Add Conntrack Match Capability

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@618 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-06-27 21:02:52 +00:00 · 2003-06-27 21:02:52 +00:00 · 7a2cad4d07
commit 7a2cad4d07
parent f562fa4836
3 changed files with 142 additions and 68 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -1693,14 +1693,16 @@ check_config() {

    disclaimer() {
 	echo
-	echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM"
-	echo "         REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH"
-	echo "         WILL NOT BE ACCEPTED"
+	echo "Notice:  The 'check' command is unsupported and problem"
+	echo "         reports complaining about errors that it didn't catch"
+	echo "         will not be accepted"
 	echo
    }

    disclaimer

+    report_capabilities
+
    echo "Verifying Configuration..."

    verify_os_version
@ -2108,13 +2110,25 @@ add_a_rule()
 	    if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
 		if [ -n "$serv" ]; then
 		    for srv in `ip_range $serv`; do
-			if [ -n "$loglevel" -a -z "$natrule" ]; then
-			    log_rule $loglevel $chain $logtarget \
-				`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
-			fi
+			if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
+			    for adr in $addr; do
+				if [ -n "$loglevel" -a -z "$natrule" ]; then
+				    log_rule $loglevel $chain $logtarget -m conntrack --ctorigdst $adr \
+					`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
+				fi

-			run_iptables2 -A $chain $proto $multiport $state $cli $sports \
-			    -d $srv $dports -j $target
+				run_iptables2 -A $chain $proto $multiport $state $cli $sports \
+				    -d $srv $dports -m conntrack --ctorigdst $adr -j $target
+			    done
+			else
+			    if [ -n "$loglevel" -a -z "$natrule" ]; then
+				log_rule $loglevel $chain $logtarget \
+				    `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
+			    fi
+
+			    run_iptables2 -A $chain $proto $multiport $state $cli $sports \
+				-d $srv $dports -j $target
+			fi
 		    done
 		else
 		    if [ -n "$loglevel" -a -z "$natrule" ]; then
@ -3325,6 +3339,41 @@ verify_ip() {
 	startup_error "Shorewall $version requires the iproute package ('ip' utility)"
 }

+# 
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+    qt iptables -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
+    qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+    CONNTRACK_MATCH=
+    MULTIPORT=
+
+    if qt iptables -N fooX1234 ; then
+	qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+        qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT   && MULTIPORT=Yes
+
+	qt iptables -F fooX1234
+	qt iptables -X fooX1234
+    fi
+}
+
+report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
+{
+    local setting=
+
+    [ $1 = "Yes" ] && { setting="Available"; shift; } || setting="Not available"
+
+    echo "  " $@: $setting
+}
+
+report_capabilities() {
+    echo "Shorewall has detected the following iptables/netfilter capabilities:"
+    report_capability $NAT_ENABLED "NAT"
+    report_capability $MANGLE_ENABLED "Packet Mangling"
+    report_capability $CONNTRACK_MATCH "Connection Tracking Match"
+}
+
 #
 # Perform Initialization
 #	- Delete all old rules
@ -3335,6 +3384,8 @@ verify_ip() {
 #
 initialize_netfilter () {

+    report_capabilities
+
    echo "Determining Zones..."

    determine_zones
@ -3611,11 +3662,12 @@ add_common_rules() {
 	
 	run_iptables -A logdrop -j DROP

-	if [ -n "$MANGLE_ENABLED" ]; then
+	if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
 	    #
-	    # Mangling is enabled -- create a chain in the mangle table to
-	    # filter RFC1918 destination addresses. This must be done in the
-	    # mangle table before we apply any DNAT rules in the nat table
+	    # Mangling is enabled but conntrack match isn't available -- 
+	    # create a chain in the mangle table to filter RFC1918 destination
+            # addresses. This must be done in the mangle table before we apply
+	    # any DNAT rules in the nat table
 	    #
 	    # Also add a chain to log and drop any RFC1918 packets that we find
 	    #
@ -3635,11 +3687,17 @@ add_common_rules() {
 	    esac

 	    run_iptables2 -A rfc1918 -s $subnet -j $target
-	    #
-	    # If packet mangling is enabled, trap packets with an
-	    # RFC1918 destination
-	    #
-	    if [ -n "$MANGLE_ENABLED" ]; then
+
+	    if [ -n "$CONNTRACK_MATCH" ]; then
+		#
+		# We have connection tracking match -- match on the original destination
+		#
+		run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
+	    elif [ -n "$MANGLE_ENABLED" ]; then
+		#
+		# No connection tracking match but we have mangling -- add a rule to
+		# the mangle table
+		#
 		run_iptables2 -t mangle -A man1918 -d $subnet -j $target
 	    fi
 	done < $TMP_DIR/rfc1918
@ -3649,7 +3707,7 @@ add_common_rules() {
 		run_iptables -A $chain -m state --state NEW -j rfc1918
 	    done

-	    [ -n "$MANGLE_ENABLED" ] && \
+	    [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
 		run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
 	done

