From ccf517307e27266ade79407f7d70589b43e533b8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 7 Aug 2012 14:51:58 -0700 Subject: [PATCH 01/14] Handle raw table zones from VSERVERS Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 54ba5adfa..16f2d796f 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -1342,6 +1342,7 @@ sub generate_source_rules( $$$;@ ) { sub handle_loopback_traffic() { my @zones = ( vserver_zones, firewall_zone ); my $natout = $nat_table->{OUTPUT}; + my $rawout = $raw_table->{OUTPUT}; my $rulenum = 0; my $outchainref; @@ -1365,6 +1366,7 @@ sub handle_loopback_traffic() { my $z1ref = find_zone( $z1 ); my $type1 = $z1ref->{type}; my $natref = $nat_table->{dnat_chain $z1}; + my $notrackref = $raw_table->{notrack_chain( $z1 )}; # # Add jumps in the 'output' chain to the rules chains # @@ -1374,10 +1376,32 @@ sub handle_loopback_traffic() { generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain; } + # + # Handle conntrack + # + if ( $notrackref ) { + add_ijump $rawout, j => $notrackref if $notrackref->{referenced}; + } } else { for my $z2 ( @zones ) { generate_source_rules( $outchainref, $z1, $z2, @rule ); } + # + # Handle conntrack rules + # + if ( $notrackref->{referenced} ) { + for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) { + my $exclusion = source_exclusion( $hostref->{exclusions}, $notrackref); + my @ipsec_match = match_ipsec_in $z1 , $hostref; + + for my $net ( @{$hostref->{hosts}} ) { + add_ijump( $rawout, + j => $exclusion , + imatch_source_net $net, + @ipsec_match ); + } + } + } } if ( $natref && $natref->{referenced} ) { 
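Review bot: In the vserver branch of the new conntrack handling, `if ( $notrackref->{referenced} )` dereferences `$notrackref` without first checking that it is defined, whereas the firewall branch a few lines above guards with `if ( $notrackref )`. When the raw table holds no notrack chain for `$z1`, the lookup `$raw_table->{notrack_chain( $z1 )}` presumably yields undef, and the element fetch then silently autovivifies an empty hash instead of failing, so the two branches should use the same guard: `if ( $notrackref && $notrackref->{referenced} ) {`. The enclosing loop in `handle_loopback_traffic` continues past the end of the hunk.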
@@ -1995,12 +2019,6 @@ sub generate_matrix() { } } # - # NOTRACK from firewall - # - if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) { - add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced}; - } - # # Main source-zone matrix-generation loop # progress_message ' Entering main matrix-generation loop...'; From ee28638604be277b9ef98ecd45d2f1308d399043 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 8 Aug 2012 07:23:20 -0700 Subject: [PATCH 02/14] Add HELPERS to rules file Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Compiler.pm | 9 ++-- Shorewall/Perl/Shorewall/Config.pm | 1 - Shorewall/Perl/Shorewall/Misc.pm | 6 +-- Shorewall/Perl/Shorewall/Raw.pm | 16 ++++--- Shorewall/Perl/Shorewall/Rules.pm | 62 +++++++++++++++++++++------- Shorewall/Perl/Shorewall/Tunnels.pm | 2 +- Shorewall/Perl/Shorewall/Zones.pm | 5 +++ 7 files changed, 68 insertions(+), 33 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 9e6b01f98..7e221b48c 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -666,11 +666,6 @@ sub compiler { # (Produces no output to the compiled script) # process_policies; - # - # N O T R A C K - # (Produces no output to the compiled script) - # - setup_notrack; enable_script; @@ -799,6 +794,10 @@ sub compiler { # process_rules( $convert ); # + # Process the conntrack file + # + setup_conntrack; + # # Add Tunnel rules. # setup_tunnels; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 232e716ab..d55a191c9 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -606,7 +606,6 @@ sub initialize( $;$ ) { EXPORT => 0, KLUDGEFREE => '', STATEMATCH => '-m state --state', - UNTRACKED => 0, VERSION => "4.5.6", CAPVERSION => 40507 , ); diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 16f2d796f..b31c8cdb5 100644 
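Review bot: The comment above the relocated `setup_conntrack;` call says only `# Process the conntrack file` and does not record why the call moved from before `enable_script` to after `process_rules( $convert )`, although that ordering is the substance of the hunk. A why-comment such as `# Must follow process_rules: rules carrying a HELPER now emit raw-table rules themselves, and the conntrack file's entries are added after them` would capture it, assuming that is the intended order. The Rules.pm part of this series calls `process_conntrack_rule` directly, but whether the relative order of the two sets of raw-table rules matters is not visible here, so confirm before wording the comment as a guarantee.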
--- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -681,7 +681,7 @@ sub add_common_rules ( $ ) { my $chain; my $dynamicref; - my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); + my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED'; my $level = $config{BLACKLIST_LOGLEVEL}; my $rejectref = $filter_table->{reject}; @@ -882,7 +882,7 @@ sub add_common_rules ( $ ) { add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST ); } - my @state = $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID'; + my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID'; for my $hostref ( @$list ) { $interface = $hostref->[0]; @@ -1187,7 +1187,7 @@ sub setup_mac_lists( $ ) { my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my @source = imatch_source_net $hostref->[2]; - my @state = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; + my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; if ( $table eq 'filter' ) { my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} ); diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index 9bd9b4001..cc3b78cba 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm 
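Review bot: The expression `have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID'` is now spelled out in five places — all three Misc.pm hunks here, `classic_blacklist` in Rules.pm and `setup_tunnels` in Tunnels.pm — each repeating the capability check, so a single helper returning the list would keep them from drifting apart. At minimum the branch can move inside the call, `state_imatch( have_capability( 'RAW_TABLE' ) ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID' )`, so each site calls `state_imatch` once. Note also the behavioural shift: `$globals{UNTRACKED}` was set only once a notrack rule had actually been generated, while the capability test is true on any system with a raw table, so these matches now include UNTRACKED even when the configuration creates no untracked traffic — presumably harmless, but worth a comment wherever the helper ends up.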
@@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal); use strict; our @ISA = qw(Exporter); -our @EXPORT = qw( setup_notrack ); -our @EXPORT_OK = qw( ); +our @EXPORT = qw( setup_conntrack ); +our @EXPORT_OK = qw( process_conntrack_rule ); our $VERSION = 'MODULEVERSION'; my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 ); @@ -41,7 +41,7 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured # # Notrack # -sub process_notrack_rule( $$$$$$$ ) { +sub process_conntrack_rule( $$$$$$$ ) { my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_; @@ -122,9 +122,7 @@ sub process_notrack_rule( $$$$$$$ ) { $target , $exception_rule ); - progress_message " Notrack rule \"$currentline\" $done"; - - $globals{UNTRACKED} = 1; + progress_message " Conntrack rule \"$currentline\" $done"; } sub process_format( $ ) { @@ -135,7 +133,7 @@ sub process_format( $ ) { $format; } -sub setup_notrack() { +sub setup_conntrack() { my $format = 1; my $action = 'NOTRACK'; @@ -188,10 +186,10 @@ sub setup_notrack() { if ( $source eq 'all' ) { for my $zone (all_zones) { - process_notrack_rule( $action, $zone, $dest, $proto, $ports, $sports, $user ); + process_conntrack_rule( $action, $zone, $dest, $proto, $ports, $sports, $user ); } } else { - process_notrack_rule( $action, $source, $dest, $proto, $ports, $sports, $user ); + process_conntrack_rule( $action, $source, $dest, $proto, $ports, $sports, $user ); } } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index b868ebd36..bd8136678 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -34,6 +34,7 @@ use Shorewall::Zones; use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::IPAddrs; use Shorewall::Nat qw(:rules); +use Shorewall::Raw qw( process_conntrack_rule ); use Scalar::Util 'reftype'; use strict; 
@@ -91,7 +92,9 @@ my %rulecolumns = ( action => 0, connlimit => 10, time => 11, headers => 12, - switch => 13 ); + switch => 13, + helper => 14, + ); use constant { MAX_MACRO_NEST_LEVEL => 5 }; @@ -118,6 +121,10 @@ my %auditpolicies = ( ACCEPT => 1, REJECT => 1 ); # +# Source zone of the rule being processed +# +my $rulezone; +# # Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # @@ -1424,7 +1431,7 @@ sub process_actions() { } -sub process_rule1 ( $$$$$$$$$$$$$$$$$ ); +sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ); # # Populate an action invocation chain. As new action tuples are encountered, @@ -1457,14 +1464,14 @@ sub process_action( $) { while ( read_a_line( NORMAL_READ ) ) { - my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition ); + my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper ); if ( $format == 1 ) { ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands; $origdest = $connlimit = $time = $headers = $condition = '-'; } else { - ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition ) + ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper ) = split_line1 'action file', \%rulecolumns, $action_commands; } @@ -1502,6 +1509,7 @@ sub process_action( $) { $time, $headers, $condition, + $helper, 0 ); } 
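Review bot: In `process_action`, the `$format == 1` branch sets `$origdest = $connlimit = $time = $headers = $condition = '-';` but leaves the newly declared `$helper` undefined before passing it to `process_rule1`, whose new code tests it with `unless ( $helper eq '-' )`; for a format-1 action file that comparison warns about an uninitialized value and, being false, lets the body run and emit a `CT:helper:` rule with an empty helper name. `process_macro` in this same commit initialises `$mhelper` to `'-'` for format 1, so this branch should do the same: `$origdest = $connlimit = $time = $headers = $condition = $helper = '-';`. This assumes nothing downstream defaults `$helper` first, which none of the hunks shown does.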
@@ -1531,8 +1539,8 @@ sub use_policy_action( $ ) { # # Expand a macro rule from the rules file # -sub process_macro ( $$$$$$$$$$$$$$$$$$ ) { - my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_; +sub process_macro ( $$$$$$$$$$$$$$$$$$$) { + my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; my $nocomment = no_comment; @@ -1550,13 +1558,13 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) { while ( read_a_line( NORMAL_READ ) ) { - my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ); + my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper); if ( $format == 1 ) { ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands; - ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/; + ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/; } else { - ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands; + ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands; } fatal_error 'TARGET must be specified' if $mtarget eq '-'; 
@@ -1635,6 +1643,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) { merge_macro_column( $mtime, $time ), merge_macro_column( $mheaders, $headers ), merge_macro_column( $mcondition, $condition ), + merge_macro_column( $mhelper, $helper ), $wildcard ); @@ -1667,7 +1676,7 @@ sub verify_audit($;$$) { # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. # -sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) { +sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise $target, $current_param, @@ -1684,6 +1693,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) { $time, $headers, $condition, + $helper, $wildcard ) = @_; my ( $action, $loglevel) = split_action $target; @@ -1735,6 +1745,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) { $time, $headers, $condition, + $helper, $wildcard ); $macro_nest_level--; @@ -1884,6 +1895,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) { fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone; + + $rulezone = $sourcezone; } if ( $actiontype & NATONLY ) { @@ -2049,8 +2062,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) { $rule, $source, ( $actiontype & ACTION ) ? '' : $loglevel, - $log_action - ); + $log_action, + ); + + unless ( $helper eq '-' ) { + process_conntrack_rule( "CT:helper:$helper" , + "$rulezone:$source", + $origdest, + $proto, + $ports, + $sports, + $user ); + } # # After NAT: # - the destination port will be the server port ($ports) -- we did that above 
@@ -2121,6 +2144,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) { $loglevel , $log_action , '' ); + + if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) ) { + process_conntrack_rule( "CT:helper:$helper" , + "$rulezone:$source", + $origdest ? $origdest : $dest, + $proto, + $ports, + $sports, + $user ); + } } return 1; @@ -2224,7 +2257,7 @@ sub build_zone_list( $$$\$\$ ) { # Process a Record in the rules file # sub process_rule ( ) { - my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition ) + my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper ) = split_line1 'rules file', \%rulecolumns, $rule_commands; fatal_error 'ACTION must be specified' if $target eq '-'; @@ -2281,6 +2314,7 @@ sub process_rule ( ) { $time, $headers, $condition, + $helper, $wild ); } } @@ -2305,7 +2339,7 @@ sub classic_blacklist() { my $fw = firewall_zone; my @zones = off_firewall_zones; my @vservers = vserver_zones; - my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); + my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); my $result; for my $zone ( @zones ) { diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm index 7fe7e3b72..7b27f8e59 100644 --- a/Shorewall/Perl/Shorewall/Tunnels.pm +++ b/Shorewall/Perl/Shorewall/Tunnels.pm @@ -61,7 +61,7 @@ sub setup_tunnels() { } } - my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; + my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; add_tunnel_rule $inchainref, p => 50, @$source; add_tunnel_rule $outchainref, p => 50, @$dest; 
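Review bot: `$origdest ? $origdest : $dest` in the new helper block only does what it says if an unspecified ORIGDEST has become an empty string by this point; the rules-file columns arrive from `split_line1` with the `'-'` placeholder, which is true in boolean context, so unless `process_rule1` has already normalised `$origdest` earlier in the function (outside this hunk) the fallback to `$dest` never fires and the explicit form `$origdest eq '-' ? $dest : $origdest` is what is meant. The guard `if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) )` is also a double negation that reads more easily as `if ( $helper ne '-' && ! ( $actiontype & NATRULE ) )`. The NAT-side call in the previous hunk passes `$origdest` unconditionally, so the two call sites currently disagree on the fallback as well.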
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index a3b0b243b..87c667710 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -57,6 +57,7 @@ our @EXPORT = qw( NOTHING all_parent_zones complex_zones vserver_zones + on_firewall_zones off_firewall_zones non_firewall_zones single_interface @@ -838,6 +839,10 @@ sub all_zones() { @zones; } +sub on_firewall_zones() { + grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones ); +} + sub off_firewall_zones() { grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) ) , @zones ); } From e8a4728981ff2db0c9ab9d428cef9b6e6f2305fa Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 8 Aug 2012 07:23:43 -0700 Subject: [PATCH 03/14] Allow '?IF 0' Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index d55a191c9..980722a93 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1911,7 +1911,7 @@ sub process_conditional( $$$$ ) { my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 ); if ( $keyword =~ /^IF/ ) { - cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression; + cond_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression; my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber ); push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ]; $omitting = $nextomitting; From 8f71797a485cfdc0092baa39c5508f7c05e92a7c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 8 Aug 2012 10:51:06 -0700 Subject: [PATCH 04/14] Update upgrade doc to mention both SHA and SHA1 Signed-off-by: Tom Eastep --- docs/upgrade_issues.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
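Review bot: The new `on_firewall_zones` is exported and sits next to `off_firewall_zones`, but neither carries a comment and nothing in the hunk says what the two type bits mean to callers. A one-line header such as `# Zones whose type has the FIREWALL or VSERVER bit set (the complement of off_firewall_zones)` would document the pairing; keeping the same `grep ( COND , @zones )` shape as its sibling is fine, since the two then read as a pair.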
diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 4216dc37d..654185c52 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -94,11 +94,11 @@ - This version of Shorewall requires the Digest::SHA1 Perl - module. + This version of Shorewall requires the Digest::SHA1 or the + Digest:SHA Perl module. - Debian: libdigest-sha1-perl + Debian: libdigest-sha-perl Fedora: perl-Digest-SHA1 From 2690243e3ce3ef57a02923b64122b222bce46de2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 9 Aug 2012 07:36:04 -0700 Subject: [PATCH 05/14] Add helpers in the macros Signed-off-by: Tom Eastep --- Shorewall/Macros/macro.Amanda | 8 +++++++- Shorewall/Macros/macro.FTP | 7 ++++++- Shorewall/Macros/macro.IRC | 7 ++++++- Shorewall/Macros/macro.PPtP | 7 ++++++- Shorewall/Macros/macro.SANE | 8 +++++++- Shorewall/Macros/macro.SIP | 16 ++++++++++++++++ Shorewall/Macros/macro.SMB | 9 ++++++++- Shorewall/Macros/macro.SMBBI | 18 ++++++++++++++++-- Shorewall/Macros/macro.SNMP | 9 ++++++++- Shorewall/Macros/macro.TFTP | 7 ++++++- 10 files changed, 86 insertions(+), 10 deletions(-) create mode 100644 Shorewall/Macros/macro.SIP diff --git a/Shorewall/Macros/macro.Amanda b/Shorewall/Macros/macro.Amanda index 32450d194..974f20560 100644 --- a/Shorewall/Macros/macro.Amanda +++ b/Shorewall/Macros/macro.Amanda @@ -10,7 +10,13 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -PARAM - - udp 10080 + +?IF ( __CT_TARGET && $HELPERS && __AMANDA_HELPER ) + PARAM - - udp 10080 ; helper=amanda +?ELSE + PARAM - - udp 10080 +?ENDIF + PARAM - - tcp 10080 # # You may also need this rule. With AMANDA 2.4.4 on Linux kernel 2.6, diff --git a/Shorewall/Macros/macro.FTP b/Shorewall/Macros/macro.FTP index 431407ddc..378c1357e 100644 --- a/Shorewall/Macros/macro.FTP +++ b/Shorewall/Macros/macro.FTP 
@@ -8,4 +8,9 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 21 + +?IF ( __CT_TARGET && $HELPERS && __FTP_HELPER ) + PARAM - - tcp 21 ; helper=ftp +?ELSE + PARAM - - tcp 21 +?ENDIF diff --git a/Shorewall/Macros/macro.IRC b/Shorewall/Macros/macro.IRC index a2576058d..f45a7cf9a 100644 --- a/Shorewall/Macros/macro.IRC +++ b/Shorewall/Macros/macro.IRC @@ -8,4 +8,9 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 6667 + +?IF ( __CT_TARGET && $HELPERS && __IRC_HELPER ) + PARAM - - tcp 6667 ; helper=irc +?ELSE + PARAM - - tcp 6667 +?ENDIF diff --git a/Shorewall/Macros/macro.PPtP b/Shorewall/Macros/macro.PPtP index aa9f4b73c..670f28979 100644 --- a/Shorewall/Macros/macro.PPtP +++ b/Shorewall/Macros/macro.PPtP @@ -10,4 +10,9 @@ # PORT(S) PORT(S) LIMIT GROUP PARAM - - 47 PARAM DEST SOURCE 47 -PARAM - - tcp 1723 + +?IF ( __CT_TARGET && $HELPERS && __PPTP_HELPER ) + PARAM - - tcp 1723 ; helper=pptp +?ELSE + PARAM - - tcp 1723 +?ENDIF diff --git a/Shorewall/Macros/macro.SANE b/Shorewall/Macros/macro.SANE index 5fa2f198f..3a6241dec 100644 --- a/Shorewall/Macros/macro.SANE +++ b/Shorewall/Macros/macro.SANE @@ -8,7 +8,13 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -PARAM - - tcp 6566 + +?IF ( __CT_TARGET && $HELPERS && __SANE_HELPER ) + PARAM - - tcp 6566 ; helper=sane +?ELSE + PARAM - - tcp 6566 +?ENDIF + # # Kernels 2.6.23+ has nf_conntrack_sane module which will handle # sane data connection. diff --git a/Shorewall/Macros/macro.SIP b/Shorewall/Macros/macro.SIP new file mode 100644 index 000000000..8e0524940 --- /dev/null +++ b/Shorewall/Macros/macro.SIP 
@@ -0,0 +1,16 @@ +# +# Shorewall version 4 - SIP Macro +# +# /usr/share/shorewall/macro.SIP +# +# This macro handles SIP traffic. +# +############################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT(S) PORT(S) LIMIT GROUP + +?IF ( __CT_TARGET && $HELPERS && __SIP_HELPER ) + PARAM - - udp 5060 ; helper=sip +?ELSE + PARAM - - udp 5060 +?ENDIF diff --git a/Shorewall/Macros/macro.SMB b/Shorewall/Macros/macro.SMB index 56bb8222a..28d59b23e 100644 --- a/Shorewall/Macros/macro.SMB +++ b/Shorewall/Macros/macro.SMB @@ -13,6 +13,13 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 135,445 -PARAM - - udp 137:139 + +?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER ) + PARAM - - udp 137 ; helper=netbios-ns + PARAM - - udp 138:139 +?ELSE + PARAM - - udp 137:139 +?ENDIF + PARAM - - udp 1024: 137 PARAM - - tcp 135,139,445 diff --git a/Shorewall/Macros/macro.SMBBI b/Shorewall/Macros/macro.SMBBI index 99351e6a8..3a0125b7c 100644 --- a/Shorewall/Macros/macro.SMBBI +++ b/Shorewall/Macros/macro.SMBBI @@ -13,10 +13,24 @@ #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 135,445 -PARAM - - udp 137:139 + +?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER ) + PARAM - - udp 137 ; helper=netbios-ns + PARAM - - udp 138:139 +?ELSE + PARAM - - udp 137:139 +?ENDIF + PARAM - - udp 1024: 137 PARAM - - tcp 135,139,445 PARAM DEST SOURCE udp 135,445 -PARAM DEST SOURCE udp 137:139 + +?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER ) + PARAM DEST SOURCE udp 137 ; helper=netbios-ns + PARAM DEST SOURCE udp 138:139 +?ELSE + PARAM DEST SOURCE udp 137:139 +?ENDIF + PARAM DEST SOURCE udp 1024: 137 PARAM DEST SOURCE tcp 135,139,445 diff --git a/Shorewall/Macros/macro.SNMP b/Shorewall/Macros/macro.SNMP index 221a22921..4a14c31bc 100644 --- a/Shorewall/Macros/macro.SNMP +++ b/Shorewall/Macros/macro.SNMP 
@@ -8,5 +8,12 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -PARAM - - udp 161:162 + +?IF ( __CT_TARGET && $HELPERS && __SNMP_HELPER ) + PARAM - - udp 161 ; helper=snmp + PARAM - - udp 162 +?ELSE + PARAM - - udp 161:162 +?ENDIF + PARAM - - tcp 161 diff --git a/Shorewall/Macros/macro.TFTP b/Shorewall/Macros/macro.TFTP index 0e630428b..3db988a18 100644 --- a/Shorewall/Macros/macro.TFTP +++ b/Shorewall/Macros/macro.TFTP @@ -10,4 +10,9 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -PARAM - - udp 69 + +?IF ( __CT_TARGET && $HELPERS && __TFTP_HELPER ) + PARAM - - udp 69 ; helper=tftp +?ELSE + PARAM - - udp 69 +?ENDIF From 2ab50e65d7daec3a4765c30810daefcdc9dc8ea2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 9 Aug 2012 10:30:02 -0700 Subject: [PATCH 06/14] Make conditional directives case insensitive Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 980722a93..b0103c3b8 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1897,9 +1897,9 @@ sub process_conditional( $$$$ ) { print "CD===> $line\n" if $debug; - cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/; + cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/i; - my ($keyword, $expression) = ( $1, $2 ); + my ($keyword, $expression) = ( uc $1, $2 ); if ( supplied $expression ) { $expression =~ s/#.*//; 
@@ -2507,7 +2507,7 @@ sub read_a_line($) { # # Handle conditionals # - if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/ ) { + if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/i ) { $omitting = process_conditional( $omitting, $_, $currentfilename, $. ); next; } From e84ee76c7dffe3394e84aa8f6be4acd188a3168f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 9 Aug 2012 10:32:34 -0700 Subject: [PATCH 07/14] Add helpers to macros Signed-off-by: Tom Eastep --- Shorewall/Macros/macro.Amanda | 1 + Shorewall/Macros/macro.FTP | 2 +- Shorewall/Macros/macro.IRC | 1 + Shorewall/Macros/macro.PPtP | 1 + Shorewall/Macros/macro.SANE | 1 + Shorewall/Macros/macro.SIP | 1 + Shorewall/Macros/macro.SMB | 1 + Shorewall/Macros/macro.SMBBI | 1 + Shorewall/Macros/macro.SNMP | 1 + Shorewall/Macros/macro.TFTP | 1 + 10 files changed, 10 insertions(+), 1 deletion(-) diff --git a/Shorewall/Macros/macro.Amanda b/Shorewall/Macros/macro.Amanda index 974f20560..7d9197813 100644 --- a/Shorewall/Macros/macro.Amanda +++ b/Shorewall/Macros/macro.Amanda @@ -8,6 +8,7 @@ # files from those nodes. # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP diff --git a/Shorewall/Macros/macro.FTP b/Shorewall/Macros/macro.FTP index 378c1357e..40ac654d5 100644 --- a/Shorewall/Macros/macro.FTP +++ b/Shorewall/Macros/macro.FTP @@ -6,9 +6,9 @@ # This macro handles FTP traffic. # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP - ?IF ( __CT_TARGET && $HELPERS && __FTP_HELPER ) PARAM - - tcp 21 ; helper=ftp ?ELSE diff --git a/Shorewall/Macros/macro.IRC b/Shorewall/Macros/macro.IRC index f45a7cf9a..07cd26dec 100644 --- a/Shorewall/Macros/macro.IRC +++ b/Shorewall/Macros/macro.IRC 
@@ -6,6 +6,7 @@ # This macro handles IRC traffic (Internet Relay Chat). # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP diff --git a/Shorewall/Macros/macro.PPtP b/Shorewall/Macros/macro.PPtP index 670f28979..330f2e128 100644 --- a/Shorewall/Macros/macro.PPtP +++ b/Shorewall/Macros/macro.PPtP @@ -6,6 +6,7 @@ # This macro handles PPTP traffic. # ############################################################################### +?FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - 47 diff --git a/Shorewall/Macros/macro.SANE b/Shorewall/Macros/macro.SANE index 3a6241dec..4013737f8 100644 --- a/Shorewall/Macros/macro.SANE +++ b/Shorewall/Macros/macro.SANE @@ -6,6 +6,7 @@ # This macro handles SANE network scanning. # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP diff --git a/Shorewall/Macros/macro.SIP b/Shorewall/Macros/macro.SIP index 8e0524940..318217df7 100644 --- a/Shorewall/Macros/macro.SIP +++ b/Shorewall/Macros/macro.SIP @@ -6,6 +6,7 @@ # This macro handles SIP traffic. # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP diff --git a/Shorewall/Macros/macro.SMB b/Shorewall/Macros/macro.SMB index 28d59b23e..12a954846 100644 --- a/Shorewall/Macros/macro.SMB +++ b/Shorewall/Macros/macro.SMB @@ -10,6 +10,7 @@ # between hosts you fully trust. # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 135,445 diff --git a/Shorewall/Macros/macro.SMBBI b/Shorewall/Macros/macro.SMBBI index 3a0125b7c..09d833cf7 100644 
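Review bot: macro.PPtP gets `?FORMAT 2` while every other macro in this commit (Amanda, FTP, IRC, SANE, SIP, SMB, SMBBI, SNMP, TFTP) gets `FORMAT 2` without the `?` prefix. Unless the macro reader accepts both spellings, one of the two is wrong and PPtP will be parsed differently from the rest; pick the form the reader documents and use it in all ten files. In macro.FTP the blank line between the column header and the `?IF` is also dropped here but kept in the other macros, which is harmless but inconsistent.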
--- a/Shorewall/Macros/macro.SMBBI +++ b/Shorewall/Macros/macro.SMBBI @@ -10,6 +10,7 @@ # allow SMB traffic between hosts you fully trust. # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 135,445 diff --git a/Shorewall/Macros/macro.SNMP b/Shorewall/Macros/macro.SNMP index 4a14c31bc..d1e26b598 100644 --- a/Shorewall/Macros/macro.SNMP +++ b/Shorewall/Macros/macro.SNMP @@ -6,6 +6,7 @@ # This macro handles SNMP traffic (including traps). # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP diff --git a/Shorewall/Macros/macro.TFTP b/Shorewall/Macros/macro.TFTP index 3db988a18..bd303f322 100644 --- a/Shorewall/Macros/macro.TFTP +++ b/Shorewall/Macros/macro.TFTP @@ -8,6 +8,7 @@ # Internet. # ############################################################################### +FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP From ad818c071ac4958bc02e7ab5f73311631f152000 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 10 Aug 2012 06:55:18 -0700 Subject: [PATCH 08/14] Generate omnibus tracking rules when NAT/ACCEPT with helper appears in an action. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index bd8136678..3befde4a9 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -121,10 +121,6 @@ my %auditpolicies = ( ACCEPT => 1, REJECT => 1 ); # -# Source zone of the rule being processed -# -my $rulezone; -# # Rather than initializing globals in an INIT block or during declaration, # we initialize them in a function. This is done for two reasons: # 
@@ -922,7 +918,7 @@ sub new_action( $$ ) { fatal_error "Invalid action name($action)" if reserved_name( $action ); - $actions{$action} = { actchain => '' }; + $actions{$action} = { actchain => '' }; $targets{$action} = $type; } @@ -1895,8 +1891,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone; - - $rulezone = $sourcezone; } if ( $actiontype & NATONLY ) { @@ -2066,6 +2060,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { ); unless ( $helper eq '-' ) { + my $rulezone = $inaction ? 'all' : $sourcezone; + process_conntrack_rule( "CT:helper:$helper" , "$rulezone:$source", $origdest, @@ -2092,6 +2088,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $loglevel = ''; $action = 'ACCEPT'; $origdest = ALLIP if $origdest =~ /[+]/; + $helper = '-'; } } elsif ( $actiontype & NONAT ) { # @@ -2145,7 +2142,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $log_action , '' ); - if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) ) { + if ( $action eq 'ACCEPT' && $helper ne '-' ) { + my $rulezone = $inaction ? 'all' : $sourcezone; process_conntrack_rule( "CT:helper:$helper" , "$rulezone:$source", $origdest ? $origdest : $dest, From 50dfffec946377f28abc3e78777bdedb0889588c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 10 Aug 2012 07:09:01 -0700 Subject: [PATCH 09/14] Eliminate duplicate rules in raw-table chains when optimize level 16. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 70 +++++++++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 7e1393a27..779254dd1 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
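Review bot: `my $rulezone = $inaction ? 'all' : $sourcezone;` is written out twice in this commit, in the NAT-branch helper block here and again in the ACCEPT-branch block of the last hunk; computing it once where `$sourcezone` is validated (the hunk that drops the old module-level `$rulezone` assignment) would leave a single definition feeding both call sites. The `'all'` choice also deserves a comment, since it widens every helper rule inside an action to all source zones — something like `# Inside an action the source zone is not known, so the raw-table rule is generated for all zones`, if that is the rationale. `$inaction` and `$sourcezone` are defined outside the hunks shown, so their exact meaning is inferred here.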
@@ -3282,6 +3282,62 @@ sub combine_dports { \@rules; } +# +# Delete duplicate rules from the passed chain. +# +# The arguments are a reference to the chain followed by references to each +# of its rules. +# +sub delete_duplicates { + my @rules; + my $chainref = shift; + my $lastrule = @_; + my $baseref = pop; + my $ruleref; + my $duplicate = 0; + + while ( @_ && ! $duplicate ) { + { + my $ports1; + my @keys1 = sort( keys( %$baseref ) ); + my $rulenum = @_; + my $duplicate = 0; + + RULE: + + while ( --$rulenum >= 0 ) { + $ruleref = $_[$rulenum]; + + my @keys2 = sort(keys( %$ruleref ) ); + + next unless @keys1 == @keys2 ; + + my $keynum = 0; + + for my $key ( @keys1 ) { + next RULE unless $key eq $keys2[$keynum++]; + next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} ); + } + + $duplicate = 1; + } + + if ( $duplicate ) { + trace( $chainref, 'D', $lastrule, $baseref ) if $debug; + } else { + unshift @rules, $baseref; + } + + $baseref = pop @_; + $lastrule--; + } + } + + unshift @rules, $baseref if $baseref; + + \@rules; +} + sub optimize_level16( $$$ ) { my ( $table, $tableref , $passes ) = @_; my @chains = ( grep $_->{referenced}, values %{$tableref} ); @@ -3290,11 +3346,23 @@ sub optimize_level16( $$$ ) { progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16..."; + if ( $table eq 'raw' ) { + # + # Helpers in rules have the potential for generating lots of duplicate iptables rules + # in the raw table. This step eliminates those duplicates + # + for my $chainref ( @chains ) { + $chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} ); + } + + $passes++; + } + for my $chainref ( @chains ) { $chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} ); } - $passes++; + ++$passes; } # From b5af6f03fb06f72a71057a1b29bb2d70bbd8b31a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 11 Aug 2012 07:48:03 -0700 Subject: [PATCH 10/14] Create better rules when a HELPER appears in an action 
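Review bot: In delete_duplicates, the outer `my $duplicate = 0;` is shadowed by the `my $duplicate = 0;` declared inside the bare block, so the `! $duplicate` guard on `while ( @_ && ! $duplicate )` can never become true and the loop only ends when `@_` is exhausted; the result is correct, but the guard documents an exit that does not exist. The `RULE:` loop also keeps scanning after it has found a match; `$duplicate = 1; last RULE;` would end the scan at the first identical rule. I would drop the outer declaration, make that change, and extend the header comment with a sentence stating that rules are compared key-by-key via compare_values and that the later of two identical rules is the one removed.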
Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 2 + Shorewall/Perl/Shorewall/Raw.pm | 88 ++++++++++++++++++++++++++---- Shorewall/Perl/Shorewall/Rules.pm | 63 ++++++++++++--------- Shorewall/Perl/Shorewall/Zones.pm | 3 +- 4 files changed, 117 insertions(+), 39 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 779254dd1..3bbdb0e01 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -101,6 +101,7 @@ our %EXPORT_TAGS = ( CHAIN SET AUDIT + HELPER NO_RESTRICT PREROUTE_RESTRICT DESTIFACE_DISALLOW @@ -352,6 +353,7 @@ use constant { STANDARD => 1, #defined by Netfilter CHAIN => 1024, #Manual Chain SET => 2048, #SET AUDIT => 4096, #A_ACCEPT, etc + HELPER => 8192, #CT:helper }; # # Valid Targets -- value is a combination of one or more of the above diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index cc3b78cba..284163ede 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -33,7 +33,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_conntrack ); -our @EXPORT_OK = qw( process_conntrack_rule ); +our @EXPORT_OK = qw( handle_helper_rule ); our $VERSION = 'MODULEVERSION'; my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 ); 
@@ -41,21 +41,34 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured # # Notrack # -sub process_conntrack_rule( $$$$$$$ ) { +sub process_conntrack_rule( $$$$$$$$$ ) { - my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_; + my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_; + + require_capability 'RAW_TABLE', 'conntrack rules', ''; $proto = '' if $proto eq 'any'; $ports = '' if $ports eq 'any' || $ports eq 'all'; $sports = '' if $sports eq 'any' || $sports eq 'all'; - ( my $zone, $source) = split /:/, $source, 2; - my $zoneref = find_zone $zone; - my $chainref = ensure_raw_chain( notrack_chain $zone ); - my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT; + my $zone; + my $restriction = PREROUTE_RESTRICT; - fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT; - require_capability 'RAW_TABLE', 'conntrack rules', ''; + unless ( $chainref ) { + # + # Entry in the conntrack file + # + if ( $zoneref ) { + $zone = $zoneref->{name}; + } else { + ($zone, $source) = split /:/, $source, 2; + $zoneref = find_zone ( $zone ); + } + + $chainref = ensure_raw_chain( notrack_chain $zone ); + $restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER; + fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT; + } my $target = $action; my $exception_rule = ''; 
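Review bot: In process_conntrack_rule, the `unless ( $chainref )` block now carries both the OUTPUT_RESTRICT selection and the USER/GROUP check, so when an action chain is passed in (the handle_helper_rule path) `$user` is never validated and `$restriction` stays PREROUTE_RESTRICT regardless of the source zone. Unless the rule builder further down rejects an owner match under PREROUTE_RESTRICT, a USER/GROUP-qualified helper rule inside an action would be accepted at compile time and only fail when iptables loads it. Either the check belongs on both paths — e.g. placing `fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;` after the `unless` block — or the action-chain path should carry a comment explaining why `$user` is acceptable there. `$zoneref` is also accepted but unused when `$chainref` is supplied, which a comment on the parameter list should say. The body of the sub continues outside the hunk.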
@@ -125,6 +138,59 @@ sub process_conntrack_rule( $$$$$$$ ) { progress_message " Conntrack rule \"$currentline\" $done"; } +sub handle_helper_rule( $$$$$$$$$$$ ) { + my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_; + + if ( $helper ne '-' ) { + fatal_error "A HELPER is not allowed with this ACTION" if $action_target; + # + # This means that an ACCEPT or NAT rule with a helper is being processed + # + process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef , + $sourceref , + "CT:helper:$helper", + $source , + $dest , + $proto , + $ports , + $sports , + $user ); + } else { + assert( $action_target ); + # + # The target is an action + # + if ( $actionchain ) { + # + # And the source is another action chain + # + expand_rule( ensure_raw_chain( $actionchain ) , + PREROUTE_RESTRICT , + $rule , + $source , + $dest , + '' , + $action_target , + '', + 'CT' , + '' ); + } else { + expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) , + ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ? + OUTPUT_RESTRICT : + PREROUTE_RESTRICT ) , + $rule , + $source , + $dest , + '' , + $action_target , + '' , + 'CT' , + '' ); + } + } +} + sub process_format( $ ) { my $format = shift; @@ -186,10 +252,10 @@ sub setup_conntrack() { if ( $source eq 'all' ) { for my $zone (all_zones) { - process_conntrack_rule( $action, $zone, $dest, $proto, $ports, $sports, $user ); + process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user ); } } else { - process_conntrack_rule( $action, $source, $dest, $proto, $ports, $sports, $user ); + process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user ); } } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 3befde4a9..462e4c50a 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
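Review bot: handle_helper_rule takes eleven positional arguments and has no header comment, so a caller cannot tell from the signature that `$action_target` and `$actionchain` select between three cases (helper on a plain rule, helper inside an action chain, and a rule whose target is an action). A block comment above the sub naming each parameter, stating that `$helper` and `$action_target` are mutually exclusive (the `fatal_error` and the `assert` enforce this), and noting that `$sourceref` is only consulted when no `$actionchain` is given, would cover it. A one-line comment is also warranted on why the action-chain branch of the `else` uses PREROUTE_RESTRICT unconditionally while the zone-chain branch selects OUTPUT_RESTRICT for FIREWALL/VSERVER zones — presumably because the action's raw chain is shared across callers, but the code does not say so.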
@@ -34,7 +34,7 @@ use Shorewall::Zones; use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::IPAddrs; use Shorewall::Nat qw(:rules); -use Shorewall::Raw qw( process_conntrack_rule ); +use Shorewall::Raw qw( handle_helper_rule ); use Scalar::Util 'reftype'; use strict; @@ -1783,12 +1783,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { # process_action( $ref ); # - # Processing the action may determine that the action or one of it's dependents does NAT, so: + # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so: # # - Refresh $actiontype - # - Create the associate nat table chain if appropriate. + # - Create the associated nat and/or table chain if appropriate. # ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE; + ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER ); } $action = $basictarget; # Remove params, if any, from $action. @@ -1803,6 +1804,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $targets{$inaction} |= NATRULE if $inaction; fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW'; } + + if ( $actiontype & HELPER ) { + fatal_error "HELPER rules are only allowed in the NEW section" unless $section eq 'NEW'; + } # # Take care of irregular syntax and targets # @@ -1814,7 +1819,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $bt =~ s/[-+!]$//; my %functions = - ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } , + ( ACCEPT => sub() { + if ( $blacklist ) { + $action = 'RETURN'; + } elsif ( $helper ne '-' ) { + $actiontype |= HELPER; + } + } , REDIRECT => sub () { my $z = $actiontype & NATONLY ? '' : firewall_zone; @@ -1845,6 +1856,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { if ( $function ) { $function->(); + } elsif ( $actiontype & NATRULE && $helper ne '-' ) { + $actiontype |= HELPER; } elsif ( $actiontype & SET ) { my %xlate = ( ADD => 'add-set' , DEL => 'del-set' ); 
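Review bot: In the `@@ -1814` hunk the ACCEPT handler tests `$blacklist` first, so a HELPER given on an ACCEPT rule in the blacklist section is silently dropped rather than rejected; if that is intended, a comment on the `elsif` saying so is needed, otherwise `fatal_error "HELPER is not allowed in the BLACKLIST section" if $helper ne '-';` in the `$blacklist` branch would surface the misconfiguration. The comment rewritten in the `@@ -1783` hunk reads `Create the associated nat and/or table chain`; it should read `nat and/or raw table chain`, and `it's dependents` should be `its dependents`. process_rule1 starts and ends outside these hunks.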
@@ -2034,8 +2047,26 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT ); $rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist; } - # + # Generate CT rules(s), if any + # + if ( $actiontype & HELPER ) { + handle_helper_rule( $helper, + $source, + $origdest ? $origdest : $dest, + $proto, + $ports, + $sports, + $sourceref, + ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '', + $inaction ? $chain : '' , + $user , + $rule , + ); + + $targets{$inaction} |= HELPER if $inaction; + } + # Generate NAT rule(s), if any # if ( $actiontype & NATRULE ) { @@ -2059,17 +2090,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $log_action, ); - unless ( $helper eq '-' ) { - my $rulezone = $inaction ? 'all' : $sourcezone; - - process_conntrack_rule( "CT:helper:$helper" , - "$rulezone:$source", - $origdest, - $proto, - $ports, - $sports, - $user ); - } # # After NAT: # - the destination port will be the server port ($ports) -- we did that above @@ -2141,17 +2161,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) { $loglevel , $log_action , '' ); - - if ( $action eq 'ACCEPT' && $helper ne '-' ) { - my $rulezone = $inaction ? 'all' : $sourcezone; - process_conntrack_rule( "CT:helper:$helper" , - "$rulezone:$source", - $origdest ? $origdest : $dest, - $proto, - $ports, - $sports, - $user ); - } } return 1; diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 87c667710..df9326c70 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -118,7 +118,8 @@ use constant { IN_OUT => 1, # # @zones contains the ordered list of zones with sub-zones appearing before their parents. # -# %zones{ => {type => FIREWALL, IP, IPSEC, BPORT; +# %zones{ => {name => , +# type => FIREWALL, IP, IPSEC, BPORT; # complex => 0|1 # super => 0|1 # options => { in_out => < policy match string 
> From a5824dc2d4335d73680fff144f4aaeb157401bce Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 11 Aug 2012 08:47:10 -0700 Subject: [PATCH 11/14] Optimize extension - Eliminate short chains with a single reference. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 53 +++++++++++++++++++++++++++--- 1 file changed, 49 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 3bbdb0e01..514e60ac2 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -2981,6 +2981,51 @@ sub optimize_level4( $$ ) { } } + # + # Identify short chains with a single reference and replace the reference with the chain rules + # + my @chains = grep ( $_->{referenced} && + ! $_->{optflags} && + @{$_->{rules}} < 4 && + keys %{$_->{references}} == 1 , values %$tableref ); + + if ( my $chains = @chains ) { + $passes++; + + progress_message "\n Table $table pass $passes, $chains short chains, level 4b..."; + + for my $chainref ( @chains ) { + my $name = $chainref->{name}; + for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) { + my $name1 = $sourceref->{name}; + + if ( $chainref->{references}{$name1} == 1 ) { + my $rulenum = 0; + my $rulesref = $sourceref->{rules}; + my $rules = @{$chainref->{rules}}; + + for ( @$rulesref ) { + if ( $_->{simple} && ( $_->{target} || '' ) eq $name ) { + trace( $sourceref, 'D', $rulenum + 1, $_ ) if $debug; + splice @$rulesref, $rulenum, 1, @{$chainref->{rules}}; + if ( $debug ) { + while ( my $ruleref = shift @{$chainref->{rules}} ) { + trace ( $sourceref, 'I', $rulenum++, $ruleref ); + } + } + + delete $chainref->{references}{$name1}; + delete_chain $chainref; + last; + } + $rulenum++; + + } + } + } + } + } + $passes; } 
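Review bot: In the new level-4b pass, `my $rules = @{$chainref->{rules}};` is assigned and never read; drop it. The `for ( @$rulesref )` loop splices the array it is iterating over and relies on the immediate `last` to avoid touching the aliased element afterwards — worth a comment such as `# splice modifies @$rulesref; leave the loop at once`. What the hunk does not show is whether the `references` counts held by the targets of the inlined rules are re-attributed from `$chainref` to `$sourceref` before `delete_chain $chainref`; if delete_chain decrements them, chains reached only from the inlined rules could end up looking unreferenced, so that bookkeeping is worth confirming. optimize_level4 starts outside the hunk.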
@@ -3553,7 +3598,7 @@ sub source_exclusion( $$ ) { my $table = reftype $target ? $target->{table} : 'filter'; - my $chainref = new_chain( $table , newexclusionchain( $table ) ); + my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) ); add_ijump( $chainref, j => 'RETURN', imatch_source_net( $_ ) ) for @$exclusions; add_ijump( $chainref, g => $target ); @@ -3575,7 +3620,7 @@ sub source_iexclusion( $$$$$;@ ) { $source = $1; @exclusion = mysplit( $2 ); - my $chainref1 = new_chain( $table , newexclusionchain( $table ) ); + my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) ); add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion; @@ -3604,7 +3649,7 @@ sub dest_exclusion( $$ ) { my $table = reftype $target ? $target->{table} : 'filter'; - my $chainref = new_chain( $table , newexclusionchain( $table ) ); + my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) ); add_ijump( $chainref, j => 'RETURN', imatch_dest_net( $_ ) ) for @$exclusions; add_ijump( $chainref, g => $target ); @@ -3626,7 +3671,7 @@ sub dest_iexclusion( $$$$$;@ ) { $dest = $1; @exclusion = mysplit( $2 ); - my $chainref1 = new_chain( $table , newexclusionchain( $table ) ); + my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) ); add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion; From 50bd1d63983a8d462b59029ec449b14e66d625cb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Aug 2012 07:25:11 -0700 Subject: [PATCH 12/14] Add AUTOHELPER option 
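Review bot: The `dont_move` added to the four exclusion chains (here and in source_iexclusion, dest_exclusion and dest_iexclusion) carries no comment saying why they must stay separate chains. The pattern they build — `RETURN` for each excluded net, then a jump to the target — only has the intended meaning while it lives in its own chain, since an inlined `RETURN` would return from the calling chain instead of skipping the target; a comment such as `# Exclusion chains depend on RETURN semantics -- never inline them (optimize level 4b)` at the first call would record that, which is presumably what dont_move guards against.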
Signed-off-by: Tom Eastep --- Shorewall/Macros/macro.Amanda | 6 +- Shorewall/Macros/macro.BLACKLIST | 6 +- Shorewall/Macros/macro.FTP | 6 +- Shorewall/Macros/macro.IRC | 6 +- Shorewall/Macros/macro.PPtP | 6 +- Shorewall/Macros/macro.SANE | 6 +- Shorewall/Macros/macro.SIP | 6 +- Shorewall/Macros/macro.SMB | 6 +- Shorewall/Macros/macro.SMBBI | 12 ++-- Shorewall/Macros/macro.SNMP | 6 +- Shorewall/Macros/macro.TFTP | 6 +- Shorewall/Perl/Shorewall/Config.pm | 2 + Shorewall/Samples/Universal/shorewall.conf | 2 + .../Samples/one-interface/shorewall.conf | 2 + .../Samples/three-interfaces/shorewall.conf | 2 + .../Samples/two-interfaces/shorewall.conf | 2 + Shorewall/configfiles/conntrack | 2 +- Shorewall/configfiles/shorewall.conf | 2 + Shorewall/manpages/shorewall.conf.xml | 65 +++++++++++++++---- Shorewall6/Samples6/Universal/shorewall6.conf | 2 + .../Samples6/one-interface/shorewall6.conf | 2 + .../Samples6/three-interfaces/shorewall6.conf | 2 + .../Samples6/two-interfaces/shorewall6.conf | 2 + Shorewall6/configfiles/shorewall6.conf | 2 + Shorewall6/manpages/shorewall6.conf.xml | 61 ++++++++++++++--- 25 files changed, 165 insertions(+), 57 deletions(-) diff --git a/Shorewall/Macros/macro.Amanda b/Shorewall/Macros/macro.Amanda index 7d9197813..bf45c2d69 100644 --- a/Shorewall/Macros/macro.Amanda +++ b/Shorewall/Macros/macro.Amanda @@ -12,11 +12,11 @@ FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -?IF ( __CT_TARGET && $HELPERS && __AMANDA_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER ) PARAM - - udp 10080 ; helper=amanda -?ELSE +?else PARAM - - udp 10080 -?ENDIF +?endif PARAM - - tcp 10080 # diff --git a/Shorewall/Macros/macro.BLACKLIST b/Shorewall/Macros/macro.BLACKLIST index c51675fb1..cebff9453 100644 --- a/Shorewall/Macros/macro.BLACKLIST +++ b/Shorewall/Macros/macro.BLACKLIST 
@@ -8,8 +8,8 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -?IF $BLACKLIST_LOGLEVEL +?if $BLACKLIST_LOGLEVEL blacklog -?ELSE +?else $BLACKLIST_DISPOSITION -?ENDIF +?endif diff --git a/Shorewall/Macros/macro.FTP b/Shorewall/Macros/macro.FTP index 40ac654d5..038857a53 100644 --- a/Shorewall/Macros/macro.FTP +++ b/Shorewall/Macros/macro.FTP @@ -9,8 +9,8 @@ FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -?IF ( __CT_TARGET && $HELPERS && __FTP_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER ) PARAM - - tcp 21 ; helper=ftp -?ELSE +?else PARAM - - tcp 21 -?ENDIF +?endif diff --git a/Shorewall/Macros/macro.IRC b/Shorewall/Macros/macro.IRC index 07cd26dec..020bee064 100644 --- a/Shorewall/Macros/macro.IRC +++ b/Shorewall/Macros/macro.IRC @@ -10,8 +10,8 @@ FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -?IF ( __CT_TARGET && $HELPERS && __IRC_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER ) PARAM - - tcp 6667 ; helper=irc -?ELSE +?else PARAM - - tcp 6667 -?ENDIF +?endif diff --git a/Shorewall/Macros/macro.PPtP b/Shorewall/Macros/macro.PPtP index 330f2e128..b4ba427e8 100644 --- a/Shorewall/Macros/macro.PPtP +++ b/Shorewall/Macros/macro.PPtP @@ -12,8 +12,8 @@ PARAM - - 47 PARAM DEST SOURCE 47 -?IF ( __CT_TARGET && $HELPERS && __PPTP_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER ) PARAM - - tcp 1723 ; helper=pptp -?ELSE +?else PARAM - - tcp 1723 -?ENDIF +?endif diff --git a/Shorewall/Macros/macro.SANE b/Shorewall/Macros/macro.SANE index 4013737f8..40721e64d 100644 --- a/Shorewall/Macros/macro.SANE +++ b/Shorewall/Macros/macro.SANE 
@@ -10,11 +10,11 @@ FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -?IF ( __CT_TARGET && $HELPERS && __SANE_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER ) PARAM - - tcp 6566 ; helper=sane -?ELSE +?else PARAM - - tcp 6566 -?ENDIF +?endif # # Kernels 2.6.23+ has nf_conntrack_sane module which will handle diff --git a/Shorewall/Macros/macro.SIP b/Shorewall/Macros/macro.SIP index 318217df7..015d8b688 100644 --- a/Shorewall/Macros/macro.SIP +++ b/Shorewall/Macros/macro.SIP @@ -10,8 +10,8 @@ FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -?IF ( __CT_TARGET && $HELPERS && __SIP_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER ) PARAM - - udp 5060 ; helper=sip -?ELSE +?else PARAM - - udp 5060 -?ENDIF +?endif diff --git a/Shorewall/Macros/macro.SMB b/Shorewall/Macros/macro.SMB index 12a954846..20208fdf3 100644 --- a/Shorewall/Macros/macro.SMB +++ b/Shorewall/Macros/macro.SMB @@ -15,12 +15,12 @@ FORMAT 2 # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 135,445 -?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) PARAM - - udp 137 ; helper=netbios-ns PARAM - - udp 138:139 -?ELSE +?else PARAM - - udp 137:139 -?ENDIF +?endif PARAM - - udp 1024: 137 PARAM - - tcp 135,139,445 diff --git a/Shorewall/Macros/macro.SMBBI b/Shorewall/Macros/macro.SMBBI index 09d833cf7..08311d3fe 100644 --- a/Shorewall/Macros/macro.SMBBI +++ b/Shorewall/Macros/macro.SMBBI 
@@ -15,23 +15,23 @@ FORMAT 2 # PORT(S) PORT(S) LIMIT GROUP PARAM - - udp 135,445 -?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) PARAM - - udp 137 ; helper=netbios-ns PARAM - - udp 138:139 -?ELSE +?else PARAM - - udp 137:139 -?ENDIF +?endif PARAM - - udp 1024: 137 PARAM - - tcp 135,139,445 PARAM DEST SOURCE udp 135,445 -?IF ( __CT_TARGET && $HELPERS && __NETBIOS_NS_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) PARAM DEST SOURCE udp 137 ; helper=netbios-ns PARAM DEST SOURCE udp 138:139 -?ELSE +?else PARAM DEST SOURCE udp 137:139 -?ENDIF +?endif PARAM DEST SOURCE udp 1024: 137 PARAM DEST SOURCE tcp 135,139,445 diff --git a/Shorewall/Macros/macro.SNMP b/Shorewall/Macros/macro.SNMP index d1e26b598..bbc906fbc 100644 --- a/Shorewall/Macros/macro.SNMP +++ b/Shorewall/Macros/macro.SNMP @@ -10,11 +10,11 @@ FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -?IF ( __CT_TARGET && $HELPERS && __SNMP_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER ) PARAM - - udp 161 ; helper=snmp PARAM - - udp 162 -?ELSE +?else PARAM - - udp 161:162 -?ENDIF +?endif PARAM - - tcp 161 diff --git a/Shorewall/Macros/macro.TFTP b/Shorewall/Macros/macro.TFTP index bd303f322..8e7ccb4f3 100644 --- a/Shorewall/Macros/macro.TFTP +++ b/Shorewall/Macros/macro.TFTP @@ -12,8 +12,8 @@ FORMAT 2 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -?IF ( __CT_TARGET && $HELPERS && __TFTP_HELPER ) +?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER ) PARAM - - udp 69 ; helper=tftp -?ELSE +?else PARAM - - udp 69 -?ENDIF +?endif diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index b0103c3b8..5a2d46206 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
@@ -730,6 +730,7 @@ sub initialize( $;$ ) { LEGACY_FASTSTART => undef, USE_PHYSICAL_NAMES => undef, HELPERS => undef, + AUTOHELPERS => undef, # # Packet Disposition # @@ -4524,6 +4525,7 @@ sub get_configuration( $$$ ) { default_yes_no 'LEGACY_FASTSTART' , 'Yes'; default_yes_no 'USE_PHYSICAL_NAMES' , ''; default_yes_no 'IPSET_WARNINGS' , 'Yes'; + default_yes_no 'AUTOHELPERS' , 'Yes'; if ( supplied $config{HELPERS} ) { my %helpers_temp = %helpers_enabled; diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index d334682db..512802886 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 38af1be72..6eabebf6d 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -127,6 +127,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index e4f7b5142..9d6ba575f 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -125,6 +125,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 58ff0e882..2db35263c 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -128,6 +128,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes 
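Review bot: `default_yes_no 'AUTOHELPERS' , 'Yes';` defaults the option on, while the shorewall.conf(5) text added in this same commit recommends AUTOHELPERS=No on kernel 3.5 and later; the default is presumably kept at Yes for compatibility, but nothing in Config.pm says so. A comment on the line, e.g. `# Defaults to Yes for compatibility; shorewall.conf(5) recommends No on kernel 3.5+`, would stop a reader from flipping it. Whether AUTOHELPERS and a supplied HELPERS list should be cross-checked (the following lines only handle HELPERS) is not visible here and is worth a decision. get_configuration starts and ends outside the hunk.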
diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack index 3ff7ec943..dbb55854d 100644 --- a/Shorewall/configfiles/conntrack +++ b/Shorewall/configfiles/conntrack @@ -7,7 +7,7 @@ FORMAT 2 #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ # PORT(S) PORT(S) GROUP -?IF __CT_TARGET +?IF $AUTOHELPERS && __CT_TARGET ?IF __AMANDA_HELPER CT:helper:amanda all - udp 10080 diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 8d7f3a0df..68b6b97c7 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -116,6 +116,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 4cd86e8f6..ef09c1dd6 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -96,7 +96,7 @@ role="bold">none} - + @@ -106,7 +106,7 @@ role="bold">none} - + @@ -116,7 +116,7 @@ role="bold">none} - + @@ -126,7 +126,7 @@ role="bold">none} - + @@ -299,6 +299,49 @@ + + AUTOHELPERS=[Yes|No] + + + Added in Shorewall 4.5.8. When set to + (the default), the generated ruleset will automatically associate + helpers with applications that require them (FTP, IRC, etc.). When + configuring your firewall on systems running kernel 3.5 or later, it + is recommended that you: + + + + Set AUTOHELPERS=No. + + + + Either: + + + + Modify shorewall-conntrack + (5) to only apply helpers where they are required; or + + + + Specify the appropriate helper in the HELPER column in + shorewall-rules + (5). + + + The macros for those applications requiring a helper + automatically specify the appropriate HELPER where + required. + + + + + + + + AUTOMAKE=[Yes|No] @@ -482,7 +525,7 @@
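Review bot: This file keeps the upper-case `?IF` directive on the changed line while every macro touched by this commit was switched to lower-case `?if`/`?else`/`?endif`; if both spellings are accepted by the preprocessor, the conntrack file should still follow the spelling the macros now use, and if only one is, this line is the one to check. The rest of the conntrack file is outside the hunk.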
- + If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are @@ -739,8 +782,8 @@ net all DROP infothen the chain name is 'net2all' When HELPERS is specified on a system running Kernel 3.5.0 or - later, automatic association of helpers to connections is disabled. - + later, automatic association of helpers to connections is + disabled. @@ -889,7 +932,7 @@ net all DROP infothen the chain name is 'net2all' - +
If this variable is not set or is given an empty value @@ -1099,7 +1142,7 @@ net all DROP infothen the chain name is 'net2all' - +
For example, using the default LOGFORMAT, the log prefix for @@ -1116,7 +1159,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. - + Do not use this option if the resulting log messages will @@ -1780,7 +1823,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - + diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index af44a223e..826db4099 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 5b2864e23..518ac9030 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 3cf36656e..01b81f97f 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 35beedfbd..0d9360a14 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index 096f64b58..946060722 100644 
--- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -111,6 +111,8 @@ ADMINISABSENTMINDED=Yes AUTOCOMMENT=Yes +AUTOHELPERS=Yes + AUTOMAKE=No BLACKLISTNEWONLY=Yes diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 1eda02d4f..48d48d08b 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -82,7 +82,7 @@ role="bold">none} - + @@ -92,7 +92,7 @@ role="bold">none} - + @@ -102,7 +102,7 @@ role="bold">none} - + @@ -112,7 +112,7 @@ role="bold">none} - + @@ -228,6 +228,49 @@ + + AUTOHELPERS=[Yes|No] + + + Added in Shorewall 4.5.8. When set to + (the default), the generated ruleset will automatically associate + helpers with applications that require them (FTP, IRC, etc.). When + configuring your firewall on systems running kernel 3.5 or later, it + is recommended that you: + + + + Set AUTOHELPERS=No. + + + + Either: + + + + Modify shorewall6-conntrack + (5) to only apply helpers where they are required; or + + + + Specify the appropriate helper in the HELPER column in + shorewall6-rules + (5). + + + The macros for those applications requiring a helper + automatically specify the appropriate HELPER where + required. + + + + + + + + AUTOMAKE=[Yes|No] @@ -648,8 +691,8 @@ net all DROP infothen the chain name is 'net2all' When HELPERS is specified on a system running Kernel 3.5.0 or - later, automatic association of helpers to connections is disabled. - + later, automatic association of helpers to connections is + disabled. @@ -962,7 +1005,7 @@ net all DROP infothen the chain name is 'net2all' - +
For example, using the default LOGFORMAT, the log prefix for @@ -979,7 +1022,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. - + Do not use this option if the resulting log messages will @@ -1578,7 +1621,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - + From b372163122ffd2fc0647ab3feafa4264b01c28eb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Aug 2012 08:42:53 -0700 Subject: [PATCH 13/14] Enable automatic helper association during 'stop'. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Misc.pm | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index b31c8cdb5..487aab3c0 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -2340,6 +2340,14 @@ EOF deletechain shorewall run_stop_exit + + # + # Enable automatic helper association on kernel 3.5.0 and later + # + if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then + echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper + fi + EOF if ( have_capability( 'NAT_ENABLED' ) ) { From 2f1d59366caccbb270496245a25a9879f88e8bb5 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Aug 2012 08:43:28 -0700 Subject: [PATCH 14/14] Unconditionally disable kernel automatic helper association during start. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Compiler.pm | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 7e221b48c..16005639c 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm 
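Review bot: The generated stop script turns automatic helper association back on with `echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper` unconditionally, regardless of what the value was before Shorewall started and regardless of the AUTOHELPERS/HELPERS settings; the start-side code in Compiler.pm on this page writes 0 but records nothing, so `stop` cannot restore the administrator's prior choice. That sysctl exists so administrators can keep automatic helper assignment off, and an unloaded firewall is exactly when the permissive setting matters most. I would save the pre-start value at start and restore it here, or at minimum condition the `echo 1` on the configured option and add `# NOTE: restores kernel auto-helper assignment; the pre-start value is not preserved` to the emitted script. The enclosing emitted heredoc starts outside the hunk.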
@@ -705,12 +705,10 @@ sub compiler { # setup_proxy_arp; - my $setting = supplied $config{HELPERS} ? 0 : 1; - - emit( "#\n# Set automatic helper association on kernel 3.5.0 and later\n#" , + emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" , 'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' , - ' progress_message "Setting up Automatic Helper Association"', - " echo $setting > /proc/sys/net/netfilter/nf_conntrack_helper", + ' progress_message "Disabling Kernel Automatic Helper Association"', + " echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper", 'fi', '' );