Shorewall 2.0.3 Beta 1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1396 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp2/etc/shorewall/shorewall.conf

@@ -258,6 +258,24 @@ MODULESDIR=
 # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
 
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+#
+# RESTORE SCRIPT
+#
+# This option determines the script to be run in the following cases:
+#
+#	shorewall -f start
+#	shorewall restore
+#	shorewall save
+#	shorewall forget
+#	Failure of shorewall start or shorewall restart
+#
+# The value of the option must be the name of an executable file in the
+# directory /var/lib/shorewall. If this option is not set or if it is
+# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
+# assumed.
+
+RESTOREFILE=
 ################################################################################
 #                       F I R E W A L L   O P T I O N S
 ################################################################################

Lrp2/sbin/shorewall

@@ -76,14 +76,17 @@
 #						   listed address(es)
 #	   shorewall allow <address> ...	   Reenable address(es) previously
 #						   disabled with "drop" or "reject"
-#	   shorewall save			   Save the list of "rejected" and
+#	   shorewall save [ <file> ]		   Save the list of "rejected" and
 #						   "dropped" addresses so that it will
 #						   be automatically reinstated the
 #						   next time that Shorewall starts.
 #                                                  Save the current state so that 'shorewall
 #                                                  restore' can be used.
 #
-#          shorewall forget                        Discard the data saved by 'shorewall save'
+#          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
+#
+#          shorewall restore [ <file> ]            Restore the state of the firewall from
+#                                                  previously saved information.
 #
 #          shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
 #
@@ -131,6 +134,19 @@ showchain() # $1 = name of chain
     fi
 }
 
+#
+# Validate the value of RESTOREFILE
+#
+validate_restorefile() # $* = label
+{
+    case $RESTOREFILE in
+	*/*)
+	    echo "   ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
+	    exit 2
+	    ;;
+    esac    
+}
+
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -160,11 +176,17 @@ get_config() {
 
     if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -e "$SHOREWALL_SHELL" ]; then
-	    echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
+	    echo "   ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
 	    exit 2
 	fi
     fi
 
+    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
+
+    validate_restorefile RESTOREFILE
+
+    export RESTOREFILE
+
 }
 
 #
@@ -535,7 +557,7 @@ help()
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>"
+    echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
     echo "where <command> is one of:"
     echo "   add <interface>[:<host>] <zone>"
     echo "   allow <address> ..."
@@ -543,7 +565,7 @@ usage() # $1 = exit status
     echo "   clear"
     echo "   delete <interface>[:<host>] <zone>"
     echo "   drop <address> ..."
-    echo "   forget"
+    echo "   forget [ <file name> ]"
     echo "   help [ <command > | host | address ]"
     echo "   hits"
     echo "   ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@@ -554,8 +576,8 @@ usage() # $1 = exit status
     echo "   reject <address> ..."
     echo "   reset"
     echo "   restart"
-    echo "   restore"
-    echo "   save"
+    echo "   restore [ <file name> ]"
+    echo "   save [ <file name> ]"
     echo "   show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
     echo "   start"
     echo "   stop"
@@ -735,11 +757,14 @@ case "$1" in
 	[ $# -ne 1 ] && usage 1
 	get_config
 	if [ -n "$FAST" ]; then
-	    if [ -f /var/lib/shorewall/restore ]; then
+	    
+	    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
+	    if [ -x $RESTOREPATH ]; then
 		echo Restoring Shorewall...
-		. /var/lib/shorewall/restore
+		$RESTOREPATH
 		date > $STATEDIR/restarted
-		echo Shorewall restored
+		echo Shorewall restored from $RESTOREPATH
 	    else
 		exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
 	    fi
@@ -963,28 +988,57 @@ case "$1" in
 	;;
     save)
     	[ -n "$debugging" ] && set -x
-	[ $# -ne 1 ] && usage 1
+
+	get_config
+
+	case $# in
+	1)
+	    ;;
+	2)
+	    RESTOREFILE="$2"
+	    validate_restorefile '<restore file>'
+	    ;;
+	*)
+	    usage 1
+	    ;;
+	esac
+
+	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
 	mutex_on
 
 	if qt iptables -L shorewall -n; then
-	    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
+	    [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
 