@ -4512,8 +4570,6 @@ do_initialize() {
    LOGRATE=
    LOGBURST=
    LOGPARMS=
-    NAT_ENABLED=
-    MANGLE_ENABLED=
    ADD_IP_ALIASES=
    ADD_SNAT_ALIASES=
    TC_ENABLED=
@ -4523,7 +4579,6 @@ do_initialize() {
    CLAMPMSS=
    ROUTE_FILTER=
    NAT_BEFORE_RULES=
-    MULTIPORT=
    DETECT_DNAT_IPADDRS=
    MUTEX_TIMEOUT=
    NEWNOTSYN=
@ -4587,8 +4642,6 @@ do_initialize() {
    ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
    [ -n "$ALLOWRELATED" ] || \
 	startup_error "ALLOWRELATED=No is not supported"
-    NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
-    MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
    ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
    TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"

@ -4620,7 +4673,6 @@ do_initialize() {
    ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES`
    ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
    NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
-    MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
    DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
    FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
    [ -n "$FORWARDPING" ] && \
@ -4691,6 +4743,11 @@ do_initialize() {
    #
    strip_file interfaces
    strip_file hosts
+    #
+    # Determine the capabilities of the installed iptables/netfilter
+    #
+    determine_capabilities
+
 }

 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,4 +1,4 @@
-This is a minor release of Shorewall.
+This is a snapshot release of Shorewall.

 Problems Corrected:

@ -6,6 +6,15 @@ Problems Corrected:
   errors when started using the "service" mechanism has been worked
   around.

+2) A problem introduced in earlier snapshots has been corrected. This
+   problem caused incorrect netfilter rules to be created when the
+   destination zone in a rule was qualified by an address in CIDR
+   format.
+ 
+   Example:
+
+   ACCEPT  fw   net:206.124.146.0/24   tcp   pop3
+
 New Features:

 1) A 'newnotsyn' interface option has been added. This option may be
@ -19,10 +28,56 @@ New Features:
 3) Shorewall can now add IP addresses to subnets other than the first
   one on an interface.

-4) DNAT[-] rules may now be used to round-robin over a set of
-   servers. Up to 256 servers may be specified in a range of addresses
-   given as <first address>-<last address>.
+4) DNAT[-] rules may now be used to load balance (round-robin) over a
+   set of servers. Up to 256 servers may be specified in a range of
+   addresses given as <first address>-<last address>.

   Example:

-	DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+	DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
+
+   Note that this capability has previously been available using a
+   combination of a DNAT- rule and one or more ACCEPT rules. That
+   technique is still preferable for load-balancing over a large number
+   of servers (> 16) since specifying a range in the DNAT rule causes
+   one filter table ACCEPT rule to be generated for each IP address in
+   the range.
+
+5) The NAT_ENABLED and MANGLE_ENABLED configuration options have been
+   removed and have been replaced by code that detects whether these
+   capabilities are present in the current kernel. The output of the
+   start, restart and check commands have been enhanced to report the
+   outcome:
+
+   Shorewall has detected the following iptables/netfilter capabilities:
+      NAT: Available
+      Packet Mangling: Available
+   Verifying Configuration...
+
+6) Support for the Connection Tracking Match Extension has been
+   added. This extension is available in recent kernel/iptables
+   releases and allows for rules which match against elements in
+   netfilter's connection tracking table.
+
+   Shorewall automatically detects the availability of this extension
+   and reports its availability in the output of the start, restart and
+   check commands.
+
+   Shorewall has detected the following iptables/netfilter capabilities:
+      NAT: Available
+      Packet Mangling: Available
+      Connection Tracking Match: Available
+   Verifying Configuration...
+
+   If this extension is available, the ruleset generated by Shorewall
+   is changed in the following ways:
+
+   a) To handle 'norfc1918' filtering, Shorewall will not create chains
+      in the mangle table but will rather do all 'norfc1918' filtering in
+      the filter table (rfc1918 chain).
+
+   b) Recall that Shorewall DNAT rules generate two netfilter rules;
+      one in the nat table and one in the filter table. If the Connection
+      Tracking Match Extension is available, the rule in the filter table
+      is extended to check that the original destination address was the
+      same as specified (or defaulted to) in the DNAT rule.
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -230,24 +230,6 @@ MODULESDIR=
 #
 FW=fw

-#
-# ENABLE NAT SUPPORT
-#
-# You probally want yes here. Only gateways not doing NAT in any form, like
-# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
-#
-NAT_ENABLED=Yes
-
-#
-# ENABLE MANGLE SUPPORT
-#
-# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
-# and will not initialize the mangle table when starting or stopping
-# your firewall. You must enable mangling if you want Traffic Shaping
-# (see TC_ENABLED below).
-#
-MANGLE_ENABLED=Yes
-
 #
 # ENABLE IP FORWARDING
 #
@ -378,26 +360,6 @@ ROUTE_FILTER=No

 NAT_BEFORE_RULES=Yes

-# MULTIPORT support
-#
-# If your kernel includes the multiport match option
-# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
-# option is enabled by setting it's value to "Yes" or "yes":
-#
-#	1) If you list more that 15 ports in a comma-seperated list in
-#	   /etc/shorewall/rules, Shorewall will not use the multiport option
-#	   but will generate a separate rule for each element of each port
-#	   list.
-#	2) If you include a port range (<low port>:<high port>) in the
-#	   rule, Shorewall will not use the multiport option but will generate
-#	   a separate rule for each element of each port list.
-#
-# See the /etc/shorewall/rules file for additional information on this option.
-#
-# if this variable is not set or is set to the empty value, "No" is assumed.
-
-MULTIPORT=No
-
 # DNAT IP ADDRESS DETECTION
 #
 # Normally when Shorewall encounters the following rule: