diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index e29cfde0a..5e6e7137f 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -275,33 +275,43 @@ stop_firewall() { deletechain shorewall - determine_capabilities - run_stop_exit; - if [ -n "$MANGLE_ENABLED" ]; then - run_iptables -t mangle -F - run_iptables -t mangle -X - for chain in PREROUTING INPUT FORWARD POSTROUTING; do - qt $IPTABLES -t mangle -P $chain ACCEPT - done - fi +EOF - if [ -n "$RAW_TABLE" ]; then - run_iptables -t raw -F - run_iptables -t raw -X - for chain in PREROUTING OUTPUT; do - qt $IPTABLES -t raw -P $chain ACCEPT - done - fi + if ( $capabilities{MANGLE_ENABLED} ) { + emit <<'EOF'; + run_iptables -t mangle -F + run_iptables -t mangle -X + for chain in PREROUTING INPUT FORWARD POSTROUTING; do + qt $IPTABLES -t mangle -P $chain ACCEPT + done - if [ -n "$NAT_ENABLED" ]; then +EOF + } + + if ( $capabilities{RAW_TABLE} ) { + emit <<'EOF'; + run_iptables -t raw -F + run_iptables -t raw -X + for chain in PREROUTING OUTPUT; do + qt $IPTABLES -t raw -P $chain ACCEPT + done + +EOF + } + + if ( $capabilities{NAT_ENABLED} ) { + emit <<'EOF'; delete_nat for chain in PREROUTING POSTROUTING OUTPUT; do qt $IPTABLES -t nat -P $chain ACCEPT done - fi +EOF + } + + emit <<'EOF'; if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub diff --git a/Shorewall-perl/diff-4.0-lib.base b/Shorewall-perl/diff-4.0-lib.base index d2b4b4209..f1a1cfa1c 100644 --- a/Shorewall-perl/diff-4.0-lib.base +++ b/Shorewall-perl/diff-4.0-lib.base @@ -1,15 +1,15 @@ --- ../Shorewall-common/lib.base 2007-07-02 15:50:32.000000000 -0700 -+++ prog.header 2007-07-02 16:27:59.000000000 -0700 ++++ prog.header 2007-07-02 16:50:14.000000000 -0700 
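Review bot: Whether the emitted stop path flushes the mangle, raw and nat tables is now fixed at compile time (`$capabilities{MANGLE_ENABLED}`, `$capabilities{RAW_TABLE}`, `$capabilities{NAT_ENABLED}`), whereas the removed `determine_capabilities` call probed iptables on the running host; a table that exists at run time but was absent when the script was compiled (script compiled on another host, or a kernel/iptables upgrade after compilation) keeps its rules and policies after `shorewall stop`. If compile-time detection is the intended contract, a comment beside the first `emit` would spare the next reader the same question, e.g. `# Table flushing is decided from %capabilities at compile time; the generated script no longer re-probes iptables, so recompile after a kernel or iptables change.` The hunk also drops `run_stop_exit` with no replacement visible here; if that is deliberate it deserves a line in the commit message, since it presumably ran the user's stop extension script. `stop_firewall()` begins before this hunk and continues after it.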
@@ -1,48 +1,29 @@ #!/bin/sh # -# Shorewall 4.0 -- /usr/share/shorewall/lib.base -+# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.4 ++# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.0 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net) -+# (c) 2006 - Tom Eastep (teastep@shorewall.net) ++# (c) 2006,2007 - Tom Eastep (teastep@shorewall.net) # -# Complete documentation is available at http://shorewall.net # 
@@ -291,10 +291,163 @@ # Set the Shorewall state # set_state () # $1 = state -@@ -1127,46 +920,6 @@ - +@@ -974,200 +767,6 @@ } + # +-# Determine which optional facilities are supported by iptables/netfilter +-# +-determine_capabilities() { +- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= +- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= +- +- CONNTRACK_MATCH= +- MULTIPORT= +- XMULTIPORT= +- POLICY_MATCH= +- PHYSDEV_MATCH= +- IPRANGE_MATCH= +- RECENT_MATCH= +- OWNER_MATCH= +- IPSET_MATCH= +- CONNMARK= +- XCONNMARK= +- CONNMARK_MATCH= +- XCONNMARK_MATCH= +- RAW_TABLE= +- IPP2P_MATCH= +- LENGTH_MATCH= +- CLASSIFY_TARGET= +- ENHANCED_REJECT= +- USEPKTTYPE= +- KLUDGEFREE= +- MARK= +- XMARK= +- MANGLE_FORWARD= +- COMMENTS= +- ADDRTYPE= +- TCPMSS_MATCH= +- +- qt $IPTABLES -N fooX1234 +- qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes +- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes +- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes +- qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes +- +- if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then +- PHYSDEV_MATCH=Yes +- fi +- +- if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then +- IPRANGE_MATCH=Yes +- if [ -z "${KLUDGEFREE}" ]; then +- qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes +- fi +- fi +- +- qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes +- qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes +- +- if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then +- CONNMARK_MATCH=Yes +- qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes +- fi +- +- qt 
$IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes +- qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes +- qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes +- +- qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes +- +- if [ -n "$MANGLE_ENABLED" ]; then +- qt $IPTABLES -t mangle -N fooX1234 +- +- if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then +- MARK=Yes +- qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes +- fi +- +- if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then +- CONNMARK=Yes +- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes +- fi +- +- qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes +- qt $IPTABLES -t mangle -F fooX1234 +- qt $IPTABLES -t mangle -X fooX1234 +- qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes +- fi +- +- qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes +- +- if qt mywhich ipset; then +- qt ipset -X fooX1234 # Just in case something went wrong the last time +- +- if qt ipset -N fooX1234 iphash ; then +- if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then +- qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT +- IPSET_MATCH=Yes +- fi +- qt ipset -X fooX1234 +- fi +- fi +- +- qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes +- qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes +- qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes +- +- qt $IPTABLES -F fooX1234 +- qt $IPTABLES -X fooX1234 +- +- CAPVERSION=$SHOREWALL_CAPVERSION +-} +- +-report_capabilities() { +- report_capability() # $1 = Capability Description , $2 Capability Setting (if any) +- { +- local setting= +- +- [ "x$2" = "xYes" ] && setting="Available" || 
setting="Not available" +- +- echo " " $1: $setting +- } +- +- if [ $VERBOSE -gt 1 ]; then +- echo "Shorewall has detected the following iptables/netfilter capabilities:" +- report_capability "NAT" $NAT_ENABLED +- report_capability "Packet Mangling" $MANGLE_ENABLED +- report_capability "Multi-port Match" $MULTIPORT +- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT +- report_capability "Connection Tracking Match" $CONNTRACK_MATCH +- report_capability "Packet Type Match" $USEPKTTYPE +- report_capability "Policy Match" $POLICY_MATCH +- report_capability "Physdev Match" $PHYSDEV_MATCH +- report_capability "Packet length Match" $LENGTH_MATCH +- report_capability "IP range Match" $IPRANGE_MATCH +- report_capability "Recent Match" $RECENT_MATCH +- report_capability "Owner Match" $OWNER_MATCH +- report_capability "Ipset Match" $IPSET_MATCH +- report_capability "CONNMARK Target" $CONNMARK +- [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK +- report_capability "Connmark Match" $CONNMARK_MATCH +- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH +- report_capability "Raw Table" $RAW_TABLE +- report_capability "IPP2P Match" $IPP2P_MATCH +- report_capability "CLASSIFY Target" $CLASSIFY_TARGET +- report_capability "Extended REJECT" $ENHANCED_REJECT +- report_capability "Repeat match" $KLUDGEFREE +- report_capability "MARK Target" $MARK +- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK +- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD +- report_capability "Comments" $COMMENTS +- report_capability "Address Type Match" $ADDRTYPE +- report_capability "TCPMSS Match" $TCPMSS_MATCH +- fi +- +- [ -n "$PKTTYPE" ] || USEPKTTYPE= +- +-} +- -report_capabilities1() { - report_capability1() # $1 = Capability - { 
@@ -335,10 +488,11 @@ - echo CAPVERSION=$SHOREWALL_CAPVERSION -} - - # +-# # Delete IP address # -@@ -1286,82 +1039,6 @@ + del_ip_addr() # $1 = address, $2 = interface +@@ -1286,82 +885,6 @@ cut -b -${1} } @@ -421,7 +575,7 @@ delete_tc1() { clear_one_tc() { -@@ -1496,65 +1173,3 @@ +@@ -1496,65 +1019,3 @@ echo echo } diff --git a/Shorewall-perl/prog.header b/Shorewall-perl/prog.header index 845f69ce8..0e4397bb8 100644 --- a/Shorewall-perl/prog.header +++ b/Shorewall-perl/prog.header @@ -1,10 +1,10 @@ #!/bin/sh # -# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.4 +# Generated by the Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.0 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # -# (c) 2006 - Tom Eastep (teastep@shorewall.net) +# (c) 2006,2007 - Tom Eastep (teastep@shorewall.net) # # # Options are: 
@@ -766,160 +766,6 @@ set_state () # $1 = state
 echo "$1 ($(date))" > ${VARDIR}/state
 }
 
-#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
- qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
- qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
- CONNTRACK_MATCH=
- MULTIPORT=
- XMULTIPORT=
- POLICY_MATCH=
- PHYSDEV_MATCH=
- IPRANGE_MATCH=
- RECENT_MATCH=
- OWNER_MATCH=
- IPSET_MATCH=
- CONNMARK=
- XCONNMARK=
- CONNMARK_MATCH=
- XCONNMARK_MATCH=
- RAW_TABLE=
- IPP2P_MATCH=
- LENGTH_MATCH=
- CLASSIFY_TARGET=
- ENHANCED_REJECT=
- USEPKTTYPE=
- KLUDGEFREE=
- MARK=
- XMARK=
- MANGLE_FORWARD=
- COMMENTS=
- ADDRTYPE=
- TCPMSS_MATCH=
-
- qt $IPTABLES -N fooX1234
- qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
- qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
- qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
-
- if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
- PHYSDEV_MATCH=Yes
- fi
-
- if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
- IPRANGE_MATCH=Yes
- if [ -z "${KLUDGEFREE}" ]; then
- qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
- fi
- fi
-
- qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
-
- if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
- CONNMARK_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
- fi
-
- qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
- qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-
- qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
-
- if [ -n "$MANGLE_ENABLED" ]; then
- qt $IPTABLES -t mangle -N fooX1234
-
- if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
- MARK=Yes
- qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
- fi
-
- if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
- CONNMARK=Yes
- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
- fi
-
- qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
- qt $IPTABLES -t mangle -F fooX1234
- qt $IPTABLES -t mangle -X fooX1234
- qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
- fi
-
- qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
-
- if qt mywhich ipset; then
- qt ipset -X fooX1234 # Just in case something went wrong the last time
-
- if qt ipset -N fooX1234 iphash ; then
- if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
- qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
- IPSET_MATCH=Yes
- fi
- qt ipset -X fooX1234
- fi
- fi
-
- qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
- qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
- qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-
- qt $IPTABLES -F fooX1234
- qt $IPTABLES -X fooX1234
-
- CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
-report_capabilities() {
- report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
- {
- local setting=
-
- [ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
- echo " " $1: $setting
- }
-
- if [ $VERBOSE -gt 1 ]; then
- echo "Shorewall has detected the following iptables/netfilter capabilities:"
- report_capability "NAT" $NAT_ENABLED
- report_capability "Packet Mangling" $MANGLE_ENABLED
- report_capability "Multi-port Match" $MULTIPORT
- [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
- report_capability "Connection Tracking Match" $CONNTRACK_MATCH
- report_capability "Packet Type Match" $USEPKTTYPE
- report_capability "Policy Match" $POLICY_MATCH
- report_capability "Physdev Match" $PHYSDEV_MATCH
- report_capability "Packet length Match" $LENGTH_MATCH
- report_capability "IP range Match" $IPRANGE_MATCH
- report_capability "Recent Match" $RECENT_MATCH
- report_capability "Owner Match" $OWNER_MATCH
- report_capability "Ipset Match" $IPSET_MATCH
- report_capability "CONNMARK Target" $CONNMARK
- [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
- report_capability "Connmark Match" $CONNMARK_MATCH
- [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
- report_capability "Raw Table" $RAW_TABLE
- report_capability "IPP2P Match" $IPP2P_MATCH
- report_capability "CLASSIFY Target" $CLASSIFY_TARGET
- report_capability "Extended REJECT" $ENHANCED_REJECT
- report_capability "Repeat match" $KLUDGEFREE
- report_capability "MARK Target" $MARK
- [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
- report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
- report_capability "Comments" $COMMENTS
- report_capability "Address Type Match" $ADDRTYPE
- report_capability "TCPMSS Match" $TCPMSS_MATCH
- fi
-
- [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
-}
-
 #
 # Delete IP address
 #