From 6cabdfae5d9ba7c7705b8e6e2752726c11035b23 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 19 Feb 2003 23:52:03 +0000 Subject: [PATCH] More 1.3.14 Changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@456 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 11 ++++- Shorewall/firewall | 88 +++++++++++++++++++------------------- Shorewall/hosts | 51 ++++++---------------- Shorewall/interfaces | 3 -- Shorewall/releasenotes.txt | 27 ++++++++++-- Shorewall/routestopped | 2 +- Shorewall/rules | 23 ++++++---- Shorewall/shorewall.conf | 11 ----- 8 files changed, 106 insertions(+), 110 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index a5ba3df89..b538bc30a 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -31,4 +31,13 @@ Changes since 1.3.14 13. Update Documentation for 1.4 -13. Remove icmp.def file. +14. Remove icmp.def file. + +15. Added CONTINUE rule target. + +16. Added Andrew Zhoglo's fix for logunclean. + +17. Removed 'multi' option. + +18. Support 802.11b devices with maclist. + diff --git a/Shorewall/firewall b/Shorewall/firewall index c4c77e3de..68030f85e 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -310,7 +310,7 @@ havenatchain() # $1 = name of chain } # -# Ensure that a chain exists (create it if it doesn't) +# Ensure that a nat chain exists (create it if it doesn't) # ensurenatchain() # $1 = chain name { @@ -493,7 +493,7 @@ determine_interfaces() { for zone in $zones; do interfaces=`find_interfaces $zone` interfaces=`echo $interfaces` # Remove extra trash - eval ${zone}_interfaces="\$interfaces" + eval ${zone}_interfaces=\"\$interfaces\" done } @@ -585,7 +585,7 @@ validate_interfaces_file() { for option in $options; do case $option in - dhcp|norfc1918|multi|tcpflags) + dhcp|norfc1918|tcpflags) ;; routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) ;; 
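Review bot: Dropping `multi` from the accepted-option pattern in validate_interfaces_file means an existing interfaces entry that still carries that option now falls through to the remaining branches, which lie outside the hunk and presumably reject it at startup. Since the release notes only say the option is no longer supported, an explicit arm that ignores it with a warning would keep 1.3 configurations loadable, e.g. `multi) echo "   Warning: the 'multi' interface option is no longer supported and has been ignored" >&2 ;;` placed before the `routefilter|...` arm, using whatever form the script already uses for warnings. validate_interfaces_file's body continues outside the hunk.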
@@ -728,10 +728,6 @@ validate_rule() { [ -n "$port" ] && dports="--icmp-type $port" state="" ;; - related|RELATED) - proto= - state="-m state --state RELATED" - ;; *) state= [ -n "$port" ] && [ "x${port}" != "x-" ] && \ @@ -754,6 +750,12 @@ validate_rule() { startup_error "Server port may not be specified in an ACCEPT rule;"\ "rule: \"$rule\"" ;; + CONTINUE) + target=RETURN + [ -n "$servport" ] && \ + startup_error "Server port may not be specified in a CONTINUE rule;"\ + "rule: \"$rule\"" + ;; LOG) [ -n "$servport" ] && \ startup_error "Server port may not be specified in an LOG rule;"\ @@ -956,7 +958,7 @@ validate_rules() # $1 = name of rules file expandv clients servers protocol ports cports address case "$target" in - ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*) + ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*|LOG*|CONTINUE*) rule="`echo $target $clients $servers $protocol $ports $cports $address`" validate_rule ;; @@ -1261,8 +1263,10 @@ stop_firewall() { while read interface host; do expandv interface host - [ "x$host" = "x-" ] && host= - hosts="$hosts $interface:${host:-0.0.0.0/0}" + [ "x$host" = "x-" ] && host=0.0.0.0/0 + for h in `separate_list $host`; do + hosts="$hosts $interface:$h" + done done < $TMP_DIR/routestopped for host in $hosts; do @@ -1553,10 +1557,10 @@ setup_mac_lists() { # for interface in $maclist_interfaces; do case $interface in - eth*) + eth*|wlan*) ;; *) - fatal_error "MAC verification is only supported on ethernet devices: $interface" + fatal_error "MAC verification is only supported on ethernet and 802.11b devices: $interface" ;; esac @@ -2156,10 +2160,6 @@ add_a_rule() fatal_error "Port number not allowed with \"all\"; rule: \"$rule\"" proto= ;; - related|RELATED) - proto= - state="-m state --state RELATED" - ;; *) state= [ -n "$port" ] && [ "x${port}" != "x-" ] && \ 
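Review bot: The new `CONTINUE) target=RETURN` arm carries no explanation, and that mapping is the one non-obvious fact in the hunk: the rules template describes CONTINUE as ending rule processing for the zone pair so that zones defined later can still see the packet, which is what a RETURN from the zone chain achieves. A comment such as `# CONTINUE: leave this zone pair's chain; later zones' rules and the policy still see the packet` would save the next reader a trip to the template. The companion process_rules change strips a `:level` suffix before its case, so a `CONTINUE:info` target reaches validate_rule; whether `$target` has had that suffix removed before this case is decided outside the hunk and is worth confirming. validate_rule's body continues outside the hunk.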
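Review bot: An empty HOST(S) column in routestopped no longer defaults to 0.0.0.0/0: the old `${host:-0.0.0.0/0}` covered both an empty value and `-`, but the new line only rewrites `-`, so an entry with the column omitted passes an empty string to `separate_list` and, assuming that yields no words, adds nothing to `hosts` for that interface. The routestopped template still promises that an empty column means 0.0.0.0/0, so the guard in stop_firewall should read `[ -z "$host" -o "x$host" = "x-" ] && host=0.0.0.0/0`. stop_firewall's body continues outside the hunk.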
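Review bot: The setup_mac_lists check on `$interface` is a name-prefix match, so `wlan*` admits any interface named that way whatever its link type, and the fatal_error text should describe the check actually made rather than a radio standard. `fatal_error "MAC verification is only supported on ethernet (eth*) and wireless (wlan*) devices: $interface"` keeps the message and the pattern in step. setup_mac_lists's body continues outside the hunk.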
@@ -2443,9 +2443,9 @@ process_rules() # $1 = name of rules file } while read xtarget xclients xservers xprotocol xports xcports xaddress; do - case "$xtarget" in + case "${xtarget%:*}" in - ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*|LOG|LOG:*) + ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|LOG|CONTINUE) expandv xclients xservers xprotocol xports xcports xaddress if [ "x$xclients" = xall ]; then @@ -3049,19 +3049,6 @@ setup_masq() done < $TMP_DIR/masq } -# -# Setup Intrazone chain if appropriate -# -setup_intrazone() # $1 = zone -{ - eval hosts=\$${1}_hosts - - if [ "$hosts" != "${hosts% *}" ] || \ - have_interfaces_in_zone_with_option $1 multi - then - ensurechain ${1}2${1} - fi -} # # Add a record to the blacklst chain # @@ -3498,10 +3485,10 @@ add_common_rules() { if [ -n "$LOGUNCLEAN" ]; then if [ "$LOGUNCLEAN" = ULOG ]; then - logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:badpkt:DROP:" + logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:badpkt:DROP:" logoptions="$logoptions --log-ip-options" else - logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:badpkt:DROP:" + logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:badpkt:DROP:" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" fi @@ -3530,10 +3517,10 @@ add_common_rules() { [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info if [ "$LOGUNCLEAN" = ULOG ]; then - logoptions="-j ULOG $LOGPARAMS --ulog-prefix Shorewall:logpkt:LOG:" + logoptions="-j ULOG $LOGPARMS --ulog-prefix Shorewall:logpkt:LOG:" logoptions="$logoptions --log-ip-options" else - logoptions="-j LOG $LOGPARAMS --log-prefix Shorewall:logpkt:LOG:" + logoptions="-j LOG $LOGPARMS --log-prefix Shorewall:logpkt:LOG:" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" fi 
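Review bot: The rewritten process_rules pattern lists `DNAT` twice (`ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|LOG|CONTINUE)`), which is harmless but reads like a leftover from the old `DNAT|DNAT:*` pair; `ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|LOG|CONTINUE)` says the same thing. Switching the case subject to `${xtarget%:*}` also admits a `CONTINUE:level` spelling here; whether CONTINUE is meant to take a log level is not visible in this patch, and the rules template's new CONTINUE paragraph should state it either way. process_rules's body continues outside the hunk.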
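Review bot: The context line directly above the second edited logoptions block in add_common_rules reads `[ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info` (as rendered here) with no space after `-z`, which makes it a one-argument test on the string `-z...`; such a test is true whenever the string is non-empty, so LOGUNCLEAN is always forced to `info` and the ULOG branch this hunk corrects cannot be reached in that block. The commit fixes the LOGPARMS spelling but leaves this; it should be `[ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info`. add_common_rules's body continues outside the hunk.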
@@ -3776,11 +3763,11 @@ apply_policy_rules() { fi done + # # Add policy rules to canonical chains # for zone in $FW $zones; do - setup_intrazone $zone for zone1 in $FW $zones; do chain=${zone}2${zone1} if havechain $chain; then @@ -3845,8 +3832,6 @@ activate_rules() addnatjump POSTROUTING `output_chain $interface` -o $interface done - multi_interfaces=`find_interfaces_by_option multi` - > ${STATEDIR}/chains > ${STATEDIR}/zones @@ -3896,14 +3881,14 @@ activate_rules() chain1=`forward_chain $interface` if [ -n "$have_canonical" ]; then - multi=yes + bounce=yes else case $interface in *+*) - multi=yes + bounce=yes ;; *) - list_search $interface $multi_interfaces && multi=yes || multi= + bounce= ;; esac fi @@ -3912,9 +3897,8 @@ activate_rules() interface1=${host1%:*} subnet1=${host1#*:} - if [ $interface != $interface1 -o -n "$multi" ]; then - run_iptables -A $chain1 -s $subnet \ - -o $interface1 -d $subnet1 -j $chain + if [ $interface != $interface1 -o -n "$bounce" ]; then + run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain fi done done @@ -4053,6 +4037,8 @@ check_config() { validate_hosts_file + validate_bounce_file + echo "Determining Hosts in Zones..." determine_interfaces @@ -4204,7 +4190,19 @@ add_to_zone() # $1 = [:] $2 = zone # # If the zone passed in the command has a dnat chain then insert a rule in # the nat table PREROUTING chain to jump to that chain when the source - # matches the new host(s) + # matches the new host(s)# +# Setup Intrazone chain if appropriate +# +setup_intrazone() # $1 = zone +{ + eval hosts=\$${1}_hosts + + if have_interfaces_in_zone_with_option $1 multi; then + ensurechain ${1}2${1} + fi +} + + # chain=${zone}_dnat diff --git a/Shorewall/hosts b/Shorewall/hosts index cad5e062e..454bdd571 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts 
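Review bot: `validate_bounce_file` is called from check_config, but no definition of it appears anywhere in this patch, and the bounce template is only introduced by overwriting the hosts template; unless the function already exists in the script, `shorewall check` will fail with a command-not-found at this line. If the bounce feature is not ready, the call should be held back until the function and its template land together. check_config's body continues outside the hunk.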
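Review bot: The `setup_intrazone` definition, the function this patch deletes from its original place a few hunks earlier, is pasted into the middle of add_to_zone's body: the comment line becomes `# matches the new host(s)#` and a nested function definition now sits between that comment and `chain=${zone}_dnat`. Nothing in the patch calls setup_intrazone any more (apply_policy_rules drops the call) and its body still tests the removed `multi` option, so this looks like an editing accident; the inserted block should be removed and the comment line restored to `# matches the new host(s)`. add_to_zone's body continues outside the hunk.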
@@ -1,45 +1,22 @@
 #
-# Shorewall 1.4 - /etc/shorewall/hosts
+# Shorewall 1.4 - /etc/shorewall/bounce
 #
-# WARNING: 90% of Shorewall users don't need to add entries to this
-# file and 80% of those who try to add such entries get it
-# wrong. Unless you are ABSOLUTELY SURE that you need entries
-# in this file, don't touch it!
+# Normally, Shorewall assumes that the firewall/gateway will not be
+# routing requests back out the same interface that they came in on.
+# If you have such requirements, they should be defined here.
 #
-# This file is used to define zones in terms of subnets and/or
-# individual IP addresses. Most simple setups don't need to
-# (should not) place anything in this file. Note that if you
-# assign one or more interfaces to a zone in /etc/shorewall/interfaces,
-# the hosts/networks that you define for the zone in the file will be
-# IN ADDITION to those interfaces.
+# Columns are:
 #
-# ZONE - The name of a zone defined in /etc/shorewall/zones
+# INTERFACE The name of an interfaces defined
+# in /etc/shorewall/interfaces
 #
-# HOST(S) - The name of an interface followed by a colon (":") and
-# either:
+# SOURCE The name of a zone followed by a
+# colon (":") and the address of a
+# host or subnet.
 #
-# a) The IP address of a host
-# b) A subnetwork in CIDR format
-# (/)
-#
-# The interface must be defined in the
-# /etc/shorewall/interfaces file.
+# DESTINATION The name of a zone followed by a
+# colon and the address of a host
+# or subnet.
 #
-# Examples:
-#
-# eth1:192.168.1.3
-# eth2:192.168.2.0/24
-#
-# OPTIONS - A comma-separated list of options. Currently-defined
-# options are:
-#
-# maclist - Connection requests from these hosts
-# are compared against the contents of
-# /etc/shorewall/maclist. If this option
-# is specified, the interface must be
-# an ethernet NIC and must be up before
-# Shorewall is started.
-#
-#
-#ZONE HOST(S) OPTIONS
+#INTERFACE SOURCE DESTINATION
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
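Review bot: The header of this template now names `/etc/shorewall/bounce` and documents INTERFACE/SOURCE/DESTINATION columns, yet the file is still Shorewall/hosts, and check_config still calls validate_hosts_file for it while the maclist option description removed here has no replacement. This looks like the bounce template having been saved over the hosts template; the hosts text (including the maclist option) should be restored and the new text placed in a separate Shorewall/bounce file, with the diffstat confirming that no such file is added by this commit.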
diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 3529fcfbb..9bbbfa296 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -54,9 +54,6 @@ # enabled in shorewall.conf, packets # whose destination addresses are # reserved by RFC 1918 are also rejected. -# multi - This interface has multiple IP -# addresses and you want to be able to -# route between them. # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). This # option can also be enabled globally in diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e6728c89b..02111a2e3 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,6 +1,6 @@ This is a major release of Shorewall. -Function from 1.3 that has been omitted from this version include: +Function from 1.3 that has been omitted from this version includes: 1) The MERGE_HOSTS variable in shorewall.conf is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with @@ -25,6 +25,20 @@ Function from 1.3 that has been omitted from this version include: supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes. +7. The 'multi' interface option is no longer supported. Shorewall will + generate rules for sending packets back out the same interface + that they arrived on in two cases: + + a) There is an _explicit_ policy for the source zone to the + destination zone. An explicit policy names both zones and does not + use the 'all' reserved word. + + b) There are one or more rules for traffic for the source zone to + or from the destination zone including rules that use the 'all' + reserved word. Exception: If the source and the destination are + the same zone then the rule must be explicit - it must name the zone + in both the SOURCE and DESTINATION columns. + Changes for 1.4 include: 1. shorewall.conf has been completely reorganized into logical 
@@ -38,9 +52,16 @@ Changes for 1.4 include: 4. Late arriving DNS replies are now silently dropped in the common chain by default. -5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 2.0 no +5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no longer unconditionally accepts outbound ICMP packets. So if you want to 'ping' from the firewall, you will need the appropriate rule or - policy. + policy. + +6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules). + +7. 802.11b devices with names of the form wlan now support the + 'maclist' option. + + diff --git a/Shorewall/routestopped b/Shorewall/routestopped index 396a25565..0d40dd2fd 100644 --- a/Shorewall/routestopped +++ b/Shorewall/routestopped @@ -12,7 +12,7 @@ # INTERFACE - Interface through which host(s) communicate with # the firewall # HOST(S) - (Optional) Comma-separated list of IP/subnet -# addresses. If left empty or supplied as "-", +# If left empty or supplied as "-", # 0.0.0.0/0 is assumed. # # Example: diff --git a/Shorewall/rules b/Shorewall/rules index 4f7936228..a53055489 100755 --- a/Shorewall/rules +++ b/Shorewall/rules 
@@ -30,18 +30,25 @@ # the companion ACCEPT rule. # REDIRECT -- Redirect the request to a local # port on the firewall. +# CONTINUE -- (For experts only). Do not process +# any of the following rules for this +# (source zone,destination zone). If +# The source and/or destination IP +# address falls into a zone defined +# later in /etc/shorewall/zones, this +# connection request will be passed +# to the rules defined for that +# (those) zone(s). # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # -# Beginning with Shorewall version 1.3.12, you may -# also specify ULOG (must be in upper case) as a log level.\ -# This will log to the ULOG target and sent to a separate log -# through use of ulogd +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd # (http://www.gnumonks.org/projects/ulogd). # -# # SOURCE Source hosts to which the rule applies. May be a zone # defined in /etc/shorewall/zones, $FW to indicate the # firewall itself, or "all" If the ACTION is DNAT or @@ -106,10 +113,8 @@ # contain the port number on the firewall that the # request should be redirected to. # -# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, -# "all" or "related". If "related", the remainder of the -# entry must be omitted and connection requests that are -# related to existing requests will be accepted. +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or +# "all". # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 625b42322..af413a36a 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf 
@@ -212,17 +212,6 @@ MODULESDIR= # FW=fw -# ALLOW RELATED CONNECTIONS -# -# Set this to "yes" or "Yes" if you want to accept all connection requests -# that are related to already established connections. For example, you want -# to accept FTP data connections. If you say "no" here, then to accept -# these connections between particular zones or hosts, you must include -# explicit "related" rules in /etc/shorewall/rules. -# - -ALLOWRELATED=yes - # # ENABLE NAT SUPPORT #