-	    if iptables -L dynamic -n > /var/lib/shorewall/save; then
-		echo "   Dynamic Rules Saved"
-		if [ -f /var/lib/shorewall/restore-base ]; then
-		    cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
-		    if iptables-save >> /var/lib/shorewall/restore-$$ ; then
-			echo EOF >> /var/lib/shorewall/restore-$$
-			mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
-			chmod +x /var/lib/shorewall/restore
-			echo "   Currently-running Configuration Saved"
-                    else
-			rm -f /var/lib/shorewall/restore-$$
-			echo "   ERROR: Currently-running Configuration Not Saved"
-		    fi
-		fi
+	    if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
+		echo "   ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
 	    else
-		echo "Error Saving the Dynamic Rules"
+		case $RESTOREFILE in
+		    save|restore-base)
+			echo "   ERROR: Reserved file name: save"
+			;;
+		    *)
+			if iptables -L dynamic -n > /var/lib/shorewall/save; then
+			    echo "   Dynamic Rules Saved"
+			    if [ -f /var/lib/shorewall/restore-base ]; then
+				cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
+				if iptables-save >> /var/lib/shorewall/restore-$$ ; then
+				    echo __EOF__ >> /var/lib/shorewall/restore-$$
+				    mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
+				    chmod +x $RESTOREPATH
+				    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+				else
+				    rm -f /var/lib/shorewall/restore-$$
+				    echo "   ERROR: Currently-running Configuration Not Saved"
+				fi
+			    else
+				echo "   ERROR: /var/lib/shorewall/restore-base does not exist"
+			    fi
+			else
+			    echo "Error Saving the Dynamic Rules"
+			fi
+			;;
+		esac
 	    fi
 	else
 	    echo "Shorewall isn't started"
@@ -992,9 +1046,28 @@ case "$1" in
 	mutex_off
 	;;
     forget)
-	rm -f /var/lib/shorewall/restore
-	rm -f /var/lib/shorewall/save
-	echo "   Previously saved information discarded"
+	get_config
+	case $# in
+	1)
+	    ;;
+	2)
+	    RESTOREFILE="$2"
+	    validate_restorefile '<restore file>'
+	    ;;
+	*)
+	    usage 1
+	    ;;
+	esac
+
+
+	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
+	if [ -x $RESTOREPATH ]; then
+	    rm -f $RESTOREPATH
+	    echo "    $RESTOREPATH removed"
+	elif [ -f $RESTOREPATH ]; then
+	    echo "   ERROR: $RESTOREPATH is not a restore script"
+	fi
 	;;
     ipcalc)
     	[ -n "$debugging" ] && set -x
@@ -1032,12 +1105,26 @@ case "$1" in
 	esac
 	;;
     restore)
-	if [ -f /var/lib/shorewall/restore ]; then
+	get_config
+	case $# in
+	1)
+	    ;;
+	2)
+	    RESTOREFILE="$2"
+	    validate_restorefile '<restore file>'
+	    ;;
+	*)
+	    usage 1
+	    ;;
+	esac
+
+	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+
+	if [ -x $RESTOREPATH ]; then
 	    echo Restoring Shorewall...
-	    . /var/lib/shorewall/restore
-            echo Shorewall restored
+	    $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
 	else
-	    echo "File /var/lib/shorewall/restore: file not found"
+	    echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
             exit 2
         fi
         ;;

Lrp2/usr/share/shorewall/action.Drop

@@ -10,6 +10,6 @@ RejectAuth
 dropBcast
 DropSMB
 DropUPnP
-dropNonSyn
+dropNotSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Lrp2/usr/share/shorewall/action.Reject

@@ -10,6 +10,6 @@ RejectAuth
 dropBcast
 RejectSMB
 DropUPnP
-dropNonSyn
+dropNotSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Lrp2/usr/share/shorewall/actions.std

@@ -6,6 +6,13 @@
 #
 #    dropBcast          #Silently Drop Broadcast/multicast
 #    dropNonSyn         #Silently Drop Non-syn TCP packets
+#    rejNonSyn          #Silently Reject Non-syn TCP packets
+#    logNonSyn          #Log Non-syn TCP packets with disposition LOG
+#    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
+#    rLogNonSyn          #Log Non-syn TCP packets with disposition REJECT
+#
+# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
+# shorewall.conf. If that option isn't specified then 'info' is used.
 #
 #ACTION
 

Lrp2/usr/share/shorewall/firewall

@@ -51,11 +51,6 @@ my_mutex_off() {
     [ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
 }
 
-progress_message() # $* = Message
-{
-    [ -n "$QUIET" ] || echo "$@"
-}
-
 #
 # Message to stderr
 #
@@ -108,6 +103,17 @@ save_command()
     echo "$@" >> /var/lib/shorewall/restore-$$
 }
 
+#
+# Write a progress_message command to /var/lib/shorewall/restore-$$
+#
+save_progress_message() 
+{
+    
+    echo                           >> /var/lib/shorewall/restore-$$
+    echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$
+    echo                           >> /var/lib/shorewall/restore-$$
+}
+
 #
 # Save the passed command in the restore script then run it -- returns the status of the command
 # If the command involves file redirection then it must be enclosed in quotes as in:
@@ -133,12 +139,13 @@ ensure_and_save_command()
 }
     
 #
-# Append a file to /var/lib/shorewall/restore-$$
+# Append a file in $STATEDIR to /var/lib/shorewall/restore-$$
 #
-append_file() {
-    save_command "cat > $STATEDIR/$1 << EOF"
+append_file() # $1 = File Name
+{
+    save_command "cat > $STATEDIR/$1 << __EOF__"
     cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
-    save_command EOF
+    save_command __EOF__
 }
 
 #
@@ -576,7 +583,7 @@ known_interface() # $1 = interface name
 match_source_dev()
 {
     if [ -n "$BRIDGING" ]; then
-	known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1"
+	list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
     else
 	echo -i $1
     fi
@@ -585,12 +592,17 @@ match_source_dev()
 match_dest_dev()
 {
     if [ -n "$BRIDGING" ]; then
-	known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1"
+	list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
     else
 	echo -o $1
     fi
 }
 
+verify_interface()
+{
+    known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
+}
+
 #
 #
 # Find hosts in a given zone
@@ -765,7 +777,7 @@ validate_interfaces_file() {
 		    if [ -z "$found_obsolete_option" ]; then
 			found_obsolete_option=yes
 			error_message \
-			    "Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
+			    "WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
 			error_message \
 			    "         PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
 			sleep 5
@@ -798,6 +810,13 @@ validate_interfaces_file() {
 validate_hosts_file() {
    local z hosts options r interface host option port ports
 
+   check_bridge_port() 
+   {
+       list_search $1 $ports || ports="$ports $1"
+       list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
+       list_search $1 $all_ports || all_ports="$all_ports $1"
+   }
+
     while read z hosts options; do
 	expandv z hosts options
 	r="$z $hosts $options"
@@ -820,17 +839,14 @@ validate_hosts_file() {
 		*:*)
 		    known_interface ${host%:*} && \
 			startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
-		    port=${host%%:*}
-		    list_search $port $ports || ports="$ports $port"
-		    list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
+		    check_bridge_port ${host%%:*}
 		    ;;
 		*.*.*.*)
 		    ;;
 		*)
 		    known_interface $host && \
 			startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
-		    list_search $host $ports || ports="$ports $host"
-		    list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
+		    check_bridge_port $host
 		    ;;
 	    esac
 
@@ -855,6 +871,8 @@ validate_hosts_file() {
 	fi
 
     done < $TMP_DIR/hosts
+
+    [ -n "$all_ports" ] && echo "   Bridge ports are: $all_ports"
 }
 
 #
@@ -1178,6 +1196,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
 #
 setup_forwarding() {
+
+    save_progress_message "Restoring IP Forwarding..."
+
     case "$IP_FORWARDING" in
     [Oo][Nn])
 	run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
@@ -1198,6 +1219,7 @@ disable_ipv6() {
 
     if [ -n "$foo" ]; then
 	if qt which ip6tables; then
+	    save_progress_message "Disabling IPV6..."
 	    ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
 	    ip6tables -P INPUT DROP   && save_command ip6tables -P INPUT DROP
 	    ip6tables -P OUTPUT DROP  && save_command ip6tables -P OUTPUT DROP
@@ -1226,10 +1248,15 @@ stop_firewall() {
 	    ;;
 	*)
 	    set +x
-	    if [ -f /var/lib/shorewall/restore ]; then
+
+	    [ -z "$RESTOREFILE" ] && RESTOREFILE=restore
+
+	    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
+	    
+	    if [ -x $RESTOREPATH ]; then
 		echo Restoring Shorewall...
-		. /var/lib/shorewall/restore
-		echo Shorewall restored
+		$RESTOREPATH
+		echo "Shorewall restored from $RESTOREPATH"
 		my_mutex_off
 		kill $$
 		exit 2
@@ -1640,6 +1667,8 @@ setup_proxy_arp() {
 
     > ${STATEDIR}/proxyarp
 
+    save_progress_message "Restoring Proxy ARP..."
+
     while read address interface external haveroute persistent; do
 	expandv address interface external haveroute persistent
 	setup_one_proxy_arp
@@ -1840,6 +1869,8 @@ setup_nat() {
     #
     > ${STATEDIR}/nat
 
+    save_progress_message "Restoring one-to-one NAT..."
+
     while read external interface internal allints localnat; do
 	expandv external interface internal allints localnat
 
@@ -1995,10 +2026,8 @@ process_tc_rule()
 		    chain=tcout
 		    ;;
 		*)
-		    if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
-			fatal_error "Unknown interface $source in rule \"$rule\""
-		    fi
-
+		    
+		    verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
 		    r="$(match_source_dev) $source "
 		    ;;
 	    esac
@@ -2023,7 +2052,11 @@ process_tc_rule()
 	    esac
 	fi
 
-	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
+	if [ "x$dest" != "x-"  ]; then
+	    verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
+	    r="${r}$(match_dest_dev $dest) "
+	fi
+
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
 	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "
@@ -2095,6 +2128,8 @@ setup_tc1() {
     run_iptables -t mangle -A OUTPUT     -j tcout
 
     run_user_exit tcstart
+
+    save_progress_message "Restoring Traffic Control..."
     save_command . $(find_file tcstart)
 
 }
@@ -2118,6 +2153,8 @@ delete_tc()
 
     }
 
+    save_progress_message "Clearing Traffic Control/QOS"
+
     run_user_exit tcclear
 
     run_ip link list | \
@@ -2144,6 +2181,14 @@ process_accounting_rule() {
 	error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
     }
 
+    accounting_interface_error() {
+	error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
+    }
+
+    accounting_interface_verify() {
+	verify_interface $1 || accounting_interface_error $1
+    }
+
     jump_to_chain() {
 	if ! havechain $jumpchain; then
 	    if ! createchain2 $jumpchain No; then
@@ -2157,6 +2202,7 @@ process_accounting_rule() {
 
     case $source in
 	*:*)
+	    accounting_interface_verify ${source%:*}
 	    rule="-s ${source#*:} $(match_source_dev ${source%:*})"
 	    ;;
 	*.*.*.*)
@@ -2165,12 +2211,16 @@ process_accounting_rule() {
 	-|all|any)
 	    ;;
 	*)
-	    [ -n "$source" ] && rule="$(match_source_dev $source)"
+	    if [ -n "$source" ]; then
+		accounting_interface_verify $source
+		rule="$(match_source_dev $source)"
+	    fi
 	    ;;
     esac
 
     [ -n "$dest" ] && case $dest in
 	*:*)
+	    accounting_interface_verify ${dest%:*}
 	    rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
 	    ;;
 	*.*.*.*)
@@ -2179,6 +2229,7 @@ process_accounting_rule() {
 	-|all|any)
 	    ;;
 	*)
+	    accounting_interface_verify $dest
 	    rule="$rule $(match_dest_dev $dest)"
 	    ;;
     esac
@@ -2233,8 +2284,8 @@ process_accounting_rule() {
 		
     ensurechain1 $chain
 
-    if iptables -A $chain $rule ; then
-	[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
+    if iptables -A $chain $(fix_bang $rule) ; then
+	[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
 	progress_message "   Accounting rule" $action $chain $source $dest $proto $port $sport Added
     else
 	accounting_error
@@ -2409,6 +2460,16 @@ add_an_action()
 	fi
     }
 
+    interface_error()
+    {
+	fatal_error "Unknown interface $1 in rule: \"$rule\""
+    }
+
+    action_interface_verify()
+    {
+	verify_interface $1 || interface_error $1
+    }
+
     # Set source variables. The 'cli' variable will hold the client match predicate(s).
 
     cli=
@@ -2417,6 +2478,7 @@ add_an_action()
     -)
 	;;
     *:*)
+	action_interface_verify ${client%:*}
 	cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
 	;;
     *.*.*)
@@ -2426,7 +2488,10 @@ add_an_action()
 	cli=$(mac_match $client)
 	;;
     *)
-	[ -n "$client" ] && cli="$(match_source_dev $client)"
+	if [ -n "$client" ]; then
+	    action_interface_verify $client
+	    cli="$(match_source_dev $client)"
+	fi
 	;;
     esac
 
@@ -2445,7 +2510,10 @@ add_an_action()
 	fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 	;;
     *)
-	[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
+	if [ -n "$server" ]; then
+	    action_interface_verify $server
+	    dest_interface="$(match_dest_dev $server)"
+	fi
 	;;
     esac
 
@@ -2496,9 +2564,8 @@ add_an_action()
 			    $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
 		    fi
 		    
-		    [ "$logtarget" = LOG ] || \
-			run_iptables2 -A $action $proto $multiport $cli $sports \
-			    -d $srv $dports $ratelimit $userandgroup -j $target
+		    run_iptables2 -A $action $proto $multiport $cli $sports \
+			-d $srv $dports $ratelimit $userandgroup -j $target
 		done
 	    done
 	else
@@ -2507,9 +2574,8 @@ add_an_action()
 		    $(fix_bang $proto $sports $multiport $cli $dports)
 	    fi
 		    
-	    [ "$logtarget" = LOG ] || \
-		run_iptables2 -A $action $proto $multiport $cli $sports \
-		    $dports $ratelimit $userandgroup -j $target
+	    run_iptables2 -A $action $proto $multiport $cli $sports \
+		$dports $ratelimit $userandgroup -j $target
 	fi
     fi
 }
@@ -2682,33 +2748,9 @@ createactionchain() # $1 = chain name
 #
 
 process_actions1() {
-    #
-    # Add the builtin actions
-    #
-    add_builtin_actions() {
 	
-	if [ "$COMMAND" != check ]; then
-	    createchain dropBcast no
-	    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
-	    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
-                #
-                # No pkttype support -- do it the hard way
-                #
-		for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
-		    run_iptables -A dropBcast -d $address -j DROP
-		done
-	    fi
-
-	    createchain dropNonSyn no
-	    run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
-	fi
-
-	ACTIONS="dropBcast dropNonSyn"
-	USEDACTIONS="dropBcast dropNonSyn"
-	
-    }
-	
-    add_builtin_actions
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
+    USEDACTIONS=
 
     strip_file actions
 
@@ -2821,6 +2863,10 @@ process_actions2() {
 	process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
 
     }
+
+    log_action() {
+	[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
+    }
     #
     # Generate the transitive closure of $USEDACTIONS
     #
@@ -2844,7 +2890,38 @@ process_actions2() {
     #
     for xaction in $USEDACTIONS; do
 	case $xaction in
-	    dropNonSyn|dropBcast)
+	    dropBcast)
+		if [ "$COMMAND" != check ]; then
+		    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
+		    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
+                        #
+                        # No pkttype support -- do it the hard way
+                        #
+			for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+			    run_iptables -A dropBcast -d $address -j DROP
+			done
+		    fi
+		fi
+		;;		
+	    dropNonSyn)
+		error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
+		[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
+		;;
+
+	    dropNotSyn)
+		[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
+		;;
+	    rejNotSyn)
+		[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
+		;;
+	    logNotSyn)
+		log_action logNotSyn LOG
+		;;
+	    rLogNotSyn)
+		log_action rLogNotSyn REJECT
+		;;
+	    dLogNotSyn)
+		log_action dLogNotSyn DROP		
 		;;
 	    *)
 		f=action.$xaction
@@ -3091,6 +3168,16 @@ add_a_rule()
 	fi
     }
 
+    interface_error()
+    {
+	fatal_error "Unknown interface $1 in rule: \"$rule\""
+    }
+
+    rule_interface_verify()
+    {
+	verify_interface $1 || interface_error $1
+    }
+
     # Set source variables. The 'cli' variable will hold the client match predicate(s).
 
     cli=
@@ -3099,6 +3186,7 @@ add_a_rule()
     -)
 	;;
     *:*)
+	rule_interface_verify ${client%:*}
 	cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
 	;;
     *.*.*)
@@ -3108,7 +3196,10 @@ add_a_rule()
 	cli=$(mac_match $client)
 	;;
     *)
-	[ -n "$client" ] && cli="$(match_source_dev $client)"
+	if [ -n "$client" ]; then
+	    rule_interface_verify $client
+	    cli="$(match_source_dev $client)"
+	fi
 	;;
     esac
 
@@ -3128,7 +3219,8 @@ add_a_rule()
 	;;
     *)
 	if [ -n "$server" ]; then
-	    [ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget"
+	    [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
+	    rule_interface_verify $server
 	    dest_interface="$(match_dest_dev $server)"
 	fi
 	;;
@@ -3708,6 +3800,11 @@ process_tos_rule() {
 	    #
 	    # Assume that this is a device name
 	    #
+	    if ! verify_interface $src ; then
+		error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
+		return
+	    fi
+
 	    src="$(match_source_dev $src)"
 	    ;;
     esac
@@ -4285,7 +4382,7 @@ setup_masq()
 
     strip_file masq $1
 
-    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:"
+    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
 
     while read fullinterface networks addresses proto ports; do
 	expandv fullinterface networks addresses proto ports
@@ -4507,6 +4604,8 @@ add_ip_aliases()
 
     set -- $aliases_to_add
 
+    save_progress_message "Restoring IP Addresses..."
+
     while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
@@ -4529,7 +4628,7 @@ add_ip_aliases()
 #
 load_kernel_modules()
 {
-    local save_modules_dir=$MODULESDIR
+    save_modules_dir=$MODULESDIR
 
     [ -z "$MODULESDIR" ] && \
 	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
@@ -4537,7 +4636,7 @@ load_kernel_modules()
     modules=$(find_file modules)
 
     if [ -f $modules -a -d $MODULESDIR ]; then
-	echo "Loading Modules..."
+ 	progress_message "Loading Modules..."
 	. $modules
     fi
 
@@ -4547,12 +4646,10 @@ load_kernel_modules()
 save_load_kernel_modules()
 {
 
-    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-
     modules=$(find_file modules)
 
-    save_command "reload_kernel_modules <<EOF"
+    save_progress_message "Loading kernel modules..."
+    save_command "reload_kernel_modules <<__EOF__"
 
     while read command; do
 	case "$command" in
@@ -4562,7 +4659,7 @@ save_load_kernel_modules()
 	esac
     done < $modules
     
-    save_command EOF
+    save_command __EOF__
 
 }
 
@@ -4721,7 +4818,7 @@ initialize_netfilter () {
 	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT
 	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT
 	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT
-	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -j RETURN
+	    run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN
 	done
 
 	run_user_exit newnotsyn
@@ -5028,6 +5125,8 @@ add_common_rules() {
     #
     # ARP Filtering
     #
+    save_progress_message "Restoring ARP filtering..."
+
     for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
 	run_and_save_command "echo 0 > $f"
     done
@@ -5055,6 +5154,8 @@ add_common_rules() {
     if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
 	echo "Setting up Kernel Route Filtering..."
 
+	save_progress_message "Restoring Route Filtering..."
+
 	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 	    run_and_save_command "echo 0 > $f"
 	done
@@ -5419,7 +5520,10 @@ define_firewall() # $1 = Command (Start or Restart)
     [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
 
     echo '#bin/sh' > /var/lib/shorewall/restore-$$
-    echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
+    save_command "#"
+    save_command "# Restore base file generated by Shorewall $version - $(date)"
+    save_command "#"
+    save_command ". /usr/share/shorewall/functions"
 
     save_command "MODULESDIR=\"$MODULESDIR\""
     save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
@@ -5476,9 +5580,11 @@ define_firewall() # $1 = Command (Start or Restart)
     
     save_command "date > $STATEDIR/restarted"
 
-    save_command 'iptables-restore << EOF'
+    save_progress_message "Restoring Netfilter Configuration..."
 
-    # 'shorewall save' appends the iptables-save output and 'EOF'
+    save_command 'iptables-restore << __EOF__'
+
+    # 'shorewall save' appends the iptables-save output and '__EOF__'
 
     mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base
 
@@ -5948,16 +6054,16 @@ do_initialize() {
     ensure_config_path
     #
     # Determine the capabilities of the installed iptables/netfilter
-    # We load the kernel modules so that capabilities can be 
-    # accurately detected when kernel module autoloading is not
-    # enabled.
+    # We load the kernel modules here to acurately determine 
+    # capabilities when module autoloading isn't enabled.
     #
+
     [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
     load_kernel_modules
     determine_capabilities
 
     [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
-
+   
     [ -d $STATEDIR ] || mkdir -p $STATEDIR
 
     [ -z "$FW" ] && FW=fw

Lrp2/usr/share/shorewall/functions

@@ -33,6 +33,14 @@ list_count() {
     list_count1 $(separate_list $1)
 }
 
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    [ -n "$QUIET" ] || echo "$@"
+}
+
 #
 # Suppress all output for a command
 #

Lrp2/usr/share/shorewall/help

@@ -117,9 +117,9 @@ drop)
 	;;
 
 forget)
-	echo "forget: forget
-    Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
-    files are created by the 'shorewall save' command
+	echo "forget: forget [ <file name> ]
+    Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
+    the file specified by RESTOREFILE in shorewall.conf is removed.
 
     See also \"help save\""
 	;;
@@ -194,18 +194,22 @@ restart)
 	;;
 
 restore)
-	echo "restore: restore
-    Restore Shorewall to its last state saved using the 'save' command
-    Existing connections are maintained.
+	echo "restore: restore [ <file name> ]
+    Restore Shorewall to a state saved using the 'save' command
+    Existing connections are maintained. The <file name> names a restore file in 
+    /var/lib/shorewall created using "shorewall save"; if no <file name> is given 
+    then Shorewall will be restored from the file specified by the RESTOREFILE
+    option in shorewall.conf.
 
     See also \"help save\" and \"help forget\""
 	;;
 
 save)
-	echo "save: save
+	echo "save: save [ <file name> ]
     The dynamic data is stored in /var/lib/shorewall/save. The state of the 
-    firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore'
-    and 'shorewall -f start' commands.
+    firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
+    and 'shorewall -f start' commands. If <file name> is not given then the state is saved
+    in the file specified by the RESTOREFILE option in shorewall.conf.
 
     Shorewall allow, drop, rejct and save implement dynamic blacklisting.
 
@@ -240,8 +244,9 @@ start)
     Start shorewall.  Existing connections through shorewall managed
     interfaces are untouched.  New connections will be allowed only
     if they are allowed by the firewall rules or policies.
-    If \"-q\" is specified, less detain is displayed making it easier to spot warnings
-    If \"-f\" is specified, the last saved configuraton if any will be restored"
+    If \"-q\" is specified, less detail is displayed making it easier to spot warnings
+    If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
+    in shorewall.conf will be restored if that saved configuration exists"
 	;;
 
 stop)

Lrp2/usr/share/shorewall/version

@@ -1 +1 @@
-2.0.2f
+2.0.3-Beta1