From 7ddf61f0b3fcb450ae7b1228db5880ec574d83a3 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 16 May 2004 17:52:54 +0000 Subject: [PATCH] Shorewall 2.0.2a plus restore tweaks git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1332 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 63 +--------- Shorewall2/fallback.sh | 2 +- Shorewall2/firewall | 95 ++++++++------- Shorewall2/functions | 49 ++++++++ Shorewall2/install.sh | 2 +- Shorewall2/releasenotes.txt | 227 ++---------------------------------- Shorewall2/shorewall | 2 +- Shorewall2/shorewall.spec | 4 +- Shorewall2/uninstall.sh | 2 +- 9 files changed, 122 insertions(+), 324 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 7d9d10013..99cea9575 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt 
@@ -1,61 +1,8 @@ -Changes since 2.0.1 +Changes since 2.0.2 -1) Reformat the code in define_firewall(). +1) Remove restore files; don't generate them for non-statechanging + commands. -2) Reimplement dynamic zones. +2) Restore file now loads kernel modules. -3) Tweak new dynamic zone implementation. - -4) Implement CONFIG_PATH. - -5) Apply Stijn Jonker's fix for CONFIG_PATH. - -6) Restore logic to make 'find_file' check for SHOREWALL_DIR separately. - -7) Allow CONFIG_PATH to be inherited. - -8) Fix ensure_config_path call. - -9) Make LOCAL and ALL INTERFACES independent in the nat file. - -10) Add "ko.gz" to the vast list of module suffixes that distributions - have invented. - -11) Update the bogons file - -12) Added example for log rate limiting knobs in shorewall.conf. - -13) Fix init.debian.sh. - -14) Implement the -q option. - -15) Add saved configuration support (iptables-save/iptables-restore - integration). - -16) Use modprobe if it is available. - -17) Lots of fixes to 'save' - -18) 'shorewall forget' - -19) SNAT/MASQUERADE by proto/port(s) - -20) Shorewall 2.0.2 Beta 1 changes. - -21) Fix ALL INTERFACES column parsing. - -22) Correct "shorewall delete" processing. - -23) Apply Alex Wilms's patch for install.sh - -24) Add ACCEPT+ and NONAT targets. - -25) Added 'initialized' extension script. - -26) Renamed 'initialized' to 'initdone' - -27) Applied Stijn Jonker's fix for "shorewall add" - -28) Correct typo that broke "shorewall delete" - -29) Apply Stijn Jonker's -q fix. +3) Minor tweaks to the restore mechanism. \ No newline at end of file diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh index 3b6886011..dc08c193c 100755 --- a/Shorewall2/fallback.sh +++ b/Shorewall2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.0.2 +VERSION=2.0.2a usage() # $1 = exit status { diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 469074252..3716449d9 100755 
--- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -87,6 +87,7 @@ startup_error() # $* = Error Message echo " Error: $@" >&2 my_mutex_off [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + rm -f /var/lib/shorewall/restore-$$ kill $$ exit 2 } @@ -135,9 +136,9 @@ ensure_and_save_command() # Append a file to /var/lib/shorewall/restore-$$ # append_file() { - save_command "cat > $STATEDIR/$1 << EOF" + save_command "cat > $STATEDIR/$1 << __EOF__" cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$ - save_command EOF + save_command __EOF__ } # @@ -1177,6 +1178,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING # setup_forwarding() { + + save_command "echo Restoring IP Forwarding..." + case "$IP_FORWARDING" in [Oo][Nn]) run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" @@ -1197,6 +1201,7 @@ disable_ipv6() { if [ -n "$foo" ]; then if qt which ip6tables; then + save_command "echo Disabling IPV6..." ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP @@ -1213,6 +1218,9 @@ stop_firewall() { # # Turn off trace unless we were tracing "stop" or "clear" # + + rm -f /var/lib/shorewall/restore-$$ + case $COMMAND in stop|clear) ;; @@ -1222,8 +1230,6 @@ stop_firewall() { ;; *) set +x - rm -f /var/lib/shorewall/restore-$$ - if [ -f /var/lib/shorewall/restore ]; then echo Restoring Shorewall... . /var/lib/shorewall/restore @@ -1638,6 +1644,8 @@ setup_proxy_arp() { > ${STATEDIR}/proxyarp + save_command "echo Restoring Proxy ARP..." + while read address interface external haveroute persistent; do expandv address interface external haveroute persistent setup_one_proxy_arp 
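Review bot: The here-document opened by `save_command "cat > $STATEDIR/$1 << __EOF__"` in append_file keeps the delimiter unquoted, so when /var/lib/shorewall/restore is later sourced the shell applies parameter expansion, command substitution and backslash processing to the copied state file before writing it back, and any `$`, backquote or backslash in a $STATEDIR file is altered on restore. Renaming EOF to __EOF__ only avoids a collision with a literal EOF line; quoting the delimiter yields a verbatim copy: `save_command "cat > $STATEDIR/$1 << '__EOF__'"` (the closing `save_command __EOF__` stays as it is). The same applies to `save_command 'iptables-restore << __EOF__'` in the define_firewall hunk and to `reload_kernel_modules <<__EOF__` in the load_kernel_modules hunk, unless those bodies are intended to be re-expanded at restore time. The closing `__EOF__` that `shorewall save` appends still terminates a quoted here-document, so that side needs no change.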
@@ -1838,6 +1846,8 @@ setup_nat() { # > ${STATEDIR}/nat + save_command "echo Restoring one-to-one NAT..." + while read external interface internal allints localnat; do expandv external interface internal allints localnat @@ -2093,6 +2103,8 @@ setup_tc1() { run_iptables -t mangle -A OUTPUT -j tcout run_user_exit tcstart + + save_command "echo Restoring Traffic Control..." save_command . $(find_file tcstart) } @@ -2325,6 +2337,7 @@ check_config() { process_actions2 rm -rf $TMP_DIR + rm -f /var/lib/shorewall/restore-$$ echo "Configuration Validated" @@ -3842,42 +3855,6 @@ process_tos() # $1 = name of tos file run_iptables -t mangle -A OUTPUT -j outtos } -# -# Load a Kernel Module -# -loadmodule() # $1 = module name, $2 - * arguments -{ - local modulename=$1 - local modulefile - local suffix - moduleloader=modprobe - - if ! qt which modprobe; then - moduleloader=insmod - fi - - if [ -z "$(lsmod | grep $modulename)" ]; then - shift - - for suffix in $MODULE_SUFFIX ; do - modulefile=$MODULESDIR/${modulename}.${suffix} - - if [ -f $modulefile ]; then - case $moduleloader in - insmod) - insmod $modulefile $* - ;; - *) - modprobe $modulename - ;; - esac - - return - fi - done - fi -} - # # Display elements of a list with leading white space # @@ -4318,7 +4295,7 @@ setup_masq() strip_file masq $1 - [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" + [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_command "echo Restoring Masquerading/SNAT..." while read fullinterface networks addresses proto ports; do expandv fullinterface networks addresses proto ports @@ -4540,6 +4517,8 @@ add_ip_aliases() set -- $aliases_to_add + save_command "echo Restoring IP Addresses..." + while [ $# -gt 0 ]; do external=$1 interface=$2 
@@ -4570,6 +4549,22 @@ load_kernel_modules() { if [ -f $modules -a -d $MODULESDIR ]; then echo "Loading Modules..." . $modules + + if [ "$command" != check ]; then + + save_command "echo Loading kernel modules..." + save_command "reload_kernel_modules <<__EOF__" + + while read command; do + case "$command" in + loadmodule*) + save_command $command + ;; + esac + done < $modules + + save_command __EOF__ + fi fi } @@ -5033,6 +5028,8 @@ add_common_rules() { # # ARP Filtering # + save_command "echo Restoring ARP filtering..." + for f in /proc/sys/net/ipv4/conf/*/arp_filter; do run_and_save_command "echo 0 > $f" done @@ -5060,6 +5057,8 @@ add_common_rules() { if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then echo "Setting up Kernel Route Filtering..." + save_command "echo Restoring Route Filtering..." + for f in /proc/sys/net/ipv4/conf/*/rp_filter; do run_and_save_command "echo 0 > $f" done @@ -5420,6 +5419,14 @@ define_firewall() # $1 = Command (Start or Restart) verify_os_version verify_ip + + echo '#bin/sh' > /var/lib/shorewall/restore-$$ + save_command "# Restore base file generated $(date)" + save_command ". /usr/share/shorewall/functions" + + save_command "MODULESDIR=\"$MODULESDIR\"" + save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\"" + load_kernel_modules echo "Initializing..."; initialize_netfilter @@ -5472,7 +5479,9 @@ define_firewall() # $1 = Command (Start or Restart) save_command "date > $STATEDIR/restarted" - save_command 'iptables-restore << EOF' + save_command "echo Restoring Netfilter Configuration..." + + save_command 'iptables-restore << __EOF__' # 'shorewall save' appends the iptables-save output and 'EOF' @@ -6078,8 +6087,6 @@ do_initialize() { rm -f $TMP_DIR/physdev - echo '#bin/sh' > /var/lib/shorewall/restore-$$ - echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$ } # diff --git a/Shorewall2/functions b/Shorewall2/functions index a856a3d32..57f079376 100755 --- a/Shorewall2/functions +++ b/Shorewall2/functions 
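Review bot: In load_kernel_modules the new `while read command; do` loop reuses `command`, the variable tested by `[ "$command" != check ]` two lines earlier, so after the loop `command` holds the last line of $modules (or is empty) instead of the command being executed; if anything that runs after this function consults `$command`, it will see the wrong value. Reading into a distinct name with `-r` and quoting the value passed on avoids the clobber and keeps each line intact: `while read -r modline; do`, `case "$modline" in`, `save_command "$modline"`. As written, the unquoted `save_command $command` also lets any glob character in a modules line expand against the current directory before it is written to the restore file. load_kernel_modules begins before this hunk.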
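Review bot: In define_firewall the restore base is now created with `echo '#bin/sh' > /var/lib/shorewall/restore-$$` (moved from do_initialize), whose first line is not a shebang; `#!/bin/sh` was presumably intended, and while that is harmless as long as the file is only sourced with `.`, the save path does `chmod +x` on the result so it can be executed directly. Because this file is later sourced as root and its module section is evaluated by reload_kernel_modules, it should be created with a restrictive mode; the hunk shows no umask or chmod for restore-$$, so either the permissions of /var/lib/shorewall already exclude other users (not visible here) or a `umask 077` before the redirect is warranted. The values written by `save_command "MODULESDIR=\"$MODULESDIR\""` and the MODULE_SUFFIX line are expanded again when the restore file runs, so a value containing `$` or a double quote would be mangled; single-quoting them, `save_command "MODULESDIR='$MODULESDIR'"`, is safer if these can be set from shorewall.conf. define_firewall starts before and ends after this hunk.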
@@ -162,6 +162,55 @@ separate_list() { echo "$newlist" } +# +# Load a Kernel Module +# +loadmodule() # $1 = module name, $2 - * arguments +{ + local modulename=$1 + local modulefile + local suffix + moduleloader=modprobe + + if ! qt which modprobe; then + moduleloader=insmod + fi + + if [ -z "$(lsmod | grep $modulename)" ]; then + shift + + for suffix in $MODULE_SUFFIX ; do + modulefile=$MODULESDIR/${modulename}.${suffix} + + if [ -f $modulefile ]; then + case $moduleloader in + insmod) + insmod $modulefile $* + ;; + *) + modprobe $modulename $* + ;; + esac + + return + fi + done + fi +} + +# +# Reload the Modules +# +reload_kernel_modules() { + + [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter + + while read command; do + eval $command + done + +} + # # Find the zones # diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh index e87fd8e70..54959295a 100755 --- a/Shorewall2/install.sh +++ b/Shorewall2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.0.2 +VERSION=2.0.2a usage() # $1 = exit status { diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 49dda9546..123f60e8d 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
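Review bot: In loadmodule, `[ -z "$(lsmod | grep $modulename)" ]` is a substring match over the whole lsmod output, including the "Used by" column, so a module whose name is contained in another loaded module's name or dependency list is treated as already loaded and is never loaded; anchoring to the first column makes the test exact: `if ! lsmod | grep -q "^${modulename}[[:space:]]"; then`. `moduleloader` is assigned without `local`, unlike the three variables above it, and so leaks into the caller. In reload_kernel_modules, `while read command; do eval $command; done` executes every line of the here-document it is fed; the restriction to `loadmodule*` lines in load_kernel_modules is applied only when the restore file is generated, so correctness here rests on that file being produced solely by the firewall script and writable only by root, and `read -r` would at least stop backslashes in module arguments from being consumed before eval.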
@@ -1,227 +1,20 @@ -Shorewall 2.0.2 +Shorewall 2.0.3 Beta 1 ---------------------------------------------------------------------- -Problems Corrected since 2.0.1 +Problems Corrected since 2.0.2 -1) The /etc/init.d/shorewall script installed on Debian by install.sh - failed silently due to a missing file - (/usr/share/shorewall/wait4ifup). That file is not part of the - normal Shorewall distribution and is provided by the Debian - maintainer. +1) The 'firewall' script is not purging temporary restore files in + /var/lib/shorewall. These files have names of the form + "restore-nnnnn". -2) A meaningless warning message out of the proxyarp file processing - has been eliminated. - -3) The "shorewall delete" command now correctly removes all dynamic - rules pertaining to the host(s) being deleted. Thanks to Stefan - Engel for this correction. +2) The /var/lib/shorewall/restore script did not load the kernel + modules specified in /etc/shorewall/modules. ----------------------------------------------------------------------- -Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1: +Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3: -1) Extension Scripts - - In order for extension scripts to work properly with the new - iptables-save/restore integration (see New Feature 1 below), some - change may be required to your extension scripts. - - If your extension scripts are executing commands other than iptables - then those commands must also be written to the restore file (a - temporary file in /var/lib/shorewall that is renamed - /var/lib/shorewall/restore-base at the end of the operation). - - The following functions should be of help: - - A. save_command() -- saves the passed command to the restore file. - - Example: - - save_command echo Operation Complete - - That command would simply write "echo Operation Complete" to the - restore file. - - B. run_and_save_command() -- saves the passed command to the restore - file then executes it. 
The return value is the exit status of the - command. - - Example: - - run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" - - Note that as in this example, when the command involves file - redirection then the entire command must be enclosed in quotes. This - applies to all of the functions described here. - - C. ensure_and_save_command() -- runs the passed command. If the - command fails, the firewall is restored to it's prior saved state - and the operation is terminated. If the command succeeds, the - command is written to the restore file. - -2) Dynamic Zone support. - - If you don't need to use the "shorewall add" and "shorewall delete" - commands, you should set DYNAMIC_ZONES=No in - /etc/shorewall/shorewall.conf. +None. New Features: -1) Shorewall has now been integrated with - iptables-save/iptables-restore to provide very fast start and - restart. The elements of this integration are as follows: - - a) The 'shorewall save' command now saves the current configuration - in addition to the current dynamic blacklist. If you have - dynamic zones, you will want to issue 'shorewall save' when the - zones are empty or the current contents of the zones will be - restored by the 'shorewall restore' and 'shorewall -f start' - commands. - - b) The 'shorewall restore' command has been added. This command - restores the configuration at the time of the last 'save'. - - c) The -f (fast) option has been added to 'shorewall start'. When - specified (e.g. 'shorewall -f start'), shorewall will perform a - 'shorewall restore' if there is a saved configuration. If there - is no saved configuration, a normal 'shorewall start' is - performed. - - d) The /etc/init.d/shorewall script now translates the 'start' - command into 'shorewall -f start' so that fast restart is - possible. 
- - e) When a state-changing command encounters an error and there is a - current saved configuration, that configuration will be restored - (currently, the firewall is placed in the 'stopped' state). - - f) If you have previously saved the running configuration and want - Shorewall to discard it, use the 'shorewall forget' command. - - WARNING: iptables 1.2.9 is broken with respect to iptables-save; - If your kernel has connection tracking match support, you must - patch iptables 1.2.9 with the iptables patch availale from - the Shorewall errata page. - -2) The previous implementation of dynamic zones was difficult to - maintain. I have changed the code to make dynamic zones optional - under the control of the DYNAMIC_ZONES option in - /etc/shorewall/shorewall.conf. - -3) In earlier Shorewall 2.0 releases, Shorewall searches in order the - following directories for configuration files. - - a) The directory specified in a 'try' command or specified using - the -c option. - - b) /etc/shorewall - - c) /usr/share/shorewall - - In this release, the CONFIG_PATH option is added to shorewall.conf. - CONFIG_PATH contains a list of directory names separated by colons - (":"). If not set or set to a null value (e.g., CONFIG_PATH="") then - "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. - - Now Shorewall searches for shorewall.conf according to the old - rules and for other configuration files as follows: - - a) The directory specified in a 'try' command or specified using - the -c option. - - b) Each directory in $CONFIG_PATH is searched in sequence. - - In case it is not obvious, your CONFIG_PATH should include - /usr/share/shorewall and your shorewall.conf file must be in the - directory specified via -c or in a try command, in /etc/shorewall - or in /usr/share/shorewall. - - For distribution packagers, the default CONFIG_PATH is set in - /usr/share/shorewall/configpath. You can customize this file to - have a default that differs from mine. 
- -4) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column - would only take effect if the ALL INTERFACES column also contained - Yes or yes. Now, the LOCAL columns contents are treated - independently of the contents of the ALL INTERFACES column. - -5) The folks at Mandrake have created yet another kernel module - naming convention (module names end in "ko.gz"). As a consequence, - beginning with this release, if MODULE_SUFFIX isn't specified in - shorewall.conf, then the default value is "o gz ko o.gz ko.gz". - -6) An updated bogons file is included in this release. - -7) In /etc/shorewall/rules and in action files generated from - /usr/share/shorewall/action.template, rules that perform logging can - specify an optional "log tag". A log tag is a string of alphanumeric - characters and is specified by following the log level with ":" and - the log tag. - - Example: - - ACCEPT:info:ftp net dmz tcp 21 - - The log tag is appended to the log prefix generated by the LOGPREFIX - variable in /etc/shorewall/conf. If "ACCEPT:info" generates the log - prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will - generate "Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). - The maximum length of a log prefix supported by iptables is 29 - characters; if a larger prefix is generated, Shorewall will issue a - warning message and will truncate the prefix to 29 characters. - -8) A new "-q" option has been added to /sbin/shorewall commands. It - causes the start, restart, check and refresh commands to produce - much less output so that warning messages are more visible (when - testing this change, I discovered a bug where a bogus warning - message was being generated). - -9) Shorewall now uses 'modprobe' to load kernel modules if that utility - is available in the PATH; otherwise, 'insmod' is used. - -10) It is now possible to restrict entries in the /etc/shorewall/masq - file to particular protocols and destination port(s). 
Two new - columns (PROTO and PORT(S)) have been added to the file. - - Example: - - You want all outgoing SMTP traffic entering the firewall - on eth1 to be sent from eth0 with source IP address - 206.124.146.177. You want all other outgoing traffic - from eth1 to be sent from eth0 with source IP address - 206.124.146.176. - - eth0 eth1 206.124.146.177 tcp 25 - eth0 eth1 206.124.146.176 - - THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! - - Assuming that 10.0.0.0/8 is the only host/network connected - to eth1, the progress message at "shorewall start" would be: - - Masqueraded Networks and Hosts: - To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177 - To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176 - -11) Two new actions are available in the /etc/shorewall/rules file. - - ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts - matching connections from subsequent DNAT[-] and - REDIRECT[-] rules. - - NONAT -- Exempts matching connections from subsequent DNAT[-] - and REDIRECT[-] rules. - -12) A new extension script 'initdone' has been added. This script is invoked - at the same point as the 'common' script was previously and is useful for - users who mis-used that script under Shorewall 1.x (the script was intended - for adding rules to the 'common' chain but many users treated it as a script - for adding rules before Shorewall's). - -13) Installing/Upgrading Shorewall on Slackware has been - improved. Slackware users must use the tarball and must modify - settings in the install.sh script before running it as follows: - - DEST="/etc/rc.d" - INIT="rc.firewall" - - Thanks to Alex Wilms for helping with this change. +None. \ No newline at end of file diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall index 0883fce27..e7d33b1a3 100755 --- a/Shorewall2/shorewall +++ b/Shorewall2/shorewall 
@@ -974,7 +974,7 @@ case "$1" in if [ -f /var/lib/shorewall/restore-base ]; then cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$ if iptables-save >> /var/lib/shorewall/restore-$$ ; then - echo EOF >> /var/lib/shorewall/restore-$$ + echo __EOF__ >> /var/lib/shorewall/restore-$$ mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore chmod +x /var/lib/shorewall/restore echo " Currently-running Configuration Saved" diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec index b69ba0778..84bd50feb 100644 --- a/Shorewall2/shorewall.spec +++ b/Shorewall2/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 2.0.2 +%define version 2.0.2a %define release 1 %define prefix /usr @@ -141,6 +141,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Sat May 15 2004 Tom Eastep tom@shorewall.net +- Updated for 2.0.2a-1 * Thu May 13 2004 Tom Eastep tom@shorewall.net - Updated for 2.0.2-1 * Mon May 10 2004 Tom Eastep tom@shorewall.net diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh index e09e75742..28c45eb8c 100755 --- a/Shorewall2/uninstall.sh +++ b/Shorewall2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.0.2 +VERSION=2.0.2a usage() # $1 = exit status {