forked from extern/shorewall_code
Bring trunk up to date with 4.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7376 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
6dd163b0fe
commit
7a96b07e81
@ -12,6 +12,31 @@ Changes in 4.0.4
|
||||
|
||||
6) Make compile-time check for iptables-restore.
|
||||
|
||||
7) Fix dup chain name test for actions.
|
||||
|
||||
8) Improve KLUDGEFREE detection.
|
||||
|
||||
9) Remove unused functions from Chains module.
|
||||
|
||||
10) Allow 'TC_ENABLED=internal' as specified (Only 'Internal' is
|
||||
currently allowed).
|
||||
|
||||
11) Correct 'loose' handling.
|
||||
|
||||
12) Correct handling of 'bridge' and accounting.
|
||||
|
||||
13) Fix SHOREWALL_DIR fiasco.
|
||||
|
||||
14) Avoid deleting wrong routing rule.
|
||||
|
||||
15) Allow provider number in route_rules with Shorewall-shell.
|
||||
|
||||
16) Add DELETE_THEN_ADD option.
|
||||
|
||||
17) Add warning about 'detectnets' going away.
|
||||
|
||||
18) Fix off-by-one bug in Tc.pm
|
||||
|
||||
Changes in 4.0.3
|
||||
|
||||
1) Streamline the checking for builtin chains in the accounting file.
|
||||
|
@ -424,8 +424,8 @@ delete_proxy_arp() {
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
interface=/proc/sys/net/ipv4/conf/$interface
|
||||
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
|
||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||
[ -f $f ] && echo 0 > $f
|
||||
done < ${VARDIR}/proxyarp
|
||||
fi
|
||||
|
||||
|
@ -1008,13 +1008,21 @@ determine_capabilities() {
|
||||
NFQUEUE_TARGET=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
|
||||
if qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT; then
|
||||
MULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
|
||||
fi
|
||||
|
||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
|
||||
if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
|
||||
PHYSDEV_MATCH=Yes
|
||||
if [ -z "${KLUDGEFREE}" ]; then
|
||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
|
||||
fi
|
||||
fi
|
||||
|
||||
if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
|
||||
|
@ -1745,7 +1745,7 @@ do_initialize() {
|
||||
OPTIMIZE=
|
||||
EXPORTPARAMS=
|
||||
KEEP_TC_RULES=
|
||||
|
||||
DELETE_THEN_ADD=
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -2021,6 +2021,7 @@ do_initialize() {
|
||||
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
|
||||
EXPORTPARAMS=$(added_param_value_yes EXPORTPARAMS $EXPORTPARAMS)
|
||||
KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES)
|
||||
DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD)
|
||||
|
||||
[ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
|
||||
|
||||
|
@ -1,4 +1,8 @@
|
||||
Shorewall 4.0 Patch release 4
|
||||
|
||||
WARNING: Suppport for the 'detectnets' option will be removed from
|
||||
Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
R E L E A S E 4 . 0 H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
@ -63,9 +67,103 @@ Problems Corrected in Shorewall 4.0.4
|
||||
iptables executable specified by IPTABLES in shorewall.conf or
|
||||
located by the PATH in the event that IPTABLES is not specified.
|
||||
|
||||
7) When using Shorewall-perl, if an action was invoked with more than
|
||||
10 different combinations of log-levels/tags, some of those
|
||||
invocations with have incorrect logging.
|
||||
|
||||
8) Previously, when 'shorewall restore' was executed, the
|
||||
iptables-restore utility was always located using the PATH setting
|
||||
rather than the IPTABLES setting.
|
||||
|
||||
With Shorewall-perl, the IPTABLES setting is now used to locate
|
||||
this utility during 'restore' as it is during the processing of
|
||||
other commands.
|
||||
|
||||
9) Although the shorewall.conf manpage indicates that the value
|
||||
'internal' is allowed for TC_ENABLED, that value was previously
|
||||
rejected ('Internal' was accepted).
|
||||
|
||||
10) The meaning of the 'loose' provider option was accidentally reversed
|
||||
in Shorewall-perl. Rather than causing certain routing rules to be
|
||||
omitted when specified, it actually caused them to be added (these
|
||||
rules were omitted when the option was NOT specified).
|
||||
|
||||
11) If the 'bridge' option was specified on an interface but there were
|
||||
no bport zones, then traffic originating on the firewall was not
|
||||
passed through the accounting chain.
|
||||
|
||||
12) In commands such as:
|
||||
|
||||
shorewall compile <directory>
|
||||
shorewall restart <directory>
|
||||
shorewall check <directory>
|
||||
|
||||
if the name of the <directory> contained a period ("."), then
|
||||
Shorewall-perl would incorrectly substitute the current working
|
||||
directory for the name.
|
||||
|
||||
13) Previously, if the following sequence of routing rules was
|
||||
specified, then the first rule would always be omitted.
|
||||
|
||||
#SOURCE DEST PROVIDER PRIORITY
|
||||
$SRC_A $DESTIP1 ISP1 1000
|
||||
$SRC_A $DESTIP2 SOMEISP 1000
|
||||
$SRC_A - ISP2 1000
|
||||
|
||||
The reason for this omission was that Shorewall uses a
|
||||
delete-before-add approach and attempting to delete the third rule
|
||||
resulted in the deletion of the first one instead.
|
||||
|
||||
This problem occurred with both compilers.
|
||||
|
||||
14) When using Shorewall-shell, provider numbers were not recognized in
|
||||
the PROVIDER column of /etc/shorewall/route_rules.
|
||||
|
||||
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
|
||||
rejected in the MARK column of /etc/shorewall/tcclasses.
|
||||
|
||||
Other Changes in Shorewall 4.0.4
|
||||
|
||||
None.
|
||||
1) The detection of 'Repeat Match' has been improved. 'Repeat Match'
|
||||
is not a match at all but rather is a feature of recent versions of
|
||||
iptables that allows a particular match to be used multiple times
|
||||
within a single rule.
|
||||
|
||||
Example:
|
||||
|
||||
-A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
|
||||
|
||||
When using Shorewall-shell, the availability of 'Repeat Match' can
|
||||
speed up compilation very slightly.
|
||||
|
||||
2) Apparently recent Fedora releases are broken. The
|
||||
following sequence of commands demonstrates the problem:
|
||||
|
||||
ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
|
||||
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
|
||||
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
|
||||
|
||||
The third command should fail but doesn't; instead, it incorrectly
|
||||
removes the rule added by the first command.
|
||||
|
||||
To work around this issue, you can set DELETE_THEN_ADD=No in
|
||||
shorewall.conf which prevents Shorewall from deleting ip rules
|
||||
before attempting to add a similar rule.
|
||||
|
||||
3) When using Shorewall-perl, the following message is now issued if
|
||||
the 'detectnets' option is specified in /etc/shorewall/interfaces:
|
||||
|
||||
WARNING: Support for the 'detectnets' option will be removed from
|
||||
Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians
|
||||
|
||||
The 'detect' options has always been rather silly. On input, it
|
||||
duplicates the function of 'routefilter'. On output, it is a no-op
|
||||
since traffic that doesn't match a route out of an interface won't
|
||||
be sent through that interface (duh!).
|
||||
|
||||
Beginning with Shorewall 4.0.5, the warning message will read:
|
||||
|
||||
WARNING: Support for the 'detectnets' option has been removed
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
|
@ -167,6 +167,8 @@ EXPAND_POLICIES=Yes
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
|
||||
%macros
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = '4.04';
|
||||
|
||||
#
|
||||
# Used Actions. Each action that is actually used has an entry with value 1.
|
||||
|
@ -59,7 +59,6 @@ our @EXPORT = qw( STANDARD
|
||||
add_command
|
||||
add_commands
|
||||
mark_referenced
|
||||
add_file
|
||||
add_rule
|
||||
insert_rule
|
||||
chain_base
|
||||
@ -371,32 +370,6 @@ sub mark_referenced( $ ) {
|
||||
$_[0]->{referenced} = 1;
|
||||
}
|
||||
|
||||
#
|
||||
# Copy a file into a chain's rules as a set of run-time commands
|
||||
#
|
||||
|
||||
sub add_file( $$ ) {
|
||||
my $chainref = $_[0];
|
||||
my $file = find_file $_[1];
|
||||
|
||||
if ( -f $file ) {
|
||||
open EF , '<', $file or fatal_error "Unable to open $file: $!";
|
||||
|
||||
add_commands( $chainref,
|
||||
qq(progress_message "Processing $file..."),
|
||||
'' );
|
||||
|
||||
while ( my $line = <EF> ) {
|
||||
chomp $line;
|
||||
add_command $chainref, $line;
|
||||
}
|
||||
|
||||
add_command $chainref, '';
|
||||
|
||||
close EF;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Add a rule to a chain. Arguments are:
|
||||
#
|
||||
@ -584,16 +557,6 @@ sub new_chain($$)
|
||||
cmdlevel => 0 };
|
||||
}
|
||||
|
||||
#
|
||||
# Create an anonymous chain
|
||||
#
|
||||
sub new_anon_chain( $ ) {
|
||||
my $chainref = $_[0];
|
||||
my $seq = $chainseq++;
|
||||
new_chain( $chainref->{table}, 'chain' . "$seq" );
|
||||
}
|
||||
|
||||
#
|
||||
#
|
||||
# Create a chain if it doesn't exist already
|
||||
#
|
||||
@ -1166,7 +1129,7 @@ sub get_set_flags( $$ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Match a Source. Currently only handles IP addresses and ranges
|
||||
# Match a Source. Handles IP addresses and ranges and MAC addresses
|
||||
#
|
||||
sub match_source_net( $ ) {
|
||||
my $net = $_[0];
|
||||
@ -1185,10 +1148,10 @@ sub match_source_net( $ ) {
|
||||
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
|
||||
} elsif ( $net =~ /^!/ ) {
|
||||
$net =~ s/!//;
|
||||
validate_net $net;
|
||||
validate_net $net, 1;
|
||||
"-s ! $net ";
|
||||
} else {
|
||||
validate_net $net;
|
||||
validate_net $net, 1;
|
||||
$net eq ALLIPv4 ? '' : "-s $net ";
|
||||
}
|
||||
}
|
||||
@ -1209,10 +1172,10 @@ sub match_dest_net( $ ) {
|
||||
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
|
||||
} elsif ( $net =~ /^!/ ) {
|
||||
$net =~ s/!//;
|
||||
validate_net $net;
|
||||
validate_net $net, 1;
|
||||
"-d ! $net ";
|
||||
} else {
|
||||
validate_net $net;
|
||||
validate_net $net, 1;
|
||||
$net eq ALLIPv4 ? '' : "-d $net ";
|
||||
}
|
||||
}
|
||||
@ -1228,10 +1191,10 @@ sub match_orig_dest ( $ ) {
|
||||
|
||||
if ( $net =~ /^!/ ) {
|
||||
$net =~ s/!//;
|
||||
validate_net $net;
|
||||
validate_net $net, 1;
|
||||
"-m conntrack --ctorigdst ! $net ";
|
||||
} else {
|
||||
validate_net $net;
|
||||
validate_net $net, 1;
|
||||
$net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net ";
|
||||
}
|
||||
}
|
||||
|
@ -328,8 +328,8 @@ EOF
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
interface=/proc/sys/net/ipv4/conf/$interface
|
||||
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
|
||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||
[ -f $f ] && echo 0 > $f
|
||||
done < ${VARDIR}/proxyarp
|
||||
fi
|
||||
|
||||
|
@ -322,6 +322,7 @@ sub initialize() {
|
||||
SHOREWALL_COMPILER => undef,
|
||||
EXPAND_POLICIES => undef,
|
||||
KEEP_RT_TABLES => undef,
|
||||
DELETE_THEN_ADD => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -1137,10 +1138,21 @@ sub determine_capabilities( $ ) {
|
||||
qt( "$iptables -N $sillyname" );
|
||||
|
||||
$capabilities{CONNTRACK_MATCH} = qt( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
|
||||
$capabilities{MULTIPORT} = qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" );
|
||||
|
||||
if ( qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
|
||||
$capabilities{MULTIPORT} = 1;
|
||||
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
|
||||
}
|
||||
|
||||
$capabilities{XMULTIPORT} = qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
|
||||
$capabilities{POLICY_MATCH} = qt( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
|
||||
$capabilities{PHYSDEV_MATCH} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" );
|
||||
|
||||
if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
|
||||
$capabilities{PHYSDEV_MATCH} = 1;
|
||||
unless ( $capabilities{KLUDGEFREE} ) {
|
||||
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
|
||||
}
|
||||
}
|
||||
|
||||
if ( qt( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
|
||||
$capabilities{IPRANGE_MATCH} = 1;
|
||||
@ -1254,7 +1266,7 @@ sub ensure_config_path() {
|
||||
}
|
||||
|
||||
if ( $shorewall_dir ) {
|
||||
$shorewall_dir = getcwd if $shorewall_dir =~ m|(\./*)+|;
|
||||
$shorewall_dir = getcwd if $shorewall_dir =~ m|^(\./*)+$|;
|
||||
$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
|
||||
unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
|
||||
$config{CONFIG_PATH} = join ':', @config_path;
|
||||
@ -1454,8 +1466,9 @@ sub get_configuration( $ ) {
|
||||
default_yes_no 'EXPORTPARAMS' , '';
|
||||
default_yes_no 'EXPAND_POLICIES' , '';
|
||||
default_yes_no 'KEEP_RT_TABLES' , '';
|
||||
default_yes_no 'DELETE_THEN_ADD' , 'Yes';
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
|
||||
|
||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||
|
||||
default 'BLACKLIST_DISPOSITION' , 'DROP';
|
||||
@ -1509,7 +1522,9 @@ sub get_configuration( $ ) {
|
||||
my $file = find_file 'tcstart';
|
||||
fatal_error "Unable to find tcstart file" unless -f $file;
|
||||
$globals{TC_SCRIPT} = $file;
|
||||
} elsif ( $val ne 'internal' ) {
|
||||
} elsif ( $val eq 'internal' ) {
|
||||
$config{TC_ENABLED} = 'Internal';
|
||||
} else {
|
||||
fatal_error "Invalid value ($config{TC_ENABLED}) for TC_ENABLED" unless $val eq 'no';
|
||||
$config{TC_ENABLED} = '';
|
||||
}
|
||||
|
@ -40,7 +40,7 @@ our @EXPORT = qw( ALLIPv4
|
||||
rfc1918_neworks
|
||||
);
|
||||
our @EXPORT_OK = qw( );
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = '4.04';
|
||||
|
||||
#
|
||||
# Some IPv4 useful stuff
|
||||
@ -63,16 +63,18 @@ sub valid_address( $ ) {
|
||||
1;
|
||||
}
|
||||
|
||||
sub validate_address( $ ) {
|
||||
my $addr = $_[0];
|
||||
sub validate_address( $$ ) {
|
||||
my ( $addr, $allow_name ) = @_;
|
||||
|
||||
unless ( valid_address $addr ) {
|
||||
fatal_error "Invalid IP Address ($addr)" unless $allow_name;
|
||||
fatal_error "Unknown Host ($addr)" unless defined gethostbyname $addr;
|
||||
}
|
||||
}
|
||||
|
||||
sub validate_net( $ ) {
|
||||
sub validate_net( $$ ) {
|
||||
my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
|
||||
my $allow_name = $_[1];
|
||||
|
||||
fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
|
||||
|
||||
@ -82,7 +84,7 @@ sub validate_net( $ ) {
|
||||
fatal_error "Invalid IP address ($net)" unless valid_address $net;
|
||||
} else {
|
||||
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
|
||||
validate_address $net;
|
||||
validate_address $net, $_[1];
|
||||
}
|
||||
}
|
||||
|
||||
@ -115,8 +117,8 @@ sub encodeaddr( $ ) {
|
||||
sub validate_range( $$ ) {
|
||||
my ( $low, $high ) = @_;
|
||||
|
||||
fatal_error "Invalid IP address ($low)" unless valid_address $low;
|
||||
fatal_error "Invalid IP address ($high)" unless valid_address $high;
|
||||
validate_address $low, 0;
|
||||
validate_address $high, 0;
|
||||
|
||||
my $first = decodeaddr $low;
|
||||
my $last = decodeaddr $high;
|
||||
@ -130,12 +132,12 @@ sub ip_range_explicit( $ ) {
|
||||
|
||||
my ( $low, $high ) = split /-/, $range;
|
||||
|
||||
fatal_error "Invalid IP address ($low)" unless valid_address $low;
|
||||
validate_address $low, 0;
|
||||
|
||||
push @result, $low;
|
||||
|
||||
if ( defined $high ) {
|
||||
fatal_error "Invalid IP address ($high)" unless valid_address $high;
|
||||
validate_address $high, 0;
|
||||
|
||||
my $first = decodeaddr $low;
|
||||
my $last = decodeaddr $high;
|
||||
@ -156,7 +158,7 @@ sub validate_host( $ ) {
|
||||
if ( $host =~ /^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) {
|
||||
validate_range $1, $2;
|
||||
} else {
|
||||
validate_net( $host );
|
||||
validate_net( $host, 0 );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -165,6 +165,8 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
|
||||
fatal_error "Duplicate provider ($table)" if $providers{$table};
|
||||
|
||||
$number = numeric_value $number;
|
||||
|
||||
for my $providerref ( values %providers ) {
|
||||
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
|
||||
}
|
||||
@ -207,7 +209,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
"fi\n" );
|
||||
$gateway = '$gateway';
|
||||
} elsif ( $gateway && $gateway ne '-' ) {
|
||||
validate_address $gateway;
|
||||
validate_address $gateway, 0;
|
||||
my $variable = get_interface_address $interface;
|
||||
emit "run_ip route replace $gateway src $variable dev $interface table $number";
|
||||
emit "run_ip route add default via $gateway dev $interface table $number";
|
||||
@ -234,18 +236,15 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
|
||||
}
|
||||
|
||||
my $pref = 10000 + $val;
|
||||
my $pref = 10000 + $number - 1;
|
||||
|
||||
emit ( "qt ip rule del fwmark $mark",
|
||||
"run_ip rule add fwmark $mark pref $pref table $number",
|
||||
emit ( "qt ip rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
|
||||
"echo \"qt ip rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
|
||||
);
|
||||
}
|
||||
|
||||
$providers{$table} = {};
|
||||
$providers{$table}{number} = $number;
|
||||
$providers{$table}{mark} = $val;
|
||||
|
||||
my ( $loose, $optional ) = (0,0);
|
||||
|
||||
unless ( $options eq '-' ) {
|
||||
@ -269,28 +268,30 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$providers{$table}{optional} = $optional;
|
||||
$providers{$table} = { number => $number , mark => $val , optional => $optional };
|
||||
|
||||
if ( $loose ) {
|
||||
if ( $config{DELETE_THEN_ADD} ) {
|
||||
emit ( "\nfind_interface_addresses $interface | while read address; do",
|
||||
' qt ip rule del from $address',
|
||||
'done'
|
||||
);
|
||||
}
|
||||
} else {
|
||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||
|
||||
emit "\nrulenum=0\n";
|
||||
|
||||
emit ( "find_interface_addresses $interface | while read address; do",
|
||||
' qt ip rule del from $address',
|
||||
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||
emit ( "find_interface_addresses $interface | while read address; do" );
|
||||
emit ( ' qt ip rule del from $address' ) if $config{DELETE_THEN_ADD};
|
||||
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||
' rulenum=$(($rulenum + 1))',
|
||||
'done'
|
||||
);
|
||||
} else {
|
||||
emit ( "\nfind_interface_addresses $interface | while read address; do",
|
||||
' qt ip rule del from $address',
|
||||
'done'
|
||||
);
|
||||
}
|
||||
|
||||
emit "\nprogress_message \" Provider $table ($number) Added\"\n";
|
||||
emit qq(\nprogress_message " Provider $table ($number) Added"\n);
|
||||
|
||||
emit ( "${provider}_is_up=Yes" ) if $optional;
|
||||
|
||||
@ -330,17 +331,25 @@ sub add_an_rtrule( $$$$ ) {
|
||||
|
||||
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
|
||||
|
||||
$dest = $dest eq '-' ? '' : "to $dest";
|
||||
|
||||
if ( $dest eq '-' ) {
|
||||
$dest = 'to ' . ALLIPv4;
|
||||
} else {
|
||||
validate_net( $dest, 0 );
|
||||
$dest = "to $dest";
|
||||
}
|
||||
|
||||
if ( $source eq '-' ) {
|
||||
$source = '';
|
||||
$source = 'from ' . ALLIPv4;
|
||||
} elsif ( $source =~ /:/ ) {
|
||||
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
|
||||
fatal_error "Invalid SOURCE" if defined $remainder;
|
||||
validate_net ( $source, 0 );
|
||||
$source = "iif $interface from $source";
|
||||
} elsif ( $source =~ /\..*\..*/ ) {
|
||||
$source = "from $source";
|
||||
} else {
|
||||
validate_net ( $source, 0 );
|
||||
$source = "iif $source";
|
||||
}
|
||||
|
||||
@ -348,7 +357,7 @@ sub add_an_rtrule( $$$$ ) {
|
||||
|
||||
$priority = "priority $priority";
|
||||
|
||||
emit ( "qt ip rule del $source $dest $priority" );
|
||||
emit ( "qt ip rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
my ( $base, $optional, $number ) = ( chain_base( $provider ), $providers{$provider}{optional} , $providers{$provider}{number} );
|
||||
|
||||
|
@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
|
||||
dump_rule_chains
|
||||
);
|
||||
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = '4.04';
|
||||
|
||||
#
|
||||
# Keep track of chains for the /var/lib/shorewall[-lite]/chains file
|
||||
@ -373,7 +373,7 @@ sub process_criticalhosts() {
|
||||
my @hosts;
|
||||
|
||||
for my $host ( split /,/, $hosts ) {
|
||||
validate_net $host;
|
||||
validate_net $host, 1;
|
||||
push @hosts, "$interface:$host";
|
||||
}
|
||||
|
||||
@ -419,7 +419,7 @@ sub process_routestopped() {
|
||||
my @hosts;
|
||||
|
||||
for my $host ( split /,/, $hosts ) {
|
||||
validate_net $host;
|
||||
validate_net $host, 1;
|
||||
push @hosts, "$interface:$host";
|
||||
}
|
||||
|
||||
@ -1399,10 +1399,10 @@ sub process_rules() {
|
||||
}
|
||||
|
||||
#
|
||||
# To quote an old comment, "generate_matrix makes a sows ear out of a silk purse".
|
||||
# To quote an old comment, "generate_matrix makes a sow's ear out of a silk purse".
|
||||
#
|
||||
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
|
||||
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this functions and the rules that it generates.
|
||||
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
|
||||
#
|
||||
# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
|
||||
#
|
||||
|
@ -274,17 +274,16 @@ sub process_tc_rule( $$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( ( my $result = expand_rule(
|
||||
ensure_chain( 'mangle' , $chain ) ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
"-j $target $mark" ,
|
||||
'' ,
|
||||
'' ,
|
||||
'' ) )
|
||||
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) . do_tos( $tos ) ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
"-j $target $mark" ,
|
||||
'' ,
|
||||
'' ,
|
||||
'' ) )
|
||||
&& $device ) {
|
||||
#
|
||||
# expand_rule() returns destination device if any
|
||||
@ -316,7 +315,7 @@ sub calculate_r2q( $ ) {
|
||||
sub calculate_quantum( $$ ) {
|
||||
my ( $rate, $r2q ) = @_;
|
||||
$rate = rate_to_kbit $rate;
|
||||
eval "int( ( $rate * 125 ) / $r2q )";
|
||||
int( ( $rate * 125 ) / $r2q );
|
||||
}
|
||||
|
||||
sub validate_tc_device( $$$ ) {
|
||||
@ -325,12 +324,9 @@ sub validate_tc_device( $$$ ) {
|
||||
fatal_error "Duplicate device ($device)" if $tcdevices{$device};
|
||||
fatal_error "Invalid device name ($device)" if $device =~ /[:+]/;
|
||||
|
||||
rate_to_kbit $inband;
|
||||
rate_to_kbit $outband;
|
||||
|
||||
$tcdevices{$device} = {};
|
||||
$tcdevices{$device}{in_bandwidth} = $inband;
|
||||
$tcdevices{$device}{out_bandwidth} = $outband;
|
||||
$tcdevices{$device}{in_bandwidth} = rate_to_kbit( $inband ) . 'kbit';
|
||||
$tcdevices{$device}{out_bandwidth} = rate_to_kbit( $outband ) . 'kbit';
|
||||
|
||||
push @tcdevices, $device;
|
||||
|
||||
@ -366,7 +362,7 @@ sub validate_tc_class( $$$$$$ ) {
|
||||
$tcclasses{$device} = {} unless $tcclasses{$device};
|
||||
my $tcref = $tcclasses{$device};
|
||||
|
||||
fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ && numeric_value( $mark ) < 0xff;
|
||||
fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ && numeric_value( $mark ) <= 0xff;
|
||||
|
||||
my $markval = numeric_value( $mark );
|
||||
fatal_error "Duplicate Mark ($mark)" if $tcref->{$markval};
|
||||
|
@ -64,7 +64,7 @@ our @EXPORT = qw( NOTHING
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.03';
|
||||
our $VERSION = '4.04';
|
||||
|
||||
#
|
||||
# IPSEC Option types
|
||||
@ -132,7 +132,7 @@ our %reservedName = ( all => 1,
|
||||
#
|
||||
our @interfaces;
|
||||
our %interfaces;
|
||||
our @bridges;
|
||||
our @bport_zones;
|
||||
|
||||
#
|
||||
# Initialize globals -- we take this novel approach to globals initialization to allow
|
||||
@ -150,7 +150,7 @@ sub initialize() {
|
||||
|
||||
@interfaces = ();
|
||||
%interfaces = ();
|
||||
@bridges = ();
|
||||
@bport_zones = ();
|
||||
}
|
||||
|
||||
INIT {
|
||||
@ -283,6 +283,7 @@ sub determine_zones()
|
||||
} elsif ( $type =~ /^bport4?$/i ) {
|
||||
warning_message "Bridge Port zones should have a parent zone" unless @parents;
|
||||
$type = 'bport4';
|
||||
push @bport_zones, $zone;
|
||||
} elsif ( $type eq 'firewall' ) {
|
||||
fatal_error 'Firewall zone may not be nested' if @parents;
|
||||
fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
|
||||
@ -746,7 +747,6 @@ sub validate_interfaces_file( $ )
|
||||
if ( $options{bridge} ) {
|
||||
require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
|
||||
fatal_error "Bridges may not have wildcard names" if $wildcard;
|
||||
push @bridges, $interface;
|
||||
}
|
||||
} elsif ( $port ) {
|
||||
$options{port} = 1;
|
||||
@ -759,6 +759,7 @@ sub validate_interfaces_file( $ )
|
||||
my @networks;
|
||||
|
||||
if ( $options{detectnets} ) {
|
||||
warning_message "Support for the 'detectnets' option will be removed from Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians'";
|
||||
fatal_error "The 'detectnets' option is not allowed on a multi-zone interface" unless $zone;
|
||||
fatal_error "The 'detectnets' option may not be used with a wild-card interface name" if $wildcard;
|
||||
fatal_error "The 'detectnets' option may not be used with the '-e' compiler option" if $export;
|
||||
@ -844,10 +845,10 @@ sub find_interface( $ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Returns true if there are bridges defined in the config
|
||||
# Returns true if there are bridge port zones defined in the config
|
||||
#
|
||||
sub have_bridges() {
|
||||
@bridges > 0;
|
||||
@bport_zones > 0;
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -6,8 +6,8 @@ delete_proxyarp() {
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
|
||||
interface=/proc/sys/net/ipv4/conf/$interface
|
||||
[ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
|
||||
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||
[ -f $f ] && echo 0 > $f
|
||||
done < ${VARDIR}/proxyarp
|
||||
fi
|
||||
|
||||
|
@ -178,8 +178,8 @@ __EOF__
|
||||
|
||||
eval ${table}_mark=$mark
|
||||
|
||||
[ -n "$DELETE_THEN_ADD" ] && qt ip rule del fwmark $mark
|
||||
indent >&3 << __EOF__
|
||||
qt ip rule del fwmark $mark
|
||||
run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number
|
||||
echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing
|
||||
__EOF__
|
||||
@ -225,13 +225,17 @@ __EOF__
|
||||
rulenum=0
|
||||
|
||||
find_interface_addresses $interface | while read address; do
|
||||
qt ip rule del from \$address
|
||||
__EOF__
|
||||
|
||||
[ -n "$DELETE_THEN_ADD" ] && save_command " qt ip rule del from \$address"
|
||||
|
||||
indent >&3 << __EOF__
|
||||
run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number
|
||||
echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing
|
||||
rulenum=\$((\$rulenum + 1))
|
||||
done
|
||||
__EOF__
|
||||
else
|
||||
elif [ -n "$DELETE_THEN_ADD" ]; then
|
||||
indent >&3 << __EOF__
|
||||
|
||||
find_interface_addresses $interface | while read address; do
|
||||
@ -269,7 +273,7 @@ __EOF__
|
||||
|
||||
for p in $PROVIDERS main; do
|
||||
[ "$p" = "$1" ] && return 0
|
||||
eval n=\$${p}_number}
|
||||
eval n=\$${p}_number
|
||||
[ "$n" = "$1" ] && return 0
|
||||
done
|
||||
|
||||
@ -285,17 +289,23 @@ __EOF__
|
||||
|
||||
[ -n "${source}${dest}" ] || fatal_error "You must specify either the source or destination in an rt rule: \"$rule\""
|
||||
|
||||
[ -n "$source" ] && case $source in
|
||||
*:*)
|
||||
source="iif ${source%:*} from ${source#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
source="from $source"
|
||||
;;
|
||||
*)
|
||||
source="iif $source"
|
||||
;;
|
||||
esac
|
||||
[ -n "${dest:=to 0.0.0.0/0}" ]
|
||||
|
||||
if [ -n "$source" ]; then
|
||||
case $source in
|
||||
*:*)
|
||||
source="iif ${source%:*} from ${source#*:}"
|
||||
;;
|
||||
*.*.*)
|
||||
source="from $source"
|
||||
;;
|
||||
*)
|
||||
source="iif $source"
|
||||
;;
|
||||
esac
|
||||
else
|
||||
source='from 0.0.0.0/0'
|
||||
fi
|
||||
|
||||
case "$priority" in
|
||||
[0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9])
|
||||
@ -307,7 +317,7 @@ __EOF__
|
||||
|
||||
priority="priority $priority"
|
||||
|
||||
save_command "qt ip rule del $source $dest $priority"
|
||||
[ -n "$DELETE_THEN_ADD" ] && save_command "qt ip rule del $source $dest $priority"
|
||||
save_command "run_ip rule add $source $dest $priority table $provider"
|
||||
indent >&3 << __EOF__
|
||||
echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing
|
||||
|
@ -20,7 +20,7 @@
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
# This module provides interfaces for dealing with IPv4 addresses.
|
||||
# This module provides interfaces for dealing with IPv6 addresses.
|
||||
#
|
||||
package Shorewall::IPAddrs;
|
||||
require Exporter;
|
||||
|
Loading…
Reference in New Issue
Block a user