holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add Conntrack Match Capability

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@618 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-06-27 21:02:52 +00:00
parent f562fa4836
commit 7a2cad4d07
3 changed files with 142 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
Shorewall/firewall
View File

@ -1693,14 +1693,16 @@ check_config() {
disclaimer() { disclaimer() {
echo echo
echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM" echo "Notice: The 'check' command is unsupported and problem"
echo " REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH" echo " reports complaining about errors that it didn't catch"
echo " WILL NOT BE ACCEPTED" echo " will not be accepted"
echo echo
} }
disclaimer disclaimer
report_capabilities
echo "Verifying Configuration..." echo "Verifying Configuration..."
verify_os_version verify_os_version
@ -2108,13 +2110,25 @@ add_a_rule()
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
if [ -n "$serv" ]; then if [ -n "$serv" ]; then
for srv in `ip_range $serv`; do for srv in `ip_range $serv`; do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
log_rule $loglevel $chain $logtarget \ for adr in $addr; do
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports` if [ -n "$loglevel" -a -z "$natrule" ]; then
fi log_rule $loglevel $chain $logtarget -m conntrack --ctorigdst $adr \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \ run_iptables2 -A $chain $proto $multiport $state $cli $sports \
-d $srv $dports -j $target -d $srv $dports -m conntrack --ctorigdst $adr -j $target
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
-d $srv $dports -j $target
fi
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
@ -3325,6 +3339,41 @@ verify_ip() {
startup_error "Shorewall $version requires the iproute package ('ip' utility)" startup_error "Shorewall $version requires the iproute package ('ip' utility)"
} }
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -F fooX1234
qt iptables -X fooX1234
fi
}
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
{
local setting=
[ $1 = "Yes" ] && { setting="Available"; shift; } || setting="Not available"
echo " " $@: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT"
report_capability $MANGLE_ENABLED "Packet Mangling"
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
}
# #
# Perform Initialization # Perform Initialization
# - Delete all old rules # - Delete all old rules
@ -3335,6 +3384,8 @@ verify_ip() {
# #
initialize_netfilter () { initialize_netfilter () {
report_capabilities
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
@ -3611,11 +3662,12 @@ add_common_rules() {
run_iptables -A logdrop -j DROP run_iptables -A logdrop -j DROP
if [ -n "$MANGLE_ENABLED" ]; then if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
# #
# Mangling is enabled -- create a chain in the mangle table to # Mangling is enabled but conntrack match isn't available --
# filter RFC1918 destination addresses. This must be done in the # create a chain in the mangle table to filter RFC1918 destination
# mangle table before we apply any DNAT rules in the nat table # addresses. This must be done in the mangle table before we apply
# any DNAT rules in the nat table
# #
# Also add a chain to log and drop any RFC1918 packets that we find # Also add a chain to log and drop any RFC1918 packets that we find
# #
@ -3635,11 +3687,17 @@ add_common_rules() {
esac esac
run_iptables2 -A rfc1918 -s $subnet -j $target run_iptables2 -A rfc1918 -s $subnet -j $target
#
# If packet mangling is enabled, trap packets with an if [ -n "$CONNTRACK_MATCH" ]; then
# RFC1918 destination #
# # We have connection tracking match -- match on the original destination
if [ -n "$MANGLE_ENABLED" ]; then #
run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
elif [ -n "$MANGLE_ENABLED" ]; then
#
# No connection tracking match but we have mangling -- add a rule to
# the mangle table
#
run_iptables2 -t mangle -A man1918 -d $subnet -j $target run_iptables2 -t mangle -A man1918 -d $subnet -j $target
fi fi
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
@ -3649,7 +3707,7 @@ add_common_rules() {
run_iptables -A $chain -m state --state NEW -j rfc1918 run_iptables -A $chain -m state --state NEW -j rfc1918
done done
[ -n "$MANGLE_ENABLED" ] && \ [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
done done
@ -4512,8 +4570,6 @@ do_initialize() {
LOGRATE= LOGRATE=
LOGBURST= LOGBURST=
LOGPARMS= LOGPARMS=
NAT_ENABLED=
MANGLE_ENABLED=
ADD_IP_ALIASES= ADD_IP_ALIASES=
ADD_SNAT_ALIASES= ADD_SNAT_ALIASES=
TC_ENABLED= TC_ENABLED=
@ -4523,7 +4579,6 @@ do_initialize() {
CLAMPMSS= CLAMPMSS=
ROUTE_FILTER= ROUTE_FILTER=
NAT_BEFORE_RULES= NAT_BEFORE_RULES=
MULTIPORT=
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
NEWNOTSYN= NEWNOTSYN=
@ -4587,8 +4642,6 @@ do_initialize() {
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
[ -n "$ALLOWRELATED" ] || \ [ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported" startup_error "ALLOWRELATED=No is not supported"
NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`" ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`" TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"
@ -4620,7 +4673,6 @@ do_initialize() {
ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES` ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES`
ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER` ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
[ -n "$FORWARDPING" ] && \ [ -n "$FORWARDPING" ] && \
@ -4691,6 +4743,11 @@ do_initialize() {
# #
strip_file interfaces strip_file interfaces
strip_file hosts strip_file hosts
#
# Determine the capabilities of the installed iptables/netfilter
#
determine_capabilities
} }
# #

65
Shorewall/releasenotes.txt
View File

@ -1,4 +1,4 @@
This is a minor release of Shorewall. This is a snapshot release of Shorewall.
Problems Corrected: Problems Corrected:
@ -6,6 +6,15 @@ Problems Corrected:
errors when started using the "service" mechanism has been worked errors when started using the "service" mechanism has been worked
around. around.
2) A problem introduced in earlier snapshots has been corrected. This
problem caused incorrect netfilter rules to be created when the
destination zone in a rule was qualified by an address in CIDR
format.
Example:
ACCEPT fw net:206.124.146.0/24 tcp pop3
New Features: New Features:
1) A 'newnotsyn' interface option has been added. This option may be 1) A 'newnotsyn' interface option has been added. This option may be
@ -19,10 +28,56 @@ New Features:
3) Shorewall can now add IP addresses to subnets other than the first 3) Shorewall can now add IP addresses to subnets other than the first
one on an interface. one on an interface.
4) DNAT[-] rules may now be used to round-robin over a set of 4) DNAT[-] rules may now be used to load balance (round-robin) over a
servers. Up to 256 servers may be specified in a range of addresses set of servers. Up to 256 servers may be specified in a range of
given as <first address>-<last address>. addresses given as <first address>-<last address>.
Example: Example:
DNAT net loc:192.168.10.2-192.168.10.5 tcp 80 DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
Note that this capability has previously been available using a
combination of a DNAT- rule and one or more ACCEPT rules. That
technique is still preferable for load-balancing over a large number
of servers (> 16) since specifying a range in the DNAT rule causes
one filter table ACCEPT rule to be generated for each IP address in
the range.
5) The NAT_ENABLED and MANGLE_ENABLED configuration options have been
removed and have been replaced by code that detects whether these
capabilities are present in the current kernel. The output of the
start, restart and check commands have been enhanced to report the
outcome:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Verifying Configuration...
6) Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in
netfilter's connection tracking table.
Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and
check commands.
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Connection Tracking Match: Available
Verifying Configuration...
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:
a) To handle 'norfc1918' filtering, Shorewall will not create chains
in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).
b) Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table
is extended to check that the original destination address was the
same as specified (or defaulted to) in the DNAT rule.

38
Shorewall/shorewall.conf
View File

@ -230,24 +230,6 @@ MODULESDIR=
# #
FW=fw FW=fw
#
# ENABLE NAT SUPPORT
#
# You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
#
NAT_ENABLED=Yes
#
# ENABLE MANGLE SUPPORT
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED=Yes
# #
# ENABLE IP FORWARDING # ENABLE IP FORWARDING
# #
@ -378,26 +360,6 @@ ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes NAT_BEFORE_RULES=Yes
# MULTIPORT support
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
# option is enabled by setting it's value to "Yes" or "yes":
#
# 1) If you list more that 15 ports in a comma-seperated list in
# /etc/shorewall/rules, Shorewall will not use the multiport option
# but will generate a separate rule for each element of each port
# list.
# 2) If you include a port range (<low port>:<high port>) in the
# rule, Shorewall will not use the multiport option but will generate
# a separate rule for each element of each port list.
#
# See the /etc/shorewall/rules file for additional information on this option.
#
# if this variable is not set or is set to the empty value, "No" is assumed.
MULTIPORT=No
# DNAT IP ADDRESS DETECTION # DNAT IP ADDRESS DETECTION
# #
# Normally when Shorewall encounters the following rule: # Normally when Shorewall encounters the following rule: