From 6b28b0903714948c7dac787cbf27ffa4c3b3e086 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 24 Oct 2004 21:23:15 +0000 Subject: [PATCH] Shorewall 2.2.0 Beta 1 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1714 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- LrpN/etc/shorewall/accounting | 7 +- LrpN/etc/shorewall/ipsec | 6 +- LrpN/etc/shorewall/shorewall.conf | 12 ++ LrpN/etc/shorewall/tcrules | 58 ++++++- LrpN/usr/share/shorewall/firewall | 264 +++++++++++++++++++++++------- LrpN/usr/share/shorewall/version | 2 +- 6 files changed, 283 insertions(+), 66 deletions(-) diff --git a/LrpN/etc/shorewall/accounting b/LrpN/etc/shorewall/accounting index 499dbf24d..aa44a3d2a 100644 --- a/LrpN/etc/shorewall/accounting +++ b/LrpN/etc/shorewall/accounting @@ -47,9 +47,12 @@ # Format the same as the SOURCE column. # # PROTOCOL A protocol name (from /etc/protocols), a protocol -# number. +# number, or "ipp2p" # -# DEST PORT Destination Port number +# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then +# this column must contain an ipp2p option ("iptables -m +# ipp2p --help") without the leading "--". If no option +# is given in this column, "ipp2p" is assumed. # # Service name from /etc/services or port number. May # only be specified if the protocol is TCP or UDP (6 diff --git a/LrpN/etc/shorewall/ipsec b/LrpN/etc/shorewall/ipsec index 5474ad718..d3b352a3f 100644 --- a/LrpN/etc/shorewall/ipsec +++ b/LrpN/etc/shorewall/ipsec @@ -24,7 +24,9 @@ # spi= where is the SPI of # the SA used to encrypt/decrypt packets. # -# proto=ah|esp|ipcomp +# proto=ah|esp|ipcomp +# +# mss= (sets the MSS field in TCP packets) # # mode=transport|tunnel # 
@@ -49,7 +51,7 @@ # # If you wish to leave a column empty but need to make an entry # in a following column, use "-". -################################################################################ +################################################################################### #ZONE IPSEC OPTIONS IN OUT # ONLY OPTIONS OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/etc/shorewall/shorewall.conf b/LrpN/etc/shorewall/shorewall.conf index 2754264ed..91b2f06a3 100755 --- a/LrpN/etc/shorewall/shorewall.conf +++ b/LrpN/etc/shorewall/shorewall.conf @@ -130,6 +130,18 @@ LOGTAGONLY=No LOGRATE= LOGBURST= +# +# LOG ALL NEW +# +# This option should only be used when you are trying to analyze a problem. +# It causes all packets in the Netfilter NEW state to be logged as the +# first rule in each builtin chain. To use this option, set LOGALLNEW to +# the log level that you want these packets logged at (e.g., +# LOGALLNEW=debug). +# + +LOGALLNEW= + # # BLACKLIST LOG LEVEL # diff --git a/LrpN/etc/shorewall/tcrules b/LrpN/etc/shorewall/tcrules index 99a60ba0f..7d676f6f3 100644 --- a/LrpN/etc/shorewall/tcrules +++ b/LrpN/etc/shorewall/tcrules @@ -29,6 +29,22 @@ # determined by the setting of MARK_IN_FORWARD_CHAIN in # /etc/shorewall/shorewall.conf. # +# If your kernel and iptables include CONNMARK support +# then you can also mark the connection rather than +# the packet. +# +# The mark value may be optionally followed by "/" +# and a mask value (used to determine those bits of +# the connection mark to actually be set). The +# mark and optional mask are then followed by one of: +# +# C - Mark the connection in the chain determined +# by the setting of MARK_IN_FORWARD_CHAIN +# +# CF: Mark the conneciton in the FORWARD chain +# +# CP: Mark the connection in the PREROUTING chain. +# # b) A classification of the form : where # and are integers. Corresponds to # the 'class' specification in these traffic shaping 
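Review bot: The new `CF:` entry in the tcrules MARK description misspells "connection" as "conneciton"; it should read `# CF: Mark the connection in the FORWARD chain`. The three sibling entries also mix separators (`C -`, `CF:`, `CP:`), so one consistent form would make the list easier to scan.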
@@ -41,7 +57,21 @@ # - htb # - prio # -# Marking always occurs in the POSTROUTING chain. +# Classify always occurs in the POSTROUTING chain. +# +# c) RESTORE[/mask] -- restore the packet's mark from the +# connection's mark using the supplied mask if any. +# Your kernel and iptables must include CONNMARK support. +# As in a) above, may be followed by ":P" or ":F +# +# c) SAVE[/mask] -- save the packet's mark to the +# connection's mark using the supplied mask if any. +# Your kernel and iptables must include CONNMARK support. +# As in a) above, may be followed by ":P" or ":F +# +# d) CONTINUE -- don't process any more marking rules in +# the table. As in a) above, may be followed by ":P" or +# ":F". # # SOURCE Source of the packet. A comma-separated list of # interface names, IP addresses, MAC addresses @@ -62,14 +92,20 @@ # iptables include iprange match support, IP address # ranges are also allowed. # -# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, -# or "all". +# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", +# a number, or "all". "ipp2p" requires ipp2p match +# support in your kernel and iptables. # # PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # +# If the protocol is ipp2p, this column is interpreted +# as an ipp2p option without the leading "--" (example "bit" +# for bit-torrent). If no PORT is given, "ipp2p" is +# assumed. +# # This column is ignored if PROTOCOL = all but must be # entered if any of the following field is supplied. # In that case, it is suggested that this field contain 
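Review bot: The MARK column list now carries two items labelled `c)` (RESTORE and SAVE) followed by `d)` CONTINUE, so cross-references like "as in a) above" become ambiguous; relabel SAVE as `d)` and CONTINUE as `e)`. Both the RESTORE and SAVE entries also end with `may be followed by ":P" or ":F` without the closing quote and full stop that the CONTINUE entry has; close them as `":P" or ":F".`.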
@@ -92,9 +128,21 @@ # []:[] # # The colon is optionnal when specifying only a user. -# Examples : john: / john / :users / john:users +# Examples : john: / john / :users / john:users # +# TEST Defines a test on the existing packet or connection mark. +# The rule will match only if the test returns true. Tests +# have the format [!][/][:C] +# +# Where: +# +# ! Inverts the test (not equal) +# Value of the packet or connection mark. +# A mask to be applied to the mark before +# testing +# :C Designates a connection mark. If omitted, +# the packet mark's value is tested. ############################################################################## -#MARK SOURCE DEST PROTO PORT(S) CLIENT USER +#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall index 36bef0c20..101970b82 100755 --- a/LrpN/usr/share/shorewall/firewall +++ b/LrpN/usr/share/shorewall/firewall @@ -765,6 +765,17 @@ find_hosts() # $1 = host zone done < $TMP_DIR/hosts } +# +# Check for duplicate zone definitions +# +check_duplicate_zones() { + local localzones= + + for zone in $zones; do + list_search $zone $localzones && startup_error "Zone $zone is defined more than once" + localzones="$localzones $zone" + done +} # # Determine the interfaces on the firewall # @@ -1241,7 +1252,7 @@ run_user_exit() # $1 = file name # # Add a logging rule. # -log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $... = predicates for the rule +log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule { local level=$1 local chain=$2 
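Review bot: `check_duplicate_zones` iterates with the script-global `zone`, which other functions in this file read as an implicit input (for example the `set_mss` helpers added to setup_ipsec in this patch), so each call leaves `zone` set to the last zone in the list. Declaring it alongside the other local, `local localzones= zone`, keeps the helper free of side effects. The function is only called directly after determine_zones in both callers, so this is hygiene rather than an observed fault.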
@@ -1250,10 +1261,11 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi local rulenum= local limit="${5:-$LOGLIMIT}" local tag=${6:+$6 } + local command=${7:--A} local prefix local base=$(chain_base $displayChain) - shift;shift;shift;shift;shift + shift;shift;shift;shift;shift;shift;shift if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then displayChain=$tag @@ -1280,10 +1292,10 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispositi case $level in ULOG) - iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" + iptables $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix" ;; *) - iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" + iptables $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix" ;; esac @@ -1300,7 +1312,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo shift;shift;shift - log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" $@ + log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@ } # 
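Review bot: In log_rule_limit the new `local command=${7:--A}` presents the command argument as optional, but the shift count below is raised unconditionally from five to seven, so a caller that omits it would have its first predicate consumed as the command (and on dash the seventh `shift` is a fatal error once `$#` is exhausted). Every caller in this patch passes `-A` or `-I` explicitly, so the default is never exercised and only misleads; either drop it with `local command=$7` and document the argument as required in the header comment, `$7 = command (-A or -I, required)`, or keep the old shift count and consume the seventh argument only when it is present. The function body continues past the end of this hunk.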
@@ -1733,32 +1745,71 @@ setup_tunnels() # $1 = name of tunnels file done < $TMP_DIR/tunnels } +# +# Process the ipsec file +# setup_ipsec() { + # + # Add a --set-mss rule to the passed chain + # + set_mss1() # $1 = chain, $2 = MSS + { + eval local policy=\$${1}_policy + if [ "$policy" != NONE ]; then + ensurechain $1 + run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2 + fi + } + # + # Set up rules to set MSS to and/or from zone "$zone" + # + set_mss() # $1 = MSS value, $2 = _in, _out or "" + { + if [ $COMMAND != check ]; then + for z in $zones; do + case $2 in + _in) + set_mss1 ${zone}2${z} $1 + ;; + _out) + set_mss1 ${z}2${zone} $1 + ;; + *) + set_mss1 ${z}2${zone} $1 + set_mss1 ${zone}2${z} $1 + ;; + esac + done + fi + } do_options() # $1 = _in, _out or "" - $2 = option list { - local option opts newoptions= + local option opts newoptions= val [ x${2} = x- ] && return opts=$(separate_list $2) for option in $opts; do + val=${option#*=} + case $option in + mss=[0-9]*) set_mss $val $1 ;; strict) newoptions="$newoptions --strict" ;; next) newoptions="$newoptions --next" ;; - reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;; - spi=*) newoptions="$newoptions --spi ${option#*=}" ;; - proto=*) newoptions="$newoptions --proto ${option#*=}" ;; - mode=*) newoptions="$newoptions --mode ${option#*=}" ;; - tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;; - tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;; - reqid!=*) newoptions="$newoptions ! --reqid ${option#*=}" ;; - spi!=*) newoptions="$newoptions ! --spi ${option#*=}" ;; - proto!=*) newoptions="$newoptions ! --proto ${option#*=}" ;; - mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;; - tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;; - tunnel-dst!=*) newoptions="$newoptions ! 
--tunnel-dst ${option#*=}" ;; + reqid=*) newoptions="$newoptions --reqid $val" ;; + spi=*) newoptions="$newoptions --spi $val" ;; + proto=*) newoptions="$newoptions --proto $val" ;; + mode=*) newoptions="$newoptions --mode $val" ;; + tunnel-src=*) newoptions="$newoptions --tunnel-src $val" ;; + tunnel-dst=*) newoptions="$newoptions --tunnel-dst $val" ;; + reqid!=*) newoptions="$newoptions ! --reqid $val" ;; + spi!=*) newoptions="$newoptions ! --spi $val" ;; + proto!=*) newoptions="$newoptions ! --proto $val" ;; + mode!=*) newoptions="$newoptions ! --mode $val" ;; + tunnel-src!=*) newoptions="$newoptions ! --tunnel-src $val" ;; + tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst $val" ;; *) fatal_error "Invalid option \"$option\" for zone $zone" ;; esac done @@ -1771,8 +1822,8 @@ setup_ipsec() { strip_file ipsec $1 - while read zone ipsec options in_options out_options; do - expandv zone ipsec options in_options out_options + while read zone ipsec options in_options out_options mss; do + expandv zone ipsec options in_options out_options mss [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match" @@ -1793,7 +1844,7 @@ setup_ipsec() { do_options "" $options do_options "_in" $in_options do_options "_out" $out_options - + done < $TMP_DIR/ipsec } @@ -2242,7 +2293,7 @@ setup_ecn() # $1 = file name # process_tc_rule() { - chain=$MARKING_CHAIN + chain=$MARKING_CHAIN target="MARK --set-mark" marktest= verify_designator() { [ "$chain" = tcout ] && \ 
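Review bot: The read loop in setup_ipsec gains a sixth field, `mss`, that is expanded but never used — the MSS value is taken from the `mss=` entry in the OPTIONS columns by do_options, and the ipsec file header changed in this patch defines no sixth column — so it only swallows trailing text silently; drop it or wire it to set_mss. In do_options the arm `mss=[0-9]*)` also accepts values such as `mss=1400x`, which iptables rejects later with no reference to the zone; a stricter arm, `mss=*) case $val in ''|*[!0-9]*) fatal_error "Invalid MSS \"$val\" for zone $zone" ;; esac; set_mss $val $1 ;;`, reports it in the file's usual style. The body of setup_ipsec begins and ends outside this hunk.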
@@ -2292,11 +2343,20 @@ process_tc_rule() esac fi + [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " + [ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) " - [ "x$proto" = "x-" ] && proto=all - [ "x$proto" = "x" ] && proto=all - [ "$proto" = "all" ] || r="${r}-p $proto " - [ "x$port" = "x-" ] || r="${r}--dport $port " + + if [ "x$proto" = xipp2p ]; then + [ "x$port" = "x-" ] && port="ipp2p" + r="${r}-p tcp -m ipp2p --${port} " + else + [ "x$proto" = "x-" ] && proto=all + [ "x$proto" = "x" ] && proto=all + [ "$proto" = "all" ] || r="${r}-p $proto " + [ "x$port" = "x-" ] || r="${r}--dport $port " + fi + [ "x$sport" = "x-" ] || r="${r}--sport $sport " case $chain in @@ -2304,7 +2364,7 @@ process_tc_rule() run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark ;; *) - run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark + run_iptables2 -t mangle -A $chain $r -j $target $mark ;; esac 
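Review bot: In the ipp2p branch the PORT(S) column is spliced into an option name verbatim (`-m ipp2p --${port}`), so a numeric port or a typo there survives `shorewall check` and only fails inside iptables with a message that does not identify the tcrules entry. A check such as `case $port in *[!a-z0-9-]*) fatal_error "Invalid ipp2p option \"$port\" in rule \"$rule\"" ;; esac` before `r` is extended would report it at check time, using the `$rule` string that setup_tc1 sets before calling process_tc_rule. The same construction appears in the accounting and rules hunks of this patch (process_accounting_rule and add_a_rule). The helper that builds `r` starts outside this hunk.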
@@ -2315,16 +2375,71 @@ process_tc_rule() p|P) verify_designator tcpre ;; + cp|CP) + verify_designator tcpre + target="CONNMARK --set-mark" + ;; f|F) verify_designator tcfor ;; + cf|CF) + verify_designator tcfor + target="CONNMARK --set-mark" + ;; + c|C) + target="CONNMARK --set-mark" + mark=${mark%:*} + ;; *) chain=tcpost ;; esac - fi + case $mark in + SAVE) + target="CONNMARK --save-mark" + mark= + ;; + SAVE/*) + target="CONNMARK --save-mark --mask" + mark=${mark#*/} + ;; + RESTORE) + target="CONNMARK --restore-mark" + mark= + ;; + RESTORE/*) + target="CONNMARK --restore-mark --mask" + mark=${mark#*/} + ;; + CONTINUE) + target=RETURN + mark= + ;; + esac + + case $testval in + -) + ;; + !*:C) + marktest="connmark ! " + testval=${testval%:*} + testval=${testval#!} + ;; + *:C) + marktest="connmark " + testval=${testval%:*} + ;; + !*) + marktest="mark ! " + testval=${testval#!} + ;; + *) + [ -n "$testval" ] && marktest="mark " + ;; + esac + for source in $(separate_list ${sources:=-}); do for dest in $(separate_list ${dests:=-}); do for port in $(separate_list ${ports:=-}); do @@ -2355,9 +2470,9 @@ setup_tc1() { # strip_file tcrules - while read mark sources dests proto ports sports user; do - expandv mark sources dests proto ports sports user - rule=$(echo "$mark $sources $dests $proto $ports $sports $user") + while read mark sources dests proto ports sports user testval; do + expandv mark sources dests proto ports sports user testval + rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval") process_tc_rule done < $TMP_DIR/tcrules # @@ -2506,6 +2621,10 @@ process_accounting_rule() { [ -n "$proto" ] && case $proto in -|any|all) ;; + ipp2p) + rule="$rule -p tcp -m ipp2p --${port:-ipp2p}" + port= + ;; *) rule="$rule -p $proto" ;; @@ -2631,6 +2750,7 @@ check_config() { echo "Determining Zones..." determine_zones + check_dupliate_zones [ -z "$zones" ] && startup_error "ERROR: No Zones Defined" 
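Review bot: This hunk removes the `fi` that closed the chain-designator `case` in process_tc_rule, but no hunk in this patch removes a matching `if`; if that `if` still opens above the hunk, the function no longer parses and the whole script fails to load, so it should at least be run through `sh -n` before release. If the `if` was meant to go as well, the hunk that removes it is missing from the commit. process_tc_rule starts and ends outside this hunk.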
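Review bot: check_config calls `check_dupliate_zones` (missing the "c"), while the function added at line 765 and the call added in initialize_netfilter are spelled `check_duplicate_zones`; as written, `shorewall check` aborts with a command-not-found error immediately after determine_zones. Change the line to `check_duplicate_zones`.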
@@ -2859,7 +2979,7 @@ add_an_action() for serv1 in $(separate_list $serv); do for srv in $(firewall_ip_range $serv1); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports) fi @@ -2869,7 +2989,7 @@ add_an_action() done else if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dest_interface $dports) fi @@ -3379,8 +3499,8 @@ process_actions3() { ;; *) if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast - log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -m pkttype --pkt-type multicast + log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast + log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast fi ;; esac @@ -3394,7 +3514,7 @@ process_actions3() { ;; *) [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -d $address + log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -A -d $address ;; esac @@ -3411,8 +3531,8 @@ process_actions3() { ;; *) if [ -n "$xlevel" ]; then - log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast - log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast + log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type broadcast + log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -m pkttype --pkt-type multicast fi ;; esac 
@@ -3426,7 +3546,7 @@ process_actions3() { ;; *) [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address + log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -A -d $address ;; esac @@ -3440,28 +3560,28 @@ process_actions3() { if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn + log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -A -p tcp ! --syn run_iptables -A $xchain -p tcp ! --syn -j DROP fi ;; dropNotSyn) if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! --syn + log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -p tcp ! --syn run_iptables -A $xchain -p tcp ! --syn -j DROP fi ;; rejNotSyn) if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! --syn + log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -A -p tcp ! --syn run_iptables -A $xchain -p tcp ! --syn -j REJECT --reject-with tcp-reset fi ;; dropInvalid) if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -m state --state INVALID + log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID run_iptables -A $xchain -m state --state INVALID -j DROP fi ;; @@ -3612,7 +3732,7 @@ add_nat_rule() { else for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \ + log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -A -t nat \ $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports) fi 
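Review bot: In the dropInvalid arm the rewritten log line still passes `dropNotSyn` as the display chain, so log prefixes for INVALID-state drops are indistinguishable from non-SYN drops; it should read `log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID`. The mismatch predates this patch, but the line is rewritten here, which makes it the natural place to correct it.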
@@ -3643,7 +3763,7 @@ add_nat_rule() { done if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat fi addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection @@ -3651,7 +3771,7 @@ add_nat_rule() { for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then ensurenatchain $chain - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \ $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) fi @@ -3806,6 +3926,12 @@ add_a_rule() fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" proto= ;; + ipp2p) + sport="-m ipp2p --${port:-ipp2p}" + port= + proto=tcp + do_ports + ;; *) [ -n "$port" ] && \ fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" @@ -3858,7 +3984,7 @@ add_a_rule() if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi @@ -3867,7 +3993,7 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi 
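Review bot: The ipp2p arm of add_a_rule carries the match through `sport` (`sport="-m ipp2p --${port:-ipp2p}"`), which only works if do_ports and the later `$sports` expansion pass a value that already begins with `-m` through untouched; that contract is not visible in the hunk, so a comment at this line would help, e.g. `# ipp2p replaces the source-port spec; do_ports must pass a leading "-m" through unchanged`. The PORT column is also turned into an option name verbatim here, so an unexpected value is only reported by iptables at run time rather than by `shorewall check`. add_a_rule begins and ends outside this hunk.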
@@ -3883,7 +4009,7 @@ add_a_rule() done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $sports $multiport $cli $dports) fi @@ -3907,7 +4033,7 @@ add_a_rule() if [ $COMMAND != check ]; then if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \ + log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) fi @@ -4823,12 +4949,12 @@ setup_masq() source="$networks" - case $networks in + case $source in *.*.*) ;; *) networks=$(get_routed_networks $networks) - [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface $networks" + [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\"" networks="$networks" ;; esac @@ -5387,6 +5513,7 @@ initialize_netfilter () { echo "Determining Zones..." determine_zones + check_duplicate_zones [ -z "$zones" ] && startup_error "No Zones Defined" @@ -6083,6 +6210,7 @@ activate_rules() fi } + # # Add jumps to early SNAT chains # 
@@ -6112,19 +6240,20 @@ activate_rules() # Create forwarding chains for complex zones and generate jumps for IPSEC source hosts to that chain. # for zone in $zones; do - if eval test -n \$${zone}_is_complex ; then + if eval test -n \"\$${zone}_is_complex\" ; then frwd_chain=${zone}_frwd createchain $frwd_chain No if [ -n "$POLICY_MATCH" ]; then - eval source_hosts=\$${zone}_hosts + eval is_ipsec=\$${zone}_is_ipsec + + [ -n "$is_ipsec" ] && eval source_hosts=\$${zone}_hosts || eval source_hosts=\$${zone}_ipsec_hosts for host in $source_hosts; do interface=${host%%:*} networks=${host#*:} - is_ipsec_host $zone $host && \ - run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain + run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain done fi fi @@ -6138,6 +6267,8 @@ activate_rules() eval complex=\$${zone}_is_complex + [ -n "$complex" ] && frwd_chain=${zone}_frwd + if [ -n "$DYNAMIC_ZONES" ]; then echo $zone $source_hosts >> ${STATEDIR}/zones echo "$FW $zone $chain1" >> ${STATEDIR}/chains @@ -6288,6 +6419,26 @@ activate_rules() run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT done + + if [ -n "$LOGALLNEW" ]; then + for table in mangle nat filter; do + case $table in + mangle) + chains="PREROUTING INPUT FORWARD POSTROUTING" + ;; + nat) + chains="PREROUTING POSTROUTING OUTPUT" + ;; + *) + chains="INPUT FORWARD OUTPUT" + ;; + esac + + for chain in $chains; do + log_rule_limit $LOGALLNEW $chain $table $chain "" "" -I -m state --state NEW -t $table + done + done + fi } # @@ -6869,6 +7020,7 @@ do_initialize() { RETAIN_ALIASES= DELAYBLACKLISTLOAD= LOGTAGONLY= + LOGALLNEW= RESTOREBASE= TMP_DIR= diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version index a39c0b788..6e5ee9932 100644 --- a/LrpN/usr/share/shorewall/version 
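Review bot: `[ -n "$is_ipsec" ] && eval source_hosts=\$${zone}_hosts || eval source_hosts=\$${zone}_ipsec_hosts` uses an `&& ... ||` chain as an if/else; it holds only because an `eval` of a plain assignment cannot fail, and the intent (every host for an all-ipsec zone, only the ipsec hosts otherwise) is easy to misread. An explicit `if [ -n "$is_ipsec" ]; then eval source_hosts=\$${zone}_hosts; else eval source_hosts=\$${zone}_ipsec_hosts; fi` says the same thing plainly. Since the removed `is_ipsec_host` test was the previous guard, it is worth confirming that `${zone}_ipsec_hosts` is populated for every complex zone; the enclosing loop starts outside this hunk.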
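Review bot: The LOGALLNEW loop lists `PREROUTING INPUT FORWARD POSTROUTING` for the mangle table and so omits its builtin OUTPUT chain, while the shorewall.conf text added in this patch promises a logging rule as the first rule in each builtin chain; either extend the list to `chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING"` or narrow the documentation. The LOGALLNEW value is also handed straight to log_rule_limit and from there to `--log-level`; if the other log-level settings are validated at startup (not visible in this hunk), LOGALLNEW should pass through the same check so a typo in shorewall.conf fails at `shorewall check` rather than in iptables.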
+++ b/LrpN/usr/share/shorewall/version
@@ -1 +1 @@
-2.1.11
+2.2.0-Beta1