From 833e54c9c3216b38efd46ba01a80cc8ffb6a61cd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 2 Aug 2012 11:02:17 -0700
Subject: [PATCH] Rename the notrack file to conntrack

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 2 +
 Shorewall/Perl/Shorewall/Raw.pm | 12 +-
 Shorewall/configfiles/conntrack | 22 ++++
 Shorewall/configfiles/notrack | 9 --
 Shorewall/install.sh | 12 +-
 ...ll-notrack.xml => shorewall-conntrack.xml} | 104 +++++++++-------
 Shorewall6/configfiles/conntrack | 22 ++++
 Shorewall6/configfiles/notrack | 9 --
 Shorewall6/configfiles/shorewall6.conf | 4 +-
 ...6-notrack.xml => shorewall6-conntrack.xml} | 112 ++++++++++--------
 10 files changed, 186 insertions(+), 122 deletions(-)
 create mode 100644 Shorewall/configfiles/conntrack
 delete mode 100644 Shorewall/configfiles/notrack
 rename Shorewall/manpages/{shorewall-notrack.xml => shorewall-conntrack.xml} (68%)
 create mode 100644 Shorewall6/configfiles/conntrack
 delete mode 100644 Shorewall6/configfiles/notrack
 rename Shorewall6/manpages/{shorewall6-notrack.xml => shorewall6-conntrack.xml} (62%)

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ce92a9952..4dfbc95ee 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -322,6 +322,7 @@ our %config_files = ( #accounting => 1,
 actions => 1,
 blacklist => 1,
 clear => 1,
+ conntrack => 1,
 ecn => 1,
 findgw => 1,
 hosts => 1,
@@ -345,6 +346,7 @@ our %config_files = ( #accounting => 1,
 route_rules => 1,
 routes => 1,
 routestopped => 1,
+ rtrules => 1,
 rules => 1,
 scfilter => 1,
 secmarks => 1,
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index ba3d2f43f..4a64ee23a 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
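Review bot: The second Config.pm hunk adds `rtrules => 1` to %config_files, which is not part of the notrack-to-conntrack rename and is mentioned neither in the commit title nor in the description; if it is intended it deserves a sentence in the message, otherwise it belongs in its own commit. The hash already carries `route_rules => 1` three lines above the insertion, so presumably these are an old and a new name for the same file — worth confirming that whatever consumes %config_files treats the pair that way rather than as two distinct files. The %config_files declaration begins before the hunk.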
@@ -124,7 +124,17 @@ sub setup_notrack() {
 my $format = 1;
 my $action = 'NOTRACK';
- if ( my $fn = open_file 'notrack' ) {
+ my $fn = open_file( 'notrack' );
+
+ if ( $fn ) {
+ if ( -f ( my $fn1 = find_file 'conntrack' ) ) {
+ warning_message "Both $fn and $fn1 exist: $fn1 will be ignored";
+ }
+ } else {
+ $fn = open_file( 'conntrack' );
+ }
+
+ if ( $fn ) {
 first_entry "$doing $fn...";
diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack
new file mode 100644
index 000000000..d749633f9
--- /dev/null
+++ b/Shorewall/configfiles/conntrack
@@ -0,0 +1,22 @@
+#
+# Shorewall version 4 - conntrack File
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+#############################################################################################
+FORMAT 2
+#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
+# PORT(S) PORT(S) GROUP
+?IF $AUTOHELPERS && __CT_TARGET
+CT:helper:ftp all - tcp 21
+CT:helper:amanda all - udp 10080
+CT:helper:RAS all - udp 1719 #H323
+CT:helper:sip all - udp 5060
+CT:helper:tftp all - udp 69
+CT:helper:sane all - tcp 6566
+?IF __IPV4
+CT:helper:irc all - tcp 6667
+CT:helper:netbios-ns all - udp 137
+CT:helper:pptp all - tcp 1729
+?ENDIF
+?ENDIF
diff --git a/Shorewall/configfiles/notrack b/Shorewall/configfiles/notrack
deleted file mode 100644
index 9f3b5a171..000000000
--- a/Shorewall/configfiles/notrack
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Shorewall version 4 - Notrack File
-#
-# For information about entries in this file, type "man shorewall-notrack"
-#
-#####################################################################################
-FORMAT 2
-#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
-# PORT(S) PORT(S) GROUP
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 292a4b799..9d087a84b 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
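Review bot: The new branch makes a legacy `notrack` file win over the renamed `conntrack` file whenever both are present, and nothing in the hunk records why; a comment above `my $fn = open_file( 'notrack' );` such as `# A surviving 'notrack' takes precedence over 'conntrack' so upgraded installations keep their existing raw-table rules; the admin is warned that the new file is unused.` would stop the next maintainer from "fixing" the order. Because the warning is the only signal, an administrator who writes a fresh `conntrack` on a host that still carries a `notrack` gets none of its rules loaded; the message could say which file to remove to resolve that. The existence test `-f ( my $fn1 = find_file 'conntrack' )` is fine, though a name like `$conntrack_fn` instead of `$fn1` would read better next to `$fn`. setup_notrack continues past the end of the hunk.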
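Review bot: `CT:helper:pptp all - tcp 1729` in the new Shorewall/configfiles/conntrack binds the PPTP helper to the wrong port; the PPTP control connection uses TCP 1723, so with this entry the helper is never attached to real PPTP control traffic and the expected GRE sessions go untracked. The line should read `CT:helper:pptp all - tcp 1723`. The identical entry appears in the new Shorewall6/configfiles/conntrack later in this patch (inside its `?IF __IPV4` block) and needs the same correction. The remaining helper ports in the file (ftp 21, amanda 10080, RAS 1719, sip 5060, tftp 69, sane 6566, irc 6667, netbios-ns 137) match their conventional assignments.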
@@ -634,14 +634,14 @@ if [ -f masq ]; then
 fi
 fi
 #
-# Install the Notrack file
+# Install the Conntrack file
 #
-run_install $OWNERSHIP -m 0644 notrack ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-run_install $OWNERSHIP -m 0644 notrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/notrack ]; then
- run_install $OWNERSHIP -m 0600 notrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/notrack
- echo "Notrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/notrack"
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
+ run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
+ echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
 fi
 #
diff --git a/Shorewall/manpages/shorewall-notrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
similarity index 68%
rename from Shorewall/manpages/shorewall-notrack.xml
rename to Shorewall/manpages/shorewall-conntrack.xml
index 7fabb3e12..eb6cdd907 100644
--- a/Shorewall/manpages/shorewall-notrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
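Review bot: The guard `! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack` only tests for the new name, so on an upgraded host that still has `$CONFDIR/$PRODUCT/notrack` the installer drops a second file beside it; with the precedence the Raw.pm hunk in this patch establishes, that fresh `conntrack` is then ignored with a warning on every compile. Extending the test to `if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/notrack ]; then` keeps the upgrade from creating the both-files-exist situation. A short comment above the `if` stating that a legacy notrack file is deliberately left in place would make the intent visible to the next person editing the installer.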
@@ -3,33 +3,34 @@ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - shorewall6-notrack + shorewall6-conntrack 5 - notrack + conntrack - shorewall notrack file + shorewall conntrack file - /etc/shorewall/notrack + /etc/shorewall/conntrack Description - The original intent of the notrack file was to exempt certain - traffic from Netfilter connection tracking. Traffic matching entries in - this file were not to be tracked. + The original intent of the notrack + file was to exempt certain traffic from Netfilter connection tracking. + Traffic matching entries in the file were not to be tracked. The role of the file was expanded in Shorewall 4.4.27 to include all - rules tht can be added in the Netfilter raw table. + rules that can be added in the Netfilter raw table. In 4.5.7, the file's name was changed to + conntrack. The file supports two different column layouts: FORMAT 1 and FORMAT 2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an 
@@ -53,63 +54,66 @@ ACTION - {NOTRACK|CT:option[:arg,...]} + role="bold">CT:helper:name[(arg=val[,...])|CT:notrack} This column is only present when FORMAT = 2. Values other than NOTRACK require CT Target support in your iptables and kernel. - Possible values for option and - args are: - - (no - arg) + or + - Disables connection tracking for this packet, the same as - if NOTRACK has been specified in this column. + Disables connection tracking for this packet. :name - Use the helper identified by the name to this connection. - This is more flexible than loading the conntrack helper with - preset ports. - + Attach the helper identified by the + name to this connection. This is more + flexible than loading the conntrack helper with preset ports. + May be followed by an option list of + arg=val + pairs in parentheses: - - :event,... + + + =event[,...] - Only generate the specified conntrack events for this - connection. Possible event types are: new, related, destroy, reply, assured, protoinfo, helper, mark (this is connection mark, not packet - mark), natseqinfo, and - secmark. - + Only generate the specified conntrack events for this + connection. Possible event types are: new, related, destroy, reply, assured, protoinfo, helper, mark (this is connection mark, not + packet mark), natseqinfo, + and secmark. + - - + + - Only generate a new expectation events for this - connection. - + Only generate a new + expectation events for this connection. + - - :id + + =id - Assign this packet to zone id - and only have lookups done in that zone. By default, packets - have zone 0. + Assign this packet to Netfilter security zone + id and only have lookups done in + that zone. By default, packets have zone 0. + + @@ -225,6 +229,14 @@ + + EXAMPLE + + #ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP +# PORT(S) PORT(S) +CT:helper:ftp(expevents=new) fw - tcp 21 + + FILES 
diff --git a/Shorewall6/configfiles/conntrack b/Shorewall6/configfiles/conntrack
new file mode 100644
index 000000000..9dac8015c
--- /dev/null
+++ b/Shorewall6/configfiles/conntrack
@@ -0,0 +1,22 @@
+#
+# Shorewall version 4 - conntrack File
+#
+# For information about entries in this file, type "man shorewall6-conntrack"
+#
+#############################################################################################
+FORMAT 2
+#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
+# PORT(S) PORT(S) GROUP
+?IF $AUTOHELPERS && __CT_TARGET
+CT:helper:ftp all - tcp 21
+CT:helper:amanda all - udp 10080
+CT:helper:RAS all - udp 1719 #H323
+CT:helper:sip all - udp 5060
+CT:helper:tftp all - udp 69
+CT:helper:sane all - tcp 6566
+?IF __IPV4
+CT:helper:irc all - tcp 6667
+CT:helper:netbios-ns all - udp 137
+CT:helper:pptp all - tcp 1729
+?ENDIF
+?ENDIF
diff --git a/Shorewall6/configfiles/notrack b/Shorewall6/configfiles/notrack
deleted file mode 100644
index 9f3b5a171..000000000
--- a/Shorewall6/configfiles/notrack
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# Shorewall version 4 - Notrack File
-#
-# For information about entries in this file, type "man shorewall-notrack"
-#
-#####################################################################################
-FORMAT 2
-#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
-# PORT(S) PORT(S) GROUP
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 4c2c7a587..722b825ed 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -109,7 +109,9 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
 AUTOMAKE=No
diff --git a/Shorewall6/manpages/shorewall6-notrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
similarity index 62%
rename from Shorewall6/manpages/shorewall6-notrack.xml
rename to Shorewall6/manpages/shorewall6-conntrack.xml
index c407ba756..a31ab7992 100644
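Review bot: The shorewall6.conf hunk changes the key `AUTO_COMMENT=Yes` to `AUTOCOMMENT=Yes` and adds a new `AUTOHELPERS=Yes` default, neither of which is a notrack rename or mentioned in the commit message; the diffstat shows no matching edit to Shorewall/configfiles/shorewall.conf, so the IPv4 and IPv6 sample configurations now diverge on AUTOHELPERS. Since both new conntrack files gate every `CT:helper:` rule on `?IF $AUTOHELPERS && __CT_TARGET`, the IPv4 sample presumably leaves those helpers inactive unless shorewall.conf already sets the option — worth confirming and stating in the message. The key spelling change reads like a typo fix in the sample file; if Config.pm still accepted AUTO_COMMENT that also deserves a line in the description.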
--- a/Shorewall6/manpages/shorewall6-notrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml @@ -3,33 +3,34 @@ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - shorewall6-notrack + shorewall6-conntrack 5 - notrack + conntrack - shorewall6 notrack file + shorewall6 conntrack file - /etc/shorewall6/notrack + /etc/shorewall6/conntrack Description - The original intent of the notrack file was to exempt certain - traffic from Netfilter connection tracking. Traffic matching entries in - this file were not to be tracked. + The original intent of the notrack + file was to exempt certain traffic from Netfilter connection tracking. + Traffic matching entries in that file were not to be tracked. The role of the file was expanded in Shorewall 4.4.27 to include all - rules tht can be added in the Netfilter raw table. + rules that can be added in the Netfilter raw table. In 4.5.7, the file's name was changed to + conntrack. The file supports two different column layouts: FORMAT 1 and FORMAT 2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an 
@@ -52,63 +53,66 @@ ACTION - {NOTRACK|CT:option:args} + role="bold">CT:helper:name[(arg=val[,...])|CT:notrack} This column is only present when FORMAT = 2. Values other than NOTRACK require CT Target support in your iptables and kernel. - Possible values for option and - args are: - - (no - arg) + or + - Disables connection tracking for this packet, the same as - if NOTRACK has been specified in this column. + Disables connection tracking for this packet. :name - Use the helper identified by the name to this connection. - This is more flexible than loading the conntrack helper with - preset ports. - + Attach the helper identified by the + name to this connection. This is more + flexible than loading the conntrack helper with preset ports. + May be followed by an option list of + arg=val + pairs in parentheses: - - :event,... + + + =event[,...] - Only generate the specified conntrack events for this - connection. Possible event types are: new, related, destroy, reply, assured, protoinfo, helper, mark (this is connection mark, not packet - mark), natseqinfo, and - secmark. - + Only generate the specified conntrack events for this + connection. Possible event types are: new, related, destroy, reply, assured, protoinfo, helper, mark