diff --git a/Shorewall/firewall b/Shorewall/firewall index a340c7cd7..6a39fc0d2 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1693,14 +1693,16 @@ check_config() { disclaimer() { echo - echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM" - echo " REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH" - echo " WILL NOT BE ACCEPTED" + echo "Notice: The 'check' command is unsupported and problem" + echo " reports complaining about errors that it didn't catch" + echo " will not be accepted" echo } disclaimer + report_capabilities + echo "Verifying Configuration..." verify_os_version @@ -2108,13 +2110,25 @@ add_a_rule() if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then if [ -n "$serv" ]; then for srv in `ip_range $serv`; do - if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule $loglevel $chain $logtarget \ - `fix_bang $proto $sports $multiport $state $cli -d $srv $dports` - fi + if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then + for adr in $addr; do + if [ -n "$loglevel" -a -z "$natrule" ]; then + log_rule $loglevel $chain $logtarget -m conntrack --ctorigdst $adr \ + `fix_bang $proto $sports $multiport $state $cli -d $srv $dports` + fi - run_iptables2 -A $chain $proto $multiport $state $cli $sports \ - -d $srv $dports -j $target + run_iptables2 -A $chain $proto $multiport $state $cli $sports \ + -d $srv $dports -m conntrack --ctorigdst $adr -j $target + done + else + if [ -n "$loglevel" -a -z "$natrule" ]; then + log_rule $loglevel $chain $logtarget \ + `fix_bang $proto $sports $multiport $state $cli -d $srv $dports` + fi + + run_iptables2 -A $chain $proto $multiport $state $cli $sports \ + -d $srv $dports -j $target + fi done else if [ -n "$loglevel" -a -z "$natrule" ]; then 
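Review bot: In the add_a_rule hunk the new conntrack branch and the `else` branch repeat the same log_rule/run_iptables2 pair, differing only in the `-m conntrack --ctorigdst $adr` fragment, so every later change to the DNAT filter rule has to be made twice and the two copies can drift apart (the fragment already sits before the fix_bang output in log_rule but after `$dports` in run_iptables2). Collapsing both paths into one loop that iterates over `$addr` when the match is usable and over a single no-restriction entry otherwise leaves one copy of each call. The `else` for an empty `$serv` begins on the hunk's last line and its body lies outside the hunk, so whether that path also gets the original-destination restriction cannot be judged here; add_a_rule itself starts before the hunk.
```shell
            for srv in `ip_range $serv`; do
                if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
                    origdsts="$addr"
                else
                    origdsts=-
                fi

                for adr in $origdsts; do
                    # "-" means: no original-destination restriction on this rule
                    [ "$adr" = - ] && ctmatch= || ctmatch="-m conntrack --ctorigdst $adr"

                    if [ -n "$loglevel" -a -z "$natrule" ]; then
                        log_rule $loglevel $chain $logtarget $ctmatch \
                            `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
                    fi

                    run_iptables2 -A $chain $proto $multiport $state $cli $sports \
                        -d $srv $dports $ctmatch -j $target
                done
            done
            # … unchanged: else branch for an empty $serv …
```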
@@ -3325,6 +3339,41 @@ verify_ip() { startup_error "Shorewall $version requires the iproute package ('ip' utility)" } +# +# Determine which optional facilities are supported by iptables/netfilter +# +determine_capabilities() { + qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= + qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= + + CONNTRACK_MATCH= + MULTIPORT= + + if qt iptables -N fooX1234 ; then + qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes + qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes + + qt iptables -F fooX1234 + qt iptables -X fooX1234 + fi +} + +report_capability() # $1 = Capability Name, $2 Capability Setting (if any) +{ + local setting= + + [ $1 = "Yes" ] && { setting="Available"; shift; } || setting="Not available" + + echo " " $@: $setting +} + +report_capabilities() { + echo "Shorewall has detected the following iptables/netfilter capabilities:" + report_capability $NAT_ENABLED "NAT" + report_capability $MANGLE_ENABLED "Packet Mangling" + report_capability $CONNTRACK_MATCH "Connection Tracking Match" +} + # # Perform Initialization # - Delete all old rules @@ -3335,6 +3384,8 @@ verify_ip() { # initialize_netfilter () { + report_capabilities + echo "Determining Zones..." determine_zones 
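Review bot: determine_capabilities probes by creating a chain `fooX1234` in the live filter table, but nothing removes a stale copy first: if the chain already exists (for example left behind when an earlier run was interrupted between the `-N` and the `-X`), `iptables -N` fails and CONNTRACK_MATCH and MULTIPORT are silently reported as "Not available", so the next start generates a different ruleset (mangle-based rfc1918 filtering, DNAT filter rules without the original-destination check) with no indication why. Cleaning up before the probe, `qt iptables -F fooX1234; qt iptables -X fooX1234` ahead of `if qt iptables -N fooX1234 ; then`, makes the probe idempotent, and a comment above the function should state that it must run as root against the live tables so that a permission failure during `check` is not mistaken for missing kernel support. report_capabilities also omits the MULTIPORT result that the same function detects; `report_capability $MULTIPORT "Multi-port Match"` would make the reported list match what the generated ruleset actually depends on.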
@@ -3611,11 +3662,12 @@ add_common_rules() { run_iptables -A logdrop -j DROP - if [ -n "$MANGLE_ENABLED" ]; then + if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then # - # Mangling is enabled -- create a chain in the mangle table to - # filter RFC1918 destination addresses. This must be done in the - # mangle table before we apply any DNAT rules in the nat table + # Mangling is enabled but conntrack match isn't available -- + # create a chain in the mangle table to filter RFC1918 destination + # addresses. This must be done in the mangle table before we apply + # any DNAT rules in the nat table # # Also add a chain to log and drop any RFC1918 packets that we find # @@ -3635,11 +3687,17 @@ add_common_rules() { esac run_iptables2 -A rfc1918 -s $subnet -j $target - # - # If packet mangling is enabled, trap packets with an - # RFC1918 destination - # - if [ -n "$MANGLE_ENABLED" ]; then + + if [ -n "$CONNTRACK_MATCH" ]; then + # + # We have connection tracking match -- match on the original destination + # + run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target + elif [ -n "$MANGLE_ENABLED" ]; then + # + # No connection tracking match but we have mangling -- add a rule to + # the mangle table + # run_iptables2 -t mangle -A man1918 -d $subnet -j $target fi done < $TMP_DIR/rfc1918 @@ -3649,7 +3707,7 @@ add_common_rules() { run_iptables -A $chain -m state --state NEW -j rfc1918 done - [ -n "$MANGLE_ENABLED" ] && \ + [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 done @@ -4512,8 +4570,6 @@ do_initialize() { LOGRATE= LOGBURST= LOGPARMS= - NAT_ENABLED= - MANGLE_ENABLED= ADD_IP_ALIASES= ADD_SNAT_ALIASES= TC_ENABLED= @@ -4523,7 +4579,6 @@ do_initialize() { CLAMPMSS= ROUTE_FILTER= NAT_BEFORE_RULES= - MULTIPORT= DETECT_DNAT_IPADDRS= MUTEX_TIMEOUT= NEWNOTSYN= 
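Review bot: In the `@@ -3635` hunk, when neither CONNTRACK_MATCH nor MANGLE_ENABLED is set the loop emits only the `-s $subnet` rule, so RFC1918 destination filtering is silently dropped; now that both facilities are detected rather than configured, a host lacking both loses the norfc1918 destination check without any message in the start output. A one-time notice before the loop that reads `$TMP_DIR/rfc1918`, e.g. `[ -n "$CONNTRACK_MATCH" -o -n "$MANGLE_ENABLED" ] || echo "Warning: no conntrack match and no mangle table -- RFC1918 destination filtering is disabled"`, would make the degraded ruleset visible to the administrator. The condition `-n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH"` is now written twice in this function (the `@@ -3611` and `@@ -3649` hunks); computing it once into a variable such as `use_man1918` keeps the man1918 chain creation and the PREROUTING jump from drifting apart. add_common_rules starts before the first hunk and continues past the last one.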
@@ -4587,8 +4642,6 @@ do_initialize() { ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" [ -n "$ALLOWRELATED" ] || \ startup_error "ALLOWRELATED=No is not supported" - NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`" - MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`" ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`" TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`" @@ -4620,7 +4673,6 @@ do_initialize() { ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES` ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER` NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` - MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` [ -n "$FORWARDPING" ] && \ @@ -4691,6 +4743,11 @@ do_initialize() { # strip_file interfaces strip_file hosts + # + # Determine the capabilities of the installed iptables/netfilter + # + determine_capabilities + } # diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 51805f2f7..34cf15b78 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,4 +1,4 @@ -This is a minor release of Shorewall. +This is a snapshot release of Shorewall. Problems Corrected: @@ -6,6 +6,15 @@ Problems Corrected: errors when started using the "service" mechanism has been worked around. +2) A problem introduced in earlier snapshots has been corrected. This + problem caused incorrect netfilter rules to be created when the + destination zone in a rule was qualified by an address in CIDR + format. + + Example: + + ACCEPT fw net:206.124.146.0/24 tcp pop3 + New Features: 1) A 'newnotsyn' interface option has been added. This option may be 
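Review bot: The `@@ -4691` hunk calls determine_capabilities unconditionally, which overwrites NAT_ENABLED, MANGLE_ENABLED and MULTIPORT, but an existing shorewall.conf that still sets them (this diff only removes them from the shipped file) gets no notice that its values are ignored; in particular a site that kept the shipped `MULTIPORT=No` now gets multiport rules as soon as the kernel supports them. If the configuration has already been sourced at this point — the removed `added_param_value_yes NAT_ENABLED $NAT_ENABLED` line in the `@@ -4587` hunk suggests it has — a check just before the call, `[ -n "$NAT_ENABLED$MANGLE_ENABLED$MULTIPORT" ] && echo "Warning: NAT_ENABLED, MANGLE_ENABLED and MULTIPORT in shorewall.conf are obsolete and ignored"`, tells the administrator which settings no longer take effect. do_initialize starts before these hunks.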
@@ -19,10 +28,56 @@ New Features: 3) Shorewall can now add IP addresses to subnets other than the first one on an interface. -4) DNAT[-] rules may now be used to round-robin over a set of - servers. Up to 256 servers may be specified in a range of addresses - given as -. +4) DNAT[-] rules may now be used to load balance (round-robin) over a + set of servers. Up to 256 servers may be specified in a range of + addresses given as -. Example: - DNAT net loc:192.168.10.2-192.168.10.5 tcp 80 \ No newline at end of file + DNAT net loc:192.168.10.2-192.168.10.5 tcp 80 + + Note that this capability has previously been available using a + combination of a DNAT- rule and one or more ACCEPT rules. That + technique is still preferable for load-balancing over a large number + of servers (> 16) since specifying a range in the DNAT rule causes + one filter table ACCEPT rule to be generated for each IP address in + the range. + +5) The NAT_ENABLED and MANGLE_ENABLED configuration options have been + removed and have been replaced by code that detects whether these + capabilities are present in the current kernel. The output of the + start, restart and check commands have been enhanced to report the + outcome: + + Shorewall has detected the following iptables/netfilter capabilities: + NAT: Available + Packet Mangling: Available + Verifying Configuration... + +6) Support for the Connection Tracking Match Extension has been + added. This extension is available in recent kernel/iptables + releases and allows for rules which match against elements in + netfilter's connection tracking table. + + Shorewall automatically detects the availability of this extension + and reports its availability in the output of the start, restart and + check commands. + + Shorewall has detected the following iptables/netfilter capabilities: + NAT: Available + Packet Mangling: Available + Connection Tracking Match: Available + Verifying Configuration... 
+ + If this extension is available, the ruleset generated by Shorewall + is changed in the following ways: + + a) To handle 'norfc1918' filtering, Shorewall will not create chains + in the mangle table but will rather do all 'norfc1918' filtering in + the filter table (rfc1918 chain). + + b) Recall that Shorewall DNAT rules generate two netfilter rules; + one in the nat table and one in the filter table. If the Connection + Tracking Match Extension is available, the rule in the filter table + is extended to check that the original destination address was the + same as specified (or defaulted to) in the DNAT rule. diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 76ff593f1..278271ac5 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf @@ -230,24 +230,6 @@ MODULESDIR= # FW=fw -# -# ENABLE NAT SUPPORT -# -# You probally want yes here. Only gateways not doing NAT in any form, like -# SNAT,DNAT masquerading, port forwading etc. should say "no" here. -# -NAT_ENABLED=Yes - -# -# ENABLE MANGLE SUPPORT -# -# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file -# and will not initialize the mangle table when starting or stopping -# your firewall. You must enable mangling if you want Traffic Shaping -# (see TC_ENABLED below). -# -MANGLE_ENABLED=Yes - # # ENABLE IP FORWARDING # 
@@ -378,26 +360,6 @@ ROUTE_FILTER=No NAT_BEFORE_RULES=Yes -# MULTIPORT support -# -# If your kernel includes the multiport match option -# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this -# option is enabled by setting it's value to "Yes" or "yes": -# -# 1) If you list more that 15 ports in a comma-seperated list in -# /etc/shorewall/rules, Shorewall will not use the multiport option -# but will generate a separate rule for each element of each port -# list. -# 2) If you include a port range (:) in the -# rule, Shorewall will not use the multiport option but will generate -# a separate rule for each element of each port list. -# -# See the /etc/shorewall/rules file for additional information on this option. -# -# if this variable is not set or is set to the empty value, "No" is assumed. - -MULTIPORT=No - # DNAT IP ADDRESS DETECTION # # Normally when Shorewall encounters the following rule: