Changes for 1.3.5

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@152 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp/etc/init.d/shorewall

@@ -435,7 +435,7 @@ determine_hosts() {
 	done
     }
 
-    recalculate_hosts()
+    recalculate_interfaces()
     {
 	interfaces=
 	
@@ -457,12 +457,18 @@ determine_hosts() {
 	hosts=`find_hosts $zone`
 	hosts=`echo $hosts` # Remove extra trash
 
-	if [ -n "$hosts" ]; then
+	if [ -n "MERGE_HOSTS" ]; then
+	    ####################################################################
+	    # Zone will be the union of its host and interface definitions
+	    #
+	    do_a_zone
+	    recalculate_interfaces
+	elif [ -n "$hosts" ]; then
 	    ####################################################################
 	    # Zone is defined in terms of hosts -- derive the interface list
 	    # from the host list
 	    #
-	    recalculate_hosts
+	    recalculate_interfacess
 	else
 	    ####################################################################
 	    # If no hosts are defined for a zone then the zone consists of any
@@ -658,6 +664,14 @@ validate_rule() {
 	case "$logtarget" in
 	REJECT)
 	    target=reject
+	    [ -n "$servport" ] && \
+		startup_error "Error: server port may not be specified in a REJECT rule;"\
+                              "rule: \"$rule\""
+	    ;;
+	ACCEPT)
+	    [ -n "$servport" ] && \
+		startup_error "Error: server port may not be specified in an ACCEPT rule;"\
+                              "rule: \"$rule\""
 	    ;;
 	REDIRECT)
 	    [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
@@ -747,6 +761,8 @@ validate_rule() {
     else
 	clientzone="${clients%:*}"
 	clients="${clients#*:}"
+	[ -z "$clientzone" -o -z "$clients" ] && \
+	   startup_error "Error: Empty source zone or qualifier: rule \"$rule\""
     fi
     
     if [ "$clientzone" = "${clientzone%\!*}" ]; then
@@ -782,8 +798,12 @@ validate_rule() {
 	if [ "$servers" != "${servers%:*}" ] ; then
 	    serverport="${servers#*:}"
 	    servers="${servers%:*}"
+	    [ -z "$serverzone" -o -z "$serverport" ] && \
+	        startup_error "Error: Empty destination zone or server port: rule \"$rule\""
 	else
 	    serverport=
+	    [ -z "$serverzone" -o -z "$servers" ] && \
+	        startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
 	fi
     fi
     ############################################################################
@@ -1297,31 +1317,8 @@ setup_nat() {
 	fi
 
 	if [ -n "$ADD_IP_ALIASES" ]; then
-	    #
-	    # Folks feel uneasy if they don't see all of the same
-	    # decoration on these IP addresses that they see when their
-	    # distro's net config tool adds them. In an attempt to reduce
-	    # the anxiety level, we have the following code which sets
-	    # the VLSM and BRD from the primary address
-	    #
-	    # Get all of the lines that contain inet addresses with broadcast
-	    #
-	    val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
-
-	    if [ -n "$val" ] ; then
-		#
-		# Hack off the leading 'inet <ip addr>' (actually cut off the
-		# "/" as well but add it back in).
-		#
-		val="/${val#*/}"
-		#
-		# Now get the VLSM, "brd" and the broadcast address
-		#
-		val=${val%% scope*}
-	    fi
-
-	    run_ip addr add ${external}${val} dev $interface
-	    echo "$external $interface" >> ${STATEDIR}/nat
+	    list_search $external $aliases_to_add || \
+		aliases_to_add="$aliases_to_add $external $interface"
 	fi
 
 	echo "   Host $internal NAT $external on $interface"
@@ -1678,10 +1675,16 @@ add_a_rule()
     case "$logtarget" in
 	REJECT)
 	    target=reject
+	    [ -n "$servport" ] && \
+		fatal_error "Error: server port may not be specified in a REJECT rule;"\
+                            "rule: \"$rule\""
 	    ;;
 	REDIRECT)
 	    [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
 		" specify a server IP; rule: \"$rule\""
+	    [ -n "$servport" ] && \
+		startup_error "Error: server port may not be specified in an ACCEPT rule;" \
+		              "rule: \"$rule\""
 	    servport=${servport:=$port}
 	    ;;
 	DNAT)
@@ -1790,6 +1793,8 @@ process_rule() {
     else
 	clientzone="${clients%:*}"
 	clients="${clients#*:}"
+	[ -z "$clientzone" -o -z "$clients" ] && \
+	   fatal_error "Error: Empty source zone or qualifier: rule \"$rule\""
     fi
     
     if [ "$clientzone" = "${clientzone%\!*}" ]; then
@@ -1822,8 +1827,12 @@ process_rule() {
 	if [ "$servers" != "${servers%:*}" ] ; then
 	    serverport="${servers#*:}"
 	    servers="${servers%:*}"
+	    [ -z "$serverzone" -o -z "$serverport" ] && \
+	        fatal_error "Error: Empty destination zone or server port: rule \"$rule\""
 	else
 	    serverport=
+	    [ -z "$serverzone" -o -z "$servers" ] && \
+	        startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
 	fi
     fi
 
@@ -2403,16 +2412,8 @@ setup_masq()
 	esac
 
 	if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
-	    qt ip addr del $address dev $interface
-
-	    val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
-	    if [ -n "$val" ] ; then
-		val="/${val#*/}"
-		val=${val%% scope*}
-	    fi
-	    run_ip addr add ${address}${val} dev $interface
-
-	    echo "$address $interface" >> ${STATEDIR}/nat
+	    list_search $address $aliases_to_add || \
+		aliases_to_add="$aliases_to_add $external $address"
 	fi
 
 	destination=$destnet
@@ -2574,6 +2575,49 @@ verify_os_version() {
     esac
 }
 
+################################################################################
+# Add IP Aliases                                                               #
+################################################################################
+add_ip_aliases() # $* = addresses and devices
+{
+    do_one() 
+    {
+	#
+	# Folks feel uneasy if they don't see all of the same
+	# decoration on these IP addresses that they see when their
+	# distro's net config tool adds them. In an attempt to reduce
+	# the anxiety level, we have the following code which sets
+	# the VLSM and BRD from the primary address
+	#
+	# Get all of the lines that contain inet addresses with broadcast
+	#
+	val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
+
+	if [ -n "$val" ] ; then
+	    #
+	    # Hack off the leading 'inet <ip addr>' (actually cut off the
+	    # "/" as well but add it back in).
+	    #
+	    val="/${val#*/}"
+	    #
+	    # Now get the VLSM, "brd" and the broadcast address
+	    #
+	    val=${val%% scope*}
+	fi
+
+	run_ip addr add ${external}${val} dev $interface
+	echo "$external $interface" >> ${STATEDIR}/nat
+	echo "   IP Address $external added to interface $interface"
+    }
+
+    while [ $# -gt 0 ]; do
+	external=$1
+	interface=$2
+	shift;shift
+	do_one
+    done
+}
+
 ################################################################################
 # Load kernel modules required for Shorewall				       #
 ################################################################################
@@ -3143,10 +3187,16 @@ define_firewall() # $1 = Command (Start or Restart)
 
     activate_rules
 
+    [ -n "$aliases_to_add" ] && \
+	echo "Adding IP Addresses..." && \
+	add_ip_aliases $aliases_to_add
+
     run_user_exit start
 
     createchain shorewall no
 
+    date > /var/lib/shorewall/restarted
+
     report "Shorewall ${1}ed"
 
     rm -rf $TMP_DIR
@@ -3322,10 +3372,13 @@ do_initialize() {
     NAT_BEFORE_RULES=
     MULTIPORT=
     DETECT_DNAT_IPADDRS=
+    MERGE_HOSTS=
+    MUTEX_TIMEOUT=
     stopping=
     have_mutex=
     masq_seq=1
     nonat_seq=1
+    aliases_to_add=
 
     TMP_DIR=/tmp/shorewall-$$
     rm -rf $TMP_DIR
@@ -3396,6 +3449,7 @@ do_initialize() {
     NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
     MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
     DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
+    MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
 }
 
 ################################################################################
@@ -3469,6 +3523,7 @@ case "$command" in
     reset)
 	iptables -L -n -Z -v
 	report "Shorewall Counters Reset"
+	date > /var/lib/shorewall/restarted
 	;;
 
     refresh)

Lrp/etc/shorewall/rules

@@ -71,14 +71,15 @@
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
-#			destination port.
+#			destination port. A destination port may only be
+#			included if the ACTION is DNAT or REDIRECT.
 #
 #			Example: loc:192.168.1.3:3128 specifies a local
 #			server at IP address 192.168.1.3 and listening on port
 #			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
-#			if the RESULT is REDIRECT, this column needs only to
+#			if the ACTION is REDIRECT, this column needs only to
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
@@ -92,6 +93,8 @@
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
+#			A port range is expressed as <low port>:<high port>.
+#			
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain

Lrp/etc/shorewall/shorewall.conf

@@ -228,8 +228,6 @@ NAT_BEFORE_RULES=Yes
 
 MULTIPORT=No
 
-MULTIPORT=No
-
 # DNAT IP Address Detection
 #
 # Normally when Shorewall encounters the following rule:
@@ -261,4 +259,51 @@ MULTIPORT=No
 
 DETECT_DNAT_IPADDRS=No
 
+# Merge Hosts File
+#
+# The traditional behavior of the /etc/shorewall/hosts file has been that
+# if that file has ANY entry for a zone then the zone must be defined 
+# entirely in the hosts file. This is counter-intuitive and has caused 
+# people some problems.
+#
+# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
+# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
+# are added to the contents described in the /etc/shorewall/interfaces file.
+#
+# Example: Suppose that we have the following interfaces and hosts files:
+#
+# Interfaces:
+#
+#	net	eth0
+#	loc	eth1	
+#	-	ppp+
+#
+# Hosts:
+#
+#	loc	ppp+:192.168.1.0/24
+#	wrk	ppp+:!192.168.1.0/24
+#
+# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
+# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
+# ppp+:192.168.1.0 and eth1:0.0.0.0/0
+#
+# If this variable is not set or is set to the empty value, "No" is assumed.
+
+MERGE_HOSTS=Yes
+
+#
+# Mutex Timeout
+#
+# The value of this variable determines the number of seconds that programs
+# will wait for exclusive access to the Shorewall lock file. After the number
+# of seconds corresponding to the value of this variable, programs will assume
+# that the last program to hold the lock died without releasing the lock.
+#
+# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
+#
+# An appropriate value for this parameter would be twice the length of time
+# that it takes your firewall system to process a "shorewall restart" command.
+
+MUTEX_TIMEOUT=60
+
 #LAST LINE -- DO NOT REMOVE

Lrp/sbin/shorewall

@@ -432,6 +432,14 @@ usage() # $1 = exit status
     exit $1
 }
 
+#################################################################################
+# Display the time that the counters were last reset                            #
+#################################################################################
+show_reset() {
+    [ -f /var/lib/shorewall/restarted ] && \
+	echo -e "Counters reset `cat /var/lib/shorewall/restarted`\\n"
+}
+
 #################################################################################
 # Execution begins here								#
 #################################################################################
@@ -533,10 +541,12 @@ case "$1" in
 	    ;;
 	nat)
 	    echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n"
+	    show_reset
 	    iptables -t nat -L -n -v
 	    ;;
 	tos|mangle)
 	    echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n"
+	    show_reset
 	    iptables -t mangle -L -n -v
 	    ;;
 	log)
@@ -551,6 +561,7 @@ case "$1" in
 	    ;;
 	*)
 	    echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n"
+	    show_reset
 	    iptables -L $2 -n -v
 	    ;;
 	esac
@@ -569,6 +580,7 @@ case "$1" in
 	get_config
 	clear
 	echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
+	show_reset
 	host=`echo $HOSTNAME | sed 's/\..*$//'`
 	iptables -L -n -v
 	echo

Lrp/var/lib/shorewall/functions

@@ -1,5 +1,5 @@
 #
-# Shorewall 1.3 -- /etc/shorewall/functions
+# Shorewall 1.3 -- /var/lib/shorewall/functions
 
 #
 # Suppress all output for a command
@@ -92,6 +92,8 @@ determine_zones()
 ###############################################################################
 get_statedir()
 {
+    MUTEX_TIMEOUT=
+
     local config=`find_file shorewall.conf`
 
     if [ -f $config ]; then
@@ -116,15 +118,19 @@ get_statedir()
 mutex_on()
 {
     local try=0
-    local max=15
-    local int=2
+    local max=
+    local int=1
 
     local lockf=$STATEDIR/lock
 
+    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
+
+    max=${MUTEX_TIMEOUT}
+
     [ -d $STATEDIR ] || mkdir -p $STATEDIR
 
     if qt which lockfile; then
-	lockfile -030 -r1 ${lockf} || exit 2
+	lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
     else
 	while [ -f ${lockf} -a ${try} -lt ${max} ] ; do
 	    sleep ${int}
@@ -136,7 +142,6 @@ mutex_on()
 	    echo $$ > ${lockf}
 	else
 	    echo "Giving up on lock file ${lockf}" >&2
-	    exit 2
 	fi
     fi
 }

Lrp/var/lib/shorewall/version

@@ -1 +1 @@
-1.3.4
+1.3.5