Slightly less horrible Hack to make the Tunnels file still work with the sectioned Rules file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2569 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -15,6 +15,8 @@ Changes in 2.5.3
 
 7) Section the rules file.
 
+8) Fixed tunnels/rules interaction problems.
+
 Changes in 2.5.2
 
 1) Allow port lists in /etc/sorewall/accounting.

Shorewall/firewall

@@ -2192,7 +2192,7 @@ setup_tunnels() # $1 = name of tunnels file
 {
     local inchain
     local outchain
-    local options="-m state --state NEW,INVALID -j ACCEPT"
+
 
     setup_one_ipsec() # $1 = gateway $2 = Tunnel Kind $3 = gateway zones
     {
@@ -2208,16 +2208,16 @@ setup_tunnels() # $1 = name of tunnels file
 
 	[ $kind = IPSEC ] && kind=ipsec
 
-
-	addrule2 $inchain	  -p 50	 $(source_ip_range $1) $options
-	addrule2 $outchain	  -p 50	 $(dest_ip_range $1)   $options
+	options="-m state --state NEW -j ACCEPT"
+	addrule2 $inchain	  -p 50	 $(source_ip_range $1) -j ACCEPT
+	addrule2 $outchain	  -p 50	 $(dest_ip_range $1)   -j ACCEPT
 
 	if [ -z "$noah" ]; then
-	    run_iptables -A $inchain  -p 51 $(source_ip_range $1) $options
-	    run_iptables -A $outchain -p 51 $(dest_ip_range $1)   $options
+	    run_iptables -A $inchain  -p 51 $(source_ip_range $1) -j ACCEPT
+	    run_iptables -A $outchain -p 51 $(dest_ip_range $1)   -j ACCEPT
 	fi
 
-	run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options 
+	run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
 
 	if [ $kind = ipsec ]; then
 	    run_iptables -A $inchain  -p udp $(source_ip_range $1) --dport 500 $options
@@ -2245,26 +2245,26 @@ setup_tunnels() # $1 = name of tunnels file
 
     setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
     {
-	addrule2 $inchain  -p $3 $(source_ip_range $2) $options
-	addrule2 $outchain -p $3 $(dest_ip_range $2)   $options
+	addrule2 $inchain  -p $3 $(source_ip_range $2) -j ACCEPT
+	addrule2 $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
 
 	progress_message "   $1 tunnel to $2 defined."
     }
 
     setup_pptp_client() # $1 = gateway
     {
-	addrule2 $outchain -p 47               $(dest_ip_range $1)   $options
-	addrule2 $inchain  -p 47               $(source_ip_range $1) $options
-	addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1)   $options
+	addrule2 $outchain -p 47               $(dest_ip_range $1)   -j ACCEPT
+	addrule2 $inchain  -p 47               $(source_ip_range $1) -j ACCEPT
+	addrule2 $outchain -p tcp --dport 1723 $(dest_ip_range $1)   -j ACCEPT
 
 	progress_message "   PPTP tunnel to $1 defined."
     }
 
     setup_pptp_server() # $1 = gateway
     {
-	addrule2 $inchain  -p 47               $(source_ip_range $1) $options
-	addrule2 $outchain -p 47               $(dest_ip_range $1)   $options
-	addrule2 $inchain  -p tcp --dport 1723 $(source_ip_range $1) $options
+	addrule2 $inchain  -p 47               $(source_ip_range $1) -j ACCEPT
+	addrule2 $outchain -p 47               $(dest_ip_range $1)   -j ACCEPT
+	addrule2 $inchain  -p tcp --dport 1723 $(source_ip_range $1) -j ACCEPT
 
 	progress_message "   PPTP server defined."
     }
@@ -2285,8 +2285,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
 
-	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dport $p $options
-	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --dport $p $options
+	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
+	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --dport $p -j ACCEPT
 
 	progress_message "   OPENVPN tunnel to $1:$protocol:$p defined."
     }
@@ -2307,8 +2307,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
 
-	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dport $p $options
-	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --sport $p $options
+	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dport $p -j ACCEPT
+	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --sport $p -j ACCEPT
 
 	progress_message "   OPENVPN server tunnel from $1:$protocol:$p defined."
     }
@@ -2329,8 +2329,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
 
-	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dsport $p $options
-	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --dport  $p $options
+	addrule2 $inchain  -p $protocol $(source_ip_range $1) --dsport $p -j ACCEPT
+	addrule2 $outchain -p $protocol $(dest_ip_range $1)   --dport  $p -j ACCEPT
 
 	progress_message "   OPENVPN client tunnel to $1:$protocol:$p defined."
     }
@@ -2357,15 +2357,15 @@ setup_tunnels() # $1 = name of tunnels file
 
 	p=${p:+--dport $p}
 
-	addrule2 $inchain  -p $protocol $(source_ip_range $1) $p $options
-	addrule2 $outchain -p $protocol $(dest_ip_range $1)   $p $options
+	addrule2 $inchain  -p $protocol $(source_ip_range $1) $p -j ACCEPT
+	addrule2 $outchain -p $protocol $(dest_ip_range $1)   $p -j ACCEPT
 
 	for z in $(separate_list $3); do
 	    if validate_zone $z; then
-		addrule ${FW}2${z} -p $protocol $p $options
-		addrule ${z}2${FW} -p $protocol $p $options
+		addrule ${FW}2${z} -p $protocol $p -j ACCEPT
+		addrule ${z}2${FW} -p $protocol $p -j ACCEPT
 	    else
-		error_message "WARNING: Invalid gateway zone ($z)" \
+		error_message "Warning: Invalid gateway zone ($z)" \
 		" -- Tunnel \"$tunnel\" may encounter problems"
 	    fi
 	done
@@ -8249,16 +8249,17 @@ define_firewall() # $1 = Command (Start or Restart)
 
     setup_syn_flood_chains
 
-    tunnels=$(find_file tunnels)
-    [ -f $tunnels ] && \
-	echo "Processing $tunnels..." &&       setup_tunnels $tunnels
-
     setup_ipsec
 
     maclist_hosts=$(find_hosts_by_option maclist)
     [ -n "$maclist_hosts" ] &&                 setup_mac_lists
 
     echo "Processing $(find_file rules)...";   process_rules
+
+    tunnels=$(find_file tunnels)
+    [ -f $tunnels ] && \
+	echo "Processing $tunnels..." &&       setup_tunnels $tunnels
+
     echo "Processing Actions...";              process_actions2
                                                process_actions3
     echo "Processing $(find_file policy)...";  apply_policy_rules

Shorewall/releasenotes.txt

@@ -255,6 +255,16 @@ Migration Considerations:
 8) The "shorewall forget" command now removes the dynamic blacklist
    save file (/var/lib/shorewall/save).
 
+9) In previous versions of Shorewall, the rules generated by entries in
+   /etc/shorewall/tunnels preceded those rules generated by entries in
+   /etc/shorewall/rules. Beginning with this release, the entries
+   generated by entries in the tunnels file will appear *AFTER* the
+   rules generated by the rules file. This may cause you problems if
+   you have REJECT, DENY or CONTINUE rules in your rules file that
+   would cause the tunnel transport packets to not reach the rules that
+   ACCEPT them. See http://www.shorewall.net/VPNBasics.html for
+   information on the rules generated by entries in the tunnels file.
+
 New Features in Shorewall 2.5.*
 
 1) Error and warning messages are made easier to spot by using