_message3
@ -55,7 +59,6 @@ our @EXPORT = qw(
copy
create_temp_aux_config
finalize_aux_config
warning_message
fatal_error
set_shorewall_dir
@ -85,15 +88,13 @@ our @EXPORT = qw(
$command
$doing
$done
$verbose
$currentline
%config
%globals
%capabilities );
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
our $VERSION = 4.03;
our $VERSION = '4.04';
#
# describe the current command, it's present progressive, and it's completion.
@ -147,7 +148,38 @@ our %capabilities;
#
# Capabilities
#
our %capdesc;
our %capdesc = ( NAT_ENABLED => 'NAT',
MANGLE_ENABLED => 'Packet Mangling',
MULTIPORT => 'Multi-port Match' ,
XMULTIPORT => 'Extended Multi-port Match',
CONNTRACK_MATCH => 'Connection Tracking Match',
USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match',
PHYSDEV_MATCH => 'Physdev Match',
LENGTH_MATCH => 'Packet length Match',
IPRANGE_MATCH => 'IP Range Match',
RECENT_MATCH => 'Recent Match',
OWNER_MATCH => 'Owner Match',
IPSET_MATCH => 'Ipset Match',
CONNMARK => 'CONNMARK Target',
XCONNMARK => 'Extended CONNMARK Target',
CONNMARK_MATCH => 'Connmark Match',
XCONNMARK_MATCH => 'Extended Connmark Match',
RAW_TABLE => 'Raw Table',
IPP2P_MATCH => 'IPP2P Match',
CLASSIFY_TARGET => 'CLASSIFY Target',
ENHANCED_REJECT => 'Extended Reject',
KLUDGEFREE => 'Repeat match',
MARK => 'MARK Target',
XMARK => 'Extended Mark Target',
MANGLE_FORWARD => 'Mangle FORWARD Chain',
COMMENTS => 'Comments',
ADDRTYPE => 'Address Type Match',
TCPMSS_MATCH => 'TCPMSS Match',
HASHLIMIT_MATCH => 'Hashlimit Match',
NFQUEUE_TARGET => 'NFQUEUE Target',
CAPVERSION => 'Capability Version',
);
#
# Directories to search for configuration files
#
@ -198,7 +230,7 @@ sub initialize() {
ORIGINAL_POLICY_MATCH => '',
LOGPARMS => '',
TC_SCRIPT => '',
VERSION => '4.0.3',
VERSION => '4.0.4',
CAPVERSION => 40003 ,
);
#
@ -335,41 +367,6 @@ sub initialize() {
CAPVERSION => undef,
);
#
# Capabilities
#
%capdesc = ( NAT_ENABLED => 'NAT',
MANGLE_ENABLED => 'Packet Mangling',
MULTIPORT => 'Multi-port Match' ,
XMULTIPORT => 'Extended Multi-port Match',
CONNTRACK_MATCH => 'Connection Tracking Match',
USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match',
PHYSDEV_MATCH => 'Physdev Match',
LENGTH_MATCH => 'Packet length Match',
IPRANGE_MATCH => 'IP Range Match',
RECENT_MATCH => 'Recent Match',
OWNER_MATCH => 'Owner Match',
IPSET_MATCH => 'Ipset Match',
CONNMARK => 'CONNMARK Target',
XCONNMARK => 'Extended CONNMARK Target',
CONNMARK_MATCH => 'Connmark Match',
XCONNMARK_MATCH => 'Extended Connmark Match',
RAW_TABLE => 'Raw Table',
IPP2P_MATCH => 'IPP2P Match',
CLASSIFY_TARGET => 'CLASSIFY Target',
ENHANCED_REJECT => 'Extended Reject',
KLUDGEFREE => 'Repeat match',
MARK => 'MARK Target',
XMARK => 'Extended Mark Target',
MANGLE_FORWARD => 'Mangle FORWARD Chain',
COMMENTS => 'Comments',
ADDRTYPE => 'Address Type Match',
TCPMSS_MATCH => 'TCPMSS Match',
HASHLIMIT_MATCH => 'Hashlimit Match',
NFQUEUE_TARGET => 'NFQUEUE Target',
CAPVERSION => 'Capability Version',
);
#
# Directories to search for configuration files
#
@config_path = ();
@ -401,7 +398,8 @@ INIT {
#
sub warning_message
{
my $currentlineinfo = $currentfile ? " : $currentfilename (line $currentlinenumber)" : '';
my $linenumber = $currentlinenumber || 1;
my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
if ( $debug ) {
print STDERR longmess( " WARNING: @_$currentlineinfo" );
@ -414,7 +412,8 @@ sub warning_message
# Issue fatal error message and die
#
sub fatal_error {
my $currentlineinfo = $currentfile ? " : $currentfilename (line $currentlinenumber)" : '';
my $linenumber = $currentlinenumber || 1;
my $currentlineinfo = $currentfile ? " : $currentfilename (line $linenumber)" : '';
confess " ERROR: @_$currentlineinfo" if $debug;
die " ERROR: @_$currentlineinfo\n";
}
@ -480,12 +479,18 @@ sub set_verbose( $ ) {
$verbose = shift;
}
#
# Set $command, $doing and $done
#
sub set_command( $$$ ) {
($command, $doing, $done) = @_;
}
#
# Print the current TOD to STDOUT.
#
sub timestamp() {
my ($sec, $min, $hr) = ( localtime ) [0,1,2];
printf '%02d:%02d:%02d ', $hr, $min, $sec;
printf '%02d:%02d:%02d ', ( localtime ) [2,1,0];
}
#
@ -649,7 +654,7 @@ sub finalize_aux_config() {
}
#
# Set $globals{CONFIG_PATH}
# Set $config{CONFIG_PATH}
#
sub set_config_path( $ ) {
$config{CONFIG_PATH} = shift;
@ -839,9 +844,12 @@ sub read_a_line() {
while ( $currentfile ) {
$currentline = '';
$currentlinenumber = 0;
while ( <$currentfile> ) {
$currentlinenumber = $. unless $currentlinenumber;
chomp;
#
# Continuation
@ -856,7 +864,6 @@ sub read_a_line() {
#
$currentline = '', next if $currentline =~ /^\s*$/;
$currentlinenumber = $.;
#
# Expand Shell Variables using %ENV
#
@ -883,6 +890,8 @@ sub read_a_line() {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
do_open_file $filename;
} else {
$currentlinenumber = 0;
}
$currentline = '';
@ -1026,17 +1035,19 @@ sub report_capabilities() {
}
}
print "Shorewall has detected the following capabilities:\n";
if ( $verbose > 1 ) {
print "Shorewall has detected the following capabilities:\n";
for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
report_capability $cap;
for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
report_capability $cap;
}
}
}
#
# Search the current PATH for the passed executable
#
sub mywhich( $ ) {
sub which( $ ) {
my $prog = $_[0];
for my $dir ( split /:/, $config{PATH} ) {
@ -1050,7 +1061,7 @@ sub mywhich( $ ) {
# Load the kernel modules defined in the 'modules' file.
#
sub load_kernel_modules( ) {
my $moduleloader = mywhich 'modprobe' ? 'modprobe' : 'insmod';
my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
my $modulesdir = $config{MODULESDIR};
@ -1063,7 +1074,7 @@ sub load_kernel_modules( ) {
my @moduledirectories = split /:/, $modulesdir;
if ( @moduledirectories && open_file 'modules' ) {
if ( $moduleloader && open_file 'modules' ) {
my %loadedmodules;
progress_message "Loading Modules...";
@ -1114,9 +1125,9 @@ sub qt( $ ) {
#
# Determine which optional facilities are supported by iptables/netfilter
#
sub determine_capabilities() {
sub determine_capabilities( $ ) {
my $iptables = $config{IPTABLES};
my $iptables = $_[0];
my $pid = $$;
my $sillyname = "fooX$pid";
@ -1173,7 +1184,7 @@ sub determine_capabilities() {
$capabilities{RAW_TABLE} = qt( "$iptables -t raw -L -n" );
if ( mywhich 'ipset' ) {
if ( which 'ipset' ) {
qt( "ipset -X $sillyname" );
if ( qt( "ipset -N $sillyname iphash" ) ) {
@ -1243,8 +1254,10 @@ sub ensure_config_path() {
}
if ( $shorewall_dir ) {
$shorewall_dir = getcwd if $shorewall_dir =~ m|(\./*)+|;
$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
$config{CONFIG_PATH} = join ':', @config_path;
}
}
@ -1287,32 +1300,10 @@ sub process_shorewall_conf() {
}
}
sub get_capabilities( $ ) {
my $export = $_[0];
if ( ! $export && $> == 0 ) { # $> == $EUID
unless ( $config{IPTABLES} ) {
fatal_error "Can't find iptables executable" unless $config{IPTABLES} = mywhich 'iptables';
} else {
fatal_error "\$IPTABLES=$config{IPTABLES} does not exist or is not executable" unless -x $config{IPTABLES};
}
load_kernel_modules;
unless ( open_file 'capabilities' ) {
determine_capabilities;
}
} else {
unless ( open_file 'capabilities' ) {
fatal_error "The -e flag requires a capabilities file" if $export;
fatal_error "Compiling under non-root uid requires a capabilities file";
}
}
#
# If we successfully called open_file above, then this loop will read the capabilities file.
# Otherwise, the first call to read_a_line() below will return false
#
#
# Process the records in the capabilities file
#
sub read_capabilities() {
while ( read_a_line1 ) {
if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
my ($var, $val) = ($1, $2);
@ -1334,6 +1325,42 @@ sub get_capabilities( $ ) {
}
}
#
# Get the system's capabilities, either by probing or by reading a capabilities file
#
sub get_capabilities( $ ) {
my $export = $_[0];
if ( ! $export && $> == 0 ) { # $> == $EUID
my $iptables = $config{IPTABLES};
if ( $iptables ) {
fatal_error "IPTABLES=$iptables does not exist or is not executable" unless -x $iptables;
} else {
fatal_error "Can't find iptables executable" unless $iptables = which 'iptables';
}
my $iptables_restore=$iptables . '-restore';
fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
load_kernel_modules;
if ( open_file 'capabilities' ) {
read_capabilities;
} else {
determine_capabilities $iptables;
}
} else {
unless ( open_file 'capabilities' ) {
fatal_error "The -e compiler option requires a capabilities file" if $export;
fatal_error "Compiling under non-root uid requires a capabilities file";
}
read_capabilities;
}
}
#
# - Read the shorewall.conf file
# - Read the capabilities file, if any

2
Shorewall-perl/Shorewall/FallbackPorts.pm
View File

@ -33,7 +33,7 @@ use warnings;
our @ISA = qw(Exporter);
our @EXPORT = qw( %protocols %services );
our @EXPORT_OK = qw();
our $VERSION = 4.00;
our $VERSION = '4.00';
our %protocols = (
ip => 0,

15
Shorewall-perl/Shorewall/IPAddrs.pm
View File

@ -36,12 +36,11 @@ our @EXPORT = qw( ALLIPv4
validate_host
validate_range
ip_range_explicit
@allipv4
@rfc1918_networks
allipv4
rfc1918_neworks
);
our @EXPORT_OK = qw( );
our $VERSION = 4.03;
our $VERSION = '4.03';
#
# Some IPv4 useful stuff
@ -161,4 +160,12 @@ sub validate_host( $ ) {
}
}
sub allipv4() {
@allipv4;
}
sub rfc1918_networks() {
@rfc1918_networks
}
1;

8
Shorewall-perl/Shorewall/Nat.pm
View File

@ -36,7 +36,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
our @EXPORT_OK = ();
our $VERSION = 4.03;
our $VERSION = '4.03';
our @addresses_to_add;
our %addresses_to_add;
@ -169,7 +169,7 @@ sub setup_one_masq($$$$$$$)
#
( my $interface = $fullinterface ) =~ s/:.*//;
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
#
@ -305,7 +305,7 @@ sub setup_masq()
}
}
$comment = '';
clear_comment;
}
@ -417,7 +417,7 @@ sub setup_nat() {
}
$comment = '';
clear_comment;
}
#

100
Shorewall-perl/Shorewall/Policy.pm
View File

@ -34,7 +34,28 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( );
our $VERSION = 4.03;
our $VERSION = '4.03';
# @policy_chains is a list of references to policy chains in the filter table
our @policy_chains;
#
# Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The
# initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function.
#
sub initialize() {
@policy_chains = ();
}
INIT {
initialize;
}
#
# Convert a chain into a policy chain.
@ -104,20 +125,36 @@ sub set_policy_chain($$$$$)
#
# Process the policy file
#
use constant { OPTIONAL => 1 };
sub add_or_modify_policy_chain( $$ ) {
my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}";
my $chainref = $filter_table->{$chain};
if ( $chainref ) {
unless( $chainref->{is_policy} ) {
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
push @policy_chains, $chainref;
}
} else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
}
}
sub print_policy($$$$) {
my ( $source, $dest, $policy , $chain ) = @_;
unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
if ( $policy eq 'CONTINUE' ) {
my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) );
warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
}
progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
}
}
sub validate_policy()
{
sub print_policy($$$$)
{
my ( $source, $dest, $policy , $chain ) = @_;
unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
if ( $policy eq 'CONTINUE' ) {
my ( $sourceref, $destref ) = @zones{$source,$dest};
warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
}
progress_message " Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
}
}
my %validpolicies = (
ACCEPT => undef,
REJECT => undef,
@ -136,8 +173,6 @@ sub validate_policy()
my $zone;
use constant { OPTIONAL => 1 };
for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
my $action = $config{$option};
next if $action eq 'none';
@ -157,14 +192,15 @@ sub validate_policy()
$default_actions{$map{$option}} = $action;
}
for $zone ( @zones ) {
for $zone ( all_zones ) {
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
if ( $config{IMPLICIT_CONTINUE} && ( @{$zones{$zone}{parents}} ) ) {
for my $zone1 ( @zones ) {
next if $zone eq $zone1;
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
push @policy_chains, ( new_policy_chain $zone1, $zone, 'CONTINUE', OPTIONAL );
if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
for my $zone1 ( all_zones ) {
unless( $zone eq $zone1 ) {
add_or_modify_policy_chain( $zone, $zone1 );
add_or_modify_policy_chain( $zone1, $zone );
}
}
}
}
@ -187,11 +223,11 @@ sub validate_policy()
my $clientwild = ( "\L$client" eq 'all' );
fatal_error "Undefined zone $client" unless $clientwild || $zones{$client};
fatal_error "Undefined zone $client" unless $clientwild || defined_zone( $client );
my $serverwild = ( "\L$server" eq 'all' );
fatal_error "Undefined zone $server" unless $serverwild || $zones{$server};
fatal_error "Undefined zone $server" unless $serverwild || defined_zone( $server );
( $policy , my ( $default, $remainder ) ) = split( /:/, $policy, 3 );
@ -230,13 +266,13 @@ sub validate_policy()
fatal_error "NONE policy not allowed with \"all\""
if $clientwild || $serverwild;
fatal_error "NONE policy not allowed to/from firewall zone"
if ( $zones{$client}{type} eq 'firewall' ) || ( $zones{$server}{type} eq 'firewall' );
if ( zone_type( $client ) eq 'firewall' ) || ( zone_type( $server ) eq 'firewall' );
}
unless ( $clientwild || $serverwild ) {
if ( $zones{$server}{type} eq 'bport4' ) {
if ( zone_type( $server ) eq 'bport4' ) {
fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
unless $zones{$client}{bridge} eq $zones{$server}{bridge} || single_interface( $client ) eq $zones{$server}{bridge};
unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
}
}
@ -275,20 +311,20 @@ sub validate_policy()
if ( $clientwild ) {
if ( $serverwild ) {
for my $zone ( @zones , 'all' ) {
for my $zone1 ( @zones , 'all' ) {
for my $zone ( all_zones , 'all' ) {
for my $zone1 ( all_zones , 'all' ) {
set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
print_policy $zone, $zone1, $policy, $chain;
}
}
} else {
for my $zone ( @zones ) {
for my $zone ( all_zones ) {
set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
print_policy $zone, $server, $policy, $chain;
}
}
} elsif ( $serverwild ) {
for my $zone ( @zones , 'all' ) {
for my $zone ( all_zones , 'all' ) {
set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
print_policy $client, $zone, $policy, $chain;
}
@ -382,8 +418,8 @@ sub apply_policy_rules() {
}
}
for my $zone ( @zones ) {
for my $zone1 ( @zones ) {
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $filter_table->{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) {

2
Shorewall-perl/Shorewall/Proc.pm
View File

@ -42,7 +42,7 @@ our @EXPORT = qw(
setup_forwarding
);
our @EXPORT_OK = qw( );
our $VERSION = 4.01;
our $VERSION = '4.01';
#
# ARP Filtering

2
Shorewall-perl/Shorewall/Providers.pm
View File

@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.03;
our $VERSION = '4.03';
use constant { LOCAL_NUMBER => 255,
MAIN_NUMBER => 254,

2
Shorewall-perl/Shorewall/Proxyarp.pm
View File

@ -35,7 +35,7 @@ our @EXPORT = qw(
);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.01;
our $VERSION = '4.01';
our @proxyarp;

110
Shorewall-perl/Shorewall/Rules.pm
View File

@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
dump_rule_chains
);
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our $VERSION = 4.03;
our $VERSION = '4.03';
#
# Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@ -125,7 +125,7 @@ sub process_tos() {
fatal_error "Invalid SOURCE" if defined $remainder;
if ( $srczone eq $firewall_zone ) {
if ( $srczone eq firewall_zone ) {
$chainref = $outtosref;
$src = $source || '-';
$restriction = OUTPUT_RESTRICT;
@ -519,7 +519,7 @@ sub add_common_rules() {
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
for $interface ( @interfaces ) {
for $interface ( all_interfaces ) {
for $chain ( @{first_chains $interface} ) {
add_rule new_standard_chain( $chain ) , "$state -j dynamic";
}
@ -593,7 +593,7 @@ sub add_common_rules() {
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
}
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if $interfaces{$interface}{options}{bridge};
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
}
}
@ -649,7 +649,7 @@ sub add_common_rules() {
}
if ( $config{DYNAMIC_ZONES} ) {
for $interface ( @interfaces) {
for $interface ( all_interfaces ) {
for $chain ( @{dynamic_chains $interface} ) {
new_standard_chain $chain;
}
@ -713,7 +713,7 @@ sub setup_mac_lists( $ ) {
my $chainref = new_chain $table , mac_chain $interface;
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp};
if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' );
if ( $ttl ) {
my $chain1ref = new_chain $table, macrecent_target $interface;
@ -782,7 +782,7 @@ sub setup_mac_lists( $ ) {
}
}
$comment = '';
clear_comment;
#
# Generate jumps from the input and forward chains
#
@ -806,7 +806,7 @@ sub setup_mac_lists( $ ) {
my $chain = $chainref->{name};
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
my $variable = get_interface_addresses $interfaces{$interface}{bridge};
my $variable = get_interface_addresses source_port_to_bridge( $interface );
if ( $capabilities{ADDRTYPE} ) {
add_commands( $chainref,
@ -815,8 +815,8 @@ sub setup_mac_lists( $ ) {
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
'done' );
} else {
my $bridge = $interfaces{$interface}{bridge};
my $bridgeref = $interfaces{$bridge};
my $bridge = source_port_to_bridge( $interface );
my $bridgeref = find_interface( $bridge );
add_commands( $chainref,
"for address in $variable; do" );
@ -1001,9 +1001,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
#
if ( $actiontype & REDIRECT ) {
if ( $dest eq '-' ) {
$dest = "$firewall_zone";
$dest = "firewall_zone";
} else {
$dest = join( '', $firewall_zone, '::', $dest );
$dest = join( '', firewall_zone, '::', $dest );
}
} elsif ( $action eq 'REJECT' ) {
$action = 'reject';
@ -1017,6 +1017,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
#
my $sourcezone;
my $destzone;
my $sourceref;
my $destref;
if ( $source =~ /^(.+?):(.*)/ ) {
$sourcezone = $1;
@ -1035,22 +1037,22 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
}
fatal_error "Missing source zone" if $sourcezone eq '-';
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
fatal_error "Missing destination zone" if $destzone eq '-';
fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone};
fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
my $restriction = NO_RESTRICT;
if ( $sourcezone eq $firewall_zone ) {
$restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
if ( $sourcezone eq firewall_zone ) {
$restriction = $destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
} else {
$restriction = INPUT_RESTRICT if $destzone eq $firewall_zone;
$restriction = INPUT_RESTRICT if $destzone eq firewall_zone;
}
#
# Check for illegal bridge port rule
#
if ( $zones{$destzone}->{type} eq 'bport4' ) {
unless ( $zones{$sourcezone}{bridge} eq $zones{$destzone}{bridge} || single_interface( $sourcezone ) eq $zones{$destzone}{bridge} ) {
if ( $destref->{type} eq 'bport4' ) {
unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
return 1 if $wildcard;
fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
}
@ -1135,8 +1137,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
if ( $origdest eq '' || $origdest eq '-' ) {
$origdest = ALLIPv4;
} elsif ( $origdest eq 'detect' ) {
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne $firewall_zone ) {
my $interfacesref = $zones{$sourcezone}{interfaces};
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
my $interfacesref = $sourceref->{interfaces};
my @interfaces = keys %$interfacesref;
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
} else {
@ -1146,7 +1148,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
} else {
if ( $action eq 'SAME' ) {
fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq $firewall_zone;
fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
$target = '-j SAME ';
for my $serv ( split /,/, $server ) {
$target .= "--to $serv ";
@ -1160,8 +1162,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
}
unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne $firewall_zone ) {
my $interfacesref = $zones{$sourcezone}{interfaces};
if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
my $interfacesref = $sourceref->{interfaces};
my @interfaces = keys %$interfacesref;
$origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
} else {
@ -1173,7 +1175,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
#
# And generate the nat table rule(s)
#
expand_rule ( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ),
expand_rule ( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ),
PREROUTE_RESTRICT ,
$rule ,
$source ,
@ -1205,12 +1207,12 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$origdest = '' unless $origdest and $origdest ne '-';
if ( $origdest eq 'detect' ) {
my $interfacesref = $zones{$sourcezone}{interfaces};
my $interfacesref = $sourceref->{interfaces};
my $interfaces = "@$interfacesref";
$origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
}
expand_rule( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
PREROUTE_RESTRICT ,
$rule ,
$source ,
@ -1312,11 +1314,11 @@ sub process_rule ( $$$$$$$$$$ ) {
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
if ( $source eq 'all' ) {
for my $zone ( @zones ) {
if ( $includesrcfw || ( $zones{$zone}{type} ne 'firewall' ) ) {
for my $zone ( all_zones ) {
if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) {
if ( $dest eq 'all' ) {
for my $zone1 ( @zones ) {
if ( $includedstfw || ( $zones{$zone1}{type} ne 'firewall' ) ) {
for my $zone1 ( all_zones ) {
if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) {
if ( $intrazone || ( $zone ne $zone1 ) ) {
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
}
@ -1324,7 +1326,7 @@ sub process_rule ( $$$$$$$$$$ ) {
}
} else {
my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $firewall_zone unless $zones{$destzone}; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
$destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
if ( $intrazone || ( $zone ne $destzone ) ) {
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
}
@ -1332,9 +1334,9 @@ sub process_rule ( $$$$$$$$$$ ) {
}
}
} elsif ( $dest eq 'all' ) {
for my $zone ( @zones ) {
for my $zone ( all_zones ) {
my $sourcezone = ( split( /:/, $source, 2 ) )[0];
if ( ( $includedstfw || ( $zones{$zone}{type} ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
}
}
@ -1392,7 +1394,7 @@ sub process_rules() {
}
}
$comment = '';
clear_comment;
$section = 'DONE';
}
@ -1481,6 +1483,7 @@ sub generate_matrix() {
my $exclusion_seq = 1;
my %chain_exclusions;
my %policy_exclusions;
my @interfaces = ( all_interfaces );
for my $interface ( @interfaces ) {
addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface );
@ -1503,9 +1506,9 @@ sub generate_matrix() {
#
# Special processing for complex zones
#
for my $zone ( grep $zones{$_}{options}{complex} , @zones ) {
for my $zone ( complex_zones ) {
my $frwd_ref = new_standard_chain "${zone}_frwd";
my $zoneref = $zones{$zone};
my $zoneref = find_zone( $zone );
my $exclusions = $zoneref->{exclusions};
if ( @$exclusions ) {
@ -1549,11 +1552,11 @@ sub generate_matrix() {
#
# Main source-zone matrix-generation loop
#
for my $zone ( grep ( $zones{$_}{type} ne 'firewall' , @zones ) ) {
my $zoneref = $zones{$zone};
for my $zone ( non_firewall_zones ) {
my $zoneref = find_zone( $zone );
my $source_hosts_ref = $zoneref->{hosts};
my $chain1 = rules_target $firewall_zone , $zone;
my $chain2 = rules_target $zone, $firewall_zone;
my $chain1 = rules_target firewall_zone , $zone;
my $chain2 = rules_target $zone, firewall_zone;
my $chain3 = rules_target $zone, $zone;
my $complex = $zoneref->{options}{complex} || 0;
my $type = $zoneref->{type};
@ -1571,8 +1574,8 @@ sub generate_matrix() {
}
if ( $config{DYNAMIC_ZONES} ) {
push @rule_chains , [ $firewall_zone , $zone , $chain1 ] if $chain1;
push @rule_chains , [ $zone , $firewall_zone , $chain2 ];
push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
push @rule_chains , [ $zone , firewall_zone , $chain2 ];
}
#
@ -1623,7 +1626,7 @@ sub generate_matrix() {
if ( $capabilities{ADDRTYPE} ) {
add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
} else {
my $interfaceref = $interfaces{$interface};
my $interfaceref = find_interface( $interface );
my $chain = output_chain $interface;
my $chainref = $filter_table->{$chain};
@ -1654,8 +1657,8 @@ sub generate_matrix() {
my @temp_zones;
ZONE1:
for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones ) {
my $zone1ref = $zones{$zone1};
for my $zone1 ( non_firewall_zones ) {
my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
next if $policy eq 'NONE';
@ -1695,7 +1698,7 @@ sub generate_matrix() {
$last_chain = '';
}
} else {
@dest_zones = grep $zones{$_}{type} ne 'firewall' , @zones ;
@dest_zones = non_firewall_zones ;
}
#
# Here it is -- THE BIG UGLY!!!!!!!!!!!!
@ -1705,7 +1708,7 @@ sub generate_matrix() {
#
ZONE1:
for my $zone1 ( @dest_zones ) {
my $zone1ref = $zones{$zone1};
my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
next if $policy eq 'NONE';
@ -1841,11 +1844,12 @@ sub generate_matrix() {
for my $interface ( @interfaces ) {
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface;
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface;
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless $interfaces{$interface}{options}{port};
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
}
my $chainref = $filter_table->{"${firewall_zone}2${firewall_zone}"};
my $fw = firewall_zone;
my $chainref = $filter_table->{"${fw}2${fw}"};
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@ -1854,8 +1858,8 @@ sub generate_matrix() {
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
complete_standard_chain $filter_table->{INPUT} , 'all' , $firewall_zone;
complete_standard_chain $filter_table->{OUTPUT} , $firewall_zone , 'all';
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone;
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all';
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all';
if ( $config{LOGALLNEW} ) {
@ -1913,7 +1917,7 @@ sub setup_mss( ) {
}
for ( @$interfaces ) {
my $mss = $interfaces{$_}{options}{mss};
my $mss = get_interface_option( $_, 'mss' );
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
add_rule $chainref, "-o $_ -j RETURN" if $clampmss;

18
Shorewall-perl/Shorewall/Tc.pm
View File

@ -39,7 +39,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = 4.03;
our $VERSION = '4.04';
our %tcs = ( T => { chain => 'tcpost',
connmark => 0,
@ -150,7 +150,7 @@ our %tcdevices;
our @tcclasses;
our %tcclasses;
our $prefix = '1';
our $prefix;
#
# Initialize globals -- we take this novel approach to globals initialization to allow
@ -168,6 +168,11 @@ sub initialize() {
%tcdevices = ();
@tcclasses = ();
%tcclasses = ();
$prefix = '1';
}
INIT {
initialize;
}
sub process_tc_rule( $$$$$$$$$$ ) {
@ -185,13 +190,14 @@ sub process_tc_rule( $$$$$$$$$$ ) {
my $connmark = 0;
my $classid = 0;
my $device = '';
my $fw = firewall_zone;
if ( $source ) {
if ( $source eq $firewall_zone ) {
if ( $source eq $fw ) {
$chain = 'tcout';
$source = '';
} else {
$chain = 'tcout' if $source =~ s/^($firewall_zone)://;
$chain = 'tcout' if $source =~ s/^($fw)://;
}
}
@ -200,7 +206,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
if ( $tcsref ) {
if ( $chain eq 'tcout' ) {
fatal_error "Invalid chain designator for source $firewall_zone" unless $tcsref->{fw};
fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
}
$chain = $tcsref->{chain} if $tcsref->{chain};
@ -610,7 +616,7 @@ sub setup_tc() {
}
$comment = '';
clear_comment;
}
for ( @deferred_rules ) {

21
Shorewall-perl/Shorewall/Tunnels.pm
View File

@ -33,13 +33,15 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tunnels );
our @EXPORT_OK = ( );
our $VERSION = 4.00;
our $VERSION = '4.03';
#
# Here starts the tunnel stuff -- we really should get rid of this crap...
#
sub setup_tunnels() {
our $fw = firewall_zone;
sub setup_one_ipsec {
my ($inchainref, $outchainref, $kind, $source, $dest, $gatewayzones) = @_;
@ -79,11 +81,10 @@ sub setup_tunnels() {
unless ( $gatewayzones eq '-' ) {
for my $zone ( split /,/, $gatewayzones ) {
fatal_error "Unknown zone ($zone)" unless $zones{$zone};
my $type = $zones{$zone}{type};
my $type = zone_type( $zone );
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
$inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
$inchainref = ensure_filter_chain "${zone}2${fw}", 1;
$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
unless ( $capabilities{POLICY_MATCH} ) {
add_rule $inchainref, "-p 50 $source -j ACCEPT";
@ -225,14 +226,12 @@ sub setup_tunnels() {
sub setup_one_tunnel($$$$) {
my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
fatal_error "Unknown zone ($zone)" unless $zones{$zone};
my $zonetype = $zones{$zone}{type};
my $zonetype = zone_type( $zone );
fatal_error "Invalid zone ($zone) for tunnel ZONE" if $zonetype eq 'firewall' || $zonetype eq 'bport4';
my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1;
my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
my $source = match_source_net $gateway;
my $dest = match_dest_net $gateway;
@ -286,7 +285,7 @@ sub setup_tunnels() {
}
}
$comment = '';
clear_comment;
}
1;

98
Shorewall-perl/Shorewall/Zones.pm
View File

@ -41,9 +41,19 @@ our @EXPORT = qw( NOTHING
determine_zones
zone_report
dump_zone_contents
find_zone
firewall_zone
defined_zone
zone_type
all_zones
complex_zones
non_firewall_zones
single_interface
validate_interfaces_file
all_interfaces
find_interface
known_interface
have_bridges
port_to_bridge
source_port_to_bridge
interface_is_optional
@ -51,16 +61,10 @@ our @EXPORT = qw( NOTHING
get_interface_option
validate_hosts_file
find_hosts_by_option
@zones
%zones
$firewall_zone
%interfaces
@interfaces
@bridges );
);
our @EXPORT_OK = qw( initialize );
our $VERSION = 4.03;
our $VERSION = '4.03';
#
# IPSEC Option types
@ -312,24 +316,24 @@ sub determine_zones()
fatal_error "No firewall zone defined" unless $firewall_zone;
my $pushed = 1;
my %ordered;
while ( $pushed )
PUSHED:
{
$pushed = 0;
ZONE:
for my $zone ( @z ) {
unless ( $ordered{$zone} ) {
for my $child ( @{$zones{$zone}{children}} ) {
next ZONE unless $ordered{$child};
for ( @{$zones{$zone}{children}} ) {
next ZONE unless $ordered{$_};
}
$ordered{$zone} = 1;
push @zones, $zone;
$pushed = 1;
redo PUSHED;
}
}
}
fatal_error "Internal error in determine_zones()" unless scalar @zones == scalar @z;
}
#
@ -504,6 +508,44 @@ sub add_group_to_zone($$$$$)
ipsec => $type eq 'ipsec4' ? 'ipsec' : 'none' };
}
#
# Verify that the passed zone name represents a declared zone. Return a
# reference to its zone table entry.
#
sub find_zone( $ ) {
my $zone = $_[0];
my $zoneref = $zones{$zone};
fatal_error "Unknown zone" unless $zoneref;
$zoneref;
}
sub zone_type( $ ) {
find_zone( $_[0] )->{type};
}
sub defined_zone( $ ) {
$zones{$_[0]};
}
sub all_zones() {
@zones;
}
sub non_firewall_zones() {
grep ( $zones{$_}{type} ne 'firewall' , @zones );
}
sub complex_zones() {
grep( $zones{$_}{options}{complex} , @zones );
}
sub firewall_zone() {
$firewall_zone;
}
#
# Return a list of networks routed out of the passed interface
#
@ -724,7 +766,7 @@ sub validate_interfaces_file( $ )
fatal_error "No routes found through 'detectnets' interface $interface" unless @networks || $options{optional};
delete $options{maclist} unless @networks;
} else {
@networks = @allipv4;
@networks = allipv4;
}
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
@ -782,6 +824,32 @@ sub known_interface($)
0;
}
#
# Return the interfaces list
#
sub all_interfaces() {
@interfaces;
}
#
# Return a reference to the interfaces table entry for an interface
#
sub find_interface( $ ) {
my $interface = $_[0];
my $interfaceref = $interfaces{ $interface };
fatal_error "Unknown Interface ($interface)" unless $interfaceref;
$interfaceref;
}
#
# Returns true if there are bridges defined in the config
#
sub have_bridges() {
@bridges > 0;
}
#
# Return the bridge associated with the passed interface. If the interface is not a bridge port,
# return ''

5
Shorewall-perl/buildports.pl
View File

@ -123,8 +123,11 @@ use warnings;
our @ISA = qw(Exporter);
our @EXPORT = qw( %protocols %services );
our @EXPORT_OK = qw();
our $VERSION = '1.00';
EOF
print "our \$VERSION = '$globals{VERSION}';\n";
print <<'EOF';
our %protocols = (
EOF

10
Shorewall-perl/compiler.pl
View File

@ -32,6 +32,7 @@
# --directory=<directory> # Directory where configuration resides (default is /etc/shorewall)
# --timestamp # Timestamp all progress messages
# --debug # Print stack trace on warnings and fatal error.
# --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
#
use strict;
use FindBin;
@ -40,7 +41,7 @@ use Shorewall::Compiler;
use Getopt::Long;
sub usage() {
print STDERR "usage: compiler.pl [ --export ] [ --directory=<directory> ] [ --verbose={0-2} ] [ --timestamp ] [ -- debuging ] [ <filename> ]\n";
print STDERR "usage: compiler.pl [ --export ] [ --directory=<directory> ] [ --verbose={0-2} ] [ --timestamp ] [ -- debuging ] [ --refresh=<chainlist> ] [ <filename> ]\n";
exit 1;
}
@ -52,6 +53,7 @@ my $shorewall_dir = '';
my $verbose = 0;
my $timestamp = '';
my $debug = 0;
my $chains = '';
Getopt::Long::Configure ('bundling');
@ -63,7 +65,9 @@ my $result = GetOptions('export' => \$export,
'v=i' => \$verbose,
'timestamp' => \$timestamp,
't' => \$timestamp,
'debug' => \$debug
'debug' => \$debug,
'r=s' => \$chains,
'refresh=s' => \$chains
);
usage unless $result && @ARGV < 2;
@ -74,4 +78,4 @@ $options |= EXPORT if $export;
$options |= TIMESTAMP if $timestamp;
$options |= DEBUG if $debug;
compiler $ARGV[0], $shorewall_dir, $verbose, $options;
compiler $ARGV[0], $shorewall_dir, $verbose, $options, $chains;

788
Shorewall-perl/diff-4.0-lib.base
View File

@ -1,788 +0,0 @@
--- ../Shorewall-common/lib.base 2007-07-22 06:29:50.000000000 -0700
+++ prog.header 2007-07-22 06:29:50.000000000 -0700
@@ -1,48 +1,27 @@
-#!/bin/sh
-#
-# Shorewall 4.0 -- /usr/share/shorewall/lib.base
-#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
#
-# Complete documentation is available at http://shorewall.net
+# Options are:
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# This library contains the code common to all Shorewall components.
-#
-# - It is copied into the compiled script with the -e compiler flag is specified to
-# shorewall-shell.
-# - It is loaded by /sbin/shorewall.
-# - It is loaded by /usr/share/shorewall/firewall.
-# - It is loaded by /usr/share/shorewall-shell/compiler.
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
-# and /usr/share/shorewall-lite/shorecap.
-# - It is released as part of Shorewall Perl where it is copied into the compiled script
-# by the compiler.
-#
-
-SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=30405
-
-[ -n "${VARDIR:=/var/lib/shorewall}" ]
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
-[ -n "${CONFDIR:=/etc/shorewall}" ]
-SHELLSHAREDIR=/usr/share/shorewall-shell
-PERLSHAREDIR=/usr/share/shorewall-perl
-
+# -n Don't alter Routing
+# -v and -q Standard Shorewall Verbosity control
+#
+# Commands are:
+#
+# start Starts the firewall
+# refresh Refresh the firewall
+# restart Restarts the firewall
+# reload Reload the firewall
+# clear Removes all firewall rules
+# stop Stops the firewall
+# status Displays firewall status
+# version Displays the version of Shorewall that
+# generated this program
+#
+################################################################################
+# Functions imported from /usr/share/shorewall/lib.base
+################################################################################
#
# Message to stderr
#
@@ -111,20 +90,6 @@
}
#
-# Undo the effect of 'separate_list()'
-#
-combine_list()
-{
- local f o=
-
- for f in $* ; do
- o="${o:+$o,}$f"
- done
-
- echo $o
-}
-
-#
# Suppress all output for a command
#
qt()
@@ -310,83 +275,6 @@
}
#
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
-#
-# This function uses the lockfile utility from procmail if it exists.
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
-# behavior of lockfile.
-#
-mutex_on()
-{
- local try=0
- local lockf=${LOCKFILE:=${VARDIR}/lock}
-
- MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-
- if [ $MUTEX_TIMEOUT -gt 0 ]; then
-
- [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-
- if qt mywhich lockfile; then
- lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
- else
- while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
- sleep 1
- try=$((${try} + 1))
- done
-
- if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
- # Create the lockfile
- echo $$ > ${lockf}
- else
- echo "Giving up on lock file ${lockf}" >&2
- fi
- fi
- fi
-}
-
-#
-# Call this function to release mutual exclusion
-#
-mutex_off()
-{
- rm -f ${LOCKFILE:=${VARDIR}/lock}
-}
-
-#
-# Load an optional library
-#
-lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
-{
- local lib=${SHAREDIR}/lib.$1
- local loaded
-
- eval loaded=\$LIB_${1}_LOADED
-
- if [ -z "$loaded" ]; then
- [ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
-
- if [ -f $lib ]; then
- progress_message "Loading library $lib..."
- . $lib
- eval LIB_${1}_LOADED=Yes
- else
- startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed"
- fi
- fi
-}
-
-#
-# Determine if an optional library is available
-#
-lib_avail() # $1 = Name of the Library
-{
- [ -f ${SHAREDIR}/lib.$1 ]
-}
-
-#
# Note: The following set of IP address manipulation functions have anomalous
# behavior when the shell only supports 32-bit signed arithmetic and
# the IP address is 128.0.0.0 or 128.0.0.1.
@@ -395,32 +283,6 @@
LEFTSHIFT='<<'
#
-# Validate an IP address
-#
-valid_address() {
- local x y
- local ifs=$IFS
-
- IFS=.
-
- for x in $1; do
- case $x in
- [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
- [ $x -lt 256 ] || { IFS=$ifs; return 2; }
- ;;
- *)
- IFS=$ifs
- return 2
- ;;
- esac
- done
-
- IFS=$ifs
-
- return 0
-}
-
-#
# Convert an IP address in dot quad format to an integer
#
decodeaddr() {
@@ -456,88 +318,6 @@
}
#
-# Enumerate the members of an IP range -- When using a shell supporting only
-# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
-#
-# Comes in two flavors:
-#
-# ip_range() - produces a mimimal list of network/host addresses that spans
-# the range.
-#
-# ip_range_explicit() - explicitly enumerates the range.
-#
-ip_range() {
- local first last l x y z vlsm
-
- case $1 in
- !*)
- #
- # Let iptables complain if it's a range
- #
- echo $1
- return
- ;;
- [0-9]*.*.*.*-*.*.*.*)
- ;;
- *)
- echo $1
- return
- ;;
- esac
-
- first=$(decodeaddr ${1%-*})
- last=$(decodeaddr ${1#*-})
-
- if [ $first -gt $last ]; then
- fatal_error "Invalid IP address range: $1"
- fi
-
- l=$(( $last + 1 ))
-
- while [ $first -le $last ]; do
- vlsm=
- x=31
- y=2
- z=1
-
- while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
- vlsm=/$x
- x=$(( $x - 1 ))
- z=$y
- y=$(( $y * 2 ))
- done
-
- echo $(encodeaddr $first)$vlsm
- first=$(($first + $z))
- done
-}
-
-ip_range_explicit() {
- local first last
-
- case $1 in
- [0-9]*.*.*.*-*.*.*.*)
- ;;
- *)
- echo $1
- return
- ;;
- esac
-
- first=$(decodeaddr ${1%-*})
- last=$(decodeaddr ${1#*-})
-
- if [ $first -gt $last ]; then
- fatal_error "Invalid IP address range: $1"
- fi
-
- while [ $first -le $last ]; do
- echo $(encodeaddr $first)
- first=$(($first + 1))
- done
-}
-
-#
# Netmask from CIDR
#
ip_netmask() {
@@ -588,60 +368,6 @@
}
#
-# Netmask to VLSM
-#
-ip_vlsm() {
- local mask=$(decodeaddr $1)
- local vlsm=0
- local x=$(( 128 << 24 )) # 0x80000000
-
- while [ $(( $x & $mask )) -ne 0 ]; do
- [ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
- vlsm=$(($vlsm + 1))
- done
-
- if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
- echo "Invalid net mask: $1" >&2
- else
- echo $vlsm
- fi
-}
-
-
-#
-# Chain name base for an interface -- replace all periods with underscores in the passed name.
-# The result is echoed (less trailing "+").
-#
-chain_base() #$1 = interface
-{
- local c=${1%%+}
-
- while true; do
- case $c in
- @*)
- c=at_${c#@}
- ;;
- *.*)
- c="${c%.*}_${c##*.}"
- ;;
- *-*)
- c="${c%-*}_${c##*-}"
- ;;
- *%*)
- c="${c%\%*}_${c##*%}"
- ;;
- *@*)
- c="${c%@*}_${c##*@}"
- ;;
- *)
- echo ${c:=common}
- return
- ;;
- esac
- done
-}
-
-#
# Query NetFilter about the existence of a filter chain
#
chain_exists() # $1 = chain name
@@ -879,21 +605,6 @@
}
#
-# Set default config path
-#
-ensure_config_path() {
- local F=${SHAREDIR}/configpath
- if [ -z "$CONFIG_PATH" ]; then
- [ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
- . $F
- fi
-
- if [ -n "$SHOREWALL_DIR" ]; then
- [ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
- fi
-}
-
-#
# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
#
find_file()
@@ -918,54 +629,6 @@
}
#
-# Get fully-qualified name of file
-#
-resolve_file() # $1 = file name
-{
- local pwd=$PWD
-
- case $1 in
- /*)
- echo $1
- ;;
- .)
- echo $pwd
- ;;
- ./*)
- echo ${pwd}${1#.}
- ;;
- ..)
- cd ..
- echo $PWD
- cd $pwd
- ;;
- ../*)
- cd ..
- resolve_file ${1#../}
- cd $pwd
- ;;
- *)
- echo $pwd/$1
- ;;
- esac
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
- eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
- . $(find_file $(expand $@))
-}
-
-#
# Set the Shorewall state
#
set_state () # $1 = state
@@ -974,200 +637,6 @@
}
#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
- CONNTRACK_MATCH=
- MULTIPORT=
- XMULTIPORT=
- POLICY_MATCH=
- PHYSDEV_MATCH=
- IPRANGE_MATCH=
- RECENT_MATCH=
- OWNER_MATCH=
- IPSET_MATCH=
- CONNMARK=
- XCONNMARK=
- CONNMARK_MATCH=
- XCONNMARK_MATCH=
- RAW_TABLE=
- IPP2P_MATCH=
- LENGTH_MATCH=
- CLASSIFY_TARGET=
- ENHANCED_REJECT=
- USEPKTTYPE=
- KLUDGEFREE=
- MARK=
- XMARK=
- MANGLE_FORWARD=
- COMMENTS=
- ADDRTYPE=
- TCPMSS_MATCH=
-
- qt $IPTABLES -N fooX1234
- qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
- qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
-
- if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
- PHYSDEV_MATCH=Yes
- fi
-
- if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
- IPRANGE_MATCH=Yes
- if [ -z "${KLUDGEFREE}" ]; then
- qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
- fi
- fi
-
- qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
-
- if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
- CONNMARK_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
- fi
-
- qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
- qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-
- qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
-
- if [ -n "$MANGLE_ENABLED" ]; then
- qt $IPTABLES -t mangle -N fooX1234
-
- if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
- MARK=Yes
- qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
- fi
-
- if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
- CONNMARK=Yes
- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
- fi
-
- qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
- qt $IPTABLES -t mangle -F fooX1234
- qt $IPTABLES -t mangle -X fooX1234
- qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
- fi
-
- qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
-
- if qt mywhich ipset; then
- qt ipset -X fooX1234 # Just in case something went wrong the last time
-
- if qt ipset -N fooX1234 iphash ; then
- if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
- qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
- IPSET_MATCH=Yes
- fi
- qt ipset -X fooX1234
- fi
- fi
-
- qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
- qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
- qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-
- qt $IPTABLES -F fooX1234
- qt $IPTABLES -X fooX1234
-
- CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
-report_capabilities() {
- report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
- {
- local setting=
-
- [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
- echo " " $1: $setting
- }
-
- if [ $VERBOSE -gt 1 ]; then
- echo "Shorewall has detected the following iptables/netfilter capabilities:"
- report_capability "NAT" $NAT_ENABLED
- report_capability "Packet Mangling" $MANGLE_ENABLED
- report_capability "Multi-port Match" $MULTIPORT
- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
- report_capability "Connection Tracking Match" $CONNTRACK_MATCH
- report_capability "Packet Type Match" $USEPKTTYPE
- report_capability "Policy Match" $POLICY_MATCH
- report_capability "Physdev Match" $PHYSDEV_MATCH
- report_capability "Packet length Match" $LENGTH_MATCH
- report_capability "IP range Match" $IPRANGE_MATCH
- report_capability "Recent Match" $RECENT_MATCH
- report_capability "Owner Match" $OWNER_MATCH
- report_capability "Ipset Match" $IPSET_MATCH
- report_capability "CONNMARK Target" $CONNMARK
- [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
- report_capability "Connmark Match" $CONNMARK_MATCH
- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
- report_capability "Raw Table" $RAW_TABLE
- report_capability "IPP2P Match" $IPP2P_MATCH
- report_capability "CLASSIFY Target" $CLASSIFY_TARGET
- report_capability "Extended REJECT" $ENHANCED_REJECT
- report_capability "Repeat match" $KLUDGEFREE
- report_capability "MARK Target" $MARK
- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
- report_capability "Comments" $COMMENTS
- report_capability "Address Type Match" $ADDRTYPE
- report_capability "TCPMSS Match" $TCPMSS_MATCH
- fi
-
- [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
-}
-
-report_capabilities1() {
- report_capability1() # $1 = Capability
- {
- eval echo $1=\$$1
- }
-
- echo "#"
- echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
- echo "#"
- report_capability1 NAT_ENABLED
- report_capability1 MANGLE_ENABLED
- report_capability1 MULTIPORT
- report_capability1 XMULTIPORT
- report_capability1 CONNTRACK_MATCH
- report_capability1 USEPKTTYPE
- report_capability1 POLICY_MATCH
- report_capability1 PHYSDEV_MATCH
- report_capability1 LENGTH_MATCH
- report_capability1 IPRANGE_MATCH
- report_capability1 RECENT_MATCH
- report_capability1 OWNER_MATCH
- report_capability1 IPSET_MATCH
- report_capability1 CONNMARK
- report_capability1 XCONNMARK
- report_capability1 CONNMARK_MATCH
- report_capability1 XCONNMARK_MATCH
- report_capability1 RAW_TABLE
- report_capability1 IPP2P_MATCH
- report_capability1 CLASSIFY_TARGET
- report_capability1 ENHANCED_REJECT
- report_capability1 KLUDGEFREE
- report_capability1 MARK
- report_capability1 XMARK
- report_capability1 MANGLE_FORWARD
- report_capability1 COMMENTS
- report_capability1 ADDRTYPE
-
- echo CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
-#
# Delete IP address
#
del_ip_addr() # $1 = address, $2 = interface
@@ -1286,82 +755,6 @@
cut -b -${1}
}
-#
-# Add a logging rule.
-#
-do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
-{
- local level=$1
- local chain=$2
- local displayChain=$3
- local disposition=$4
- local rulenum=
- local limit=
- local tag=
- local command=
- local prefix
- local base=$(chain_base $displayChain)
- local pf
-
- limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
- tag=${6:+$6 }
- command=${7:--A}
-
- shift 7
-
- if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
- displayChain=$tag
- tag=
- fi
-
- if [ -n "$LOGRULENUMBERS" ]; then
- #
- # Hack for broken printf on some lightweight shells
- #
- [ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf)
-
- eval rulenum=\$${base}_logrules
-
- rulenum=${rulenum:-1}
-
- prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
-
- rulenum=$(($rulenum + 1))
- eval ${base}_logrules=$rulenum
- else
- prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
- fi
-
- if [ ${#prefix} -gt 29 ]; then
- prefix=`echo "$prefix" | truncate 29`
- error_message "WARNING: Log Prefix shortened to \"$prefix\""
- fi
-
- case $level in
- ULOG)
- $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
- ;;
- *)
- $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
- ;;
- esac
-
- if [ $? -ne 0 ] ; then
- [ -z "$STOPPING" ] && { stop_firewall; exit 2; }
- fi
-}
-
-do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
-{
- local level=$1
- local chain=$2
- local disposition=$3
-
- shift 3
-
- do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
-}
-
delete_tc1()
{
clear_one_tc() {
@@ -1496,65 +889,6 @@
echo echo
}
-
-# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
-#
-# None - No mktemp
-# BSD - BSD mktemp (Mandrake)
-# STD - mktemp.org mktemp
-#
-find_mktemp() {
- local mktemp=`mywhich mktemp 2> /dev/null`
-
- if [ -n "$mktemp" ]; then
- if qt mktemp -V ; then
- MKTEMP=STD
- else
- MKTEMP=BSD
- fi
- else
- MKTEMP=None
- fi
-}
-
-#
-# create a temporary file. If a directory name is passed, the file will be created in
-# that directory. Otherwise, it will be created in a temporary directory.
-#
-mktempfile() {
-
- [ -z "$MKTEMP" ] && find_mktemp
-
- if [ $# -gt 0 ]; then
- case "$MKTEMP" in
- BSD)
- mktemp $1/shorewall.XXXXXX
- ;;
- STD)
- mktemp -p $1 shorewall.XXXXXX
- ;;
- None)
- > $1/shorewall-$$ && echo $1/shorewall-$$
- ;;
- *)
- error_message "ERROR:Internal error in mktempfile"
- ;;
- esac
- else
- case "$MKTEMP" in
- BSD)
- mktemp /tmp/shorewall.XXXXXX
- ;;
- STD)
- mktemp -t shorewall.XXXXXX
- ;;
- None)
- rm -f /tmp/shorewall-$$
- > /tmp/shorewall-$$ && echo /tmp/shorewall-$$
- ;;
- *)
- error_message "ERROR:Internal error in mktempfile"
- ;;
- esac
- fi
-}
+################################################################################
+# End of functions imported from /usr/share/shorewall/lib.base
+################################################################################

2
Shorewall-perl/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.3
VERSION=4.0.4
usage() # $1 = exit status
{

6
Shorewall-perl/prog.functions
View File

@ -6,11 +6,9 @@ delete_proxyarp() {
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
interface=/proc/sys/net/ipv4/conf/$interface
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
done < ${VARDIR}/proxyarp
for f in /proc/sys/net/ipv4/conf/*; do
[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
done
fi
rm -f ${VARDIR}/proxyarp

15
Shorewall-perl/prog.header
View File

@ -636,6 +636,21 @@ set_state () # $1 = state
echo "$1 ($(date))" > ${VARDIR}/state
}
#
# Perform variable substitution on the passed argument and echo the result
#
expand() # $@ = contents of variable which may be the name of another variable
{
eval echo \"$@\"
}
#
# Function for including one file into another
#
INCLUDE() {
. $(find_file $(expand $@))
}
#
# Delete IP address
#

4
Shorewall-perl/shorewall-perl.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-perl
%define version 4.0.3
%define version 4.0.4
%define release 1
Summary: Shoreline Firewall Perl-based compiler.
@ -72,6 +72,8 @@ fi
%doc COPYING releasenotes.txt
%changelog
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net

2
Shorewall-shell/README.txt
View File

@ -1 +1 @@
This is the Shorewall-shell Development 4.1 branch of SVN.
This is the Shorewall-shell Stable 4.0 branch of SVN.

2
Shorewall-shell/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.0.3
VERSION=4.0.4
usage() # $1 = exit status
{

4
Shorewall-shell/shorewall-shell.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-shell
%define version 4.0.3
%define version 4.0.4
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -81,6 +81,8 @@ fi
%doc COPYING INSTALL
%changelog
* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
* Thu Aug 09 2007 Tom Eastep tom@shorewall.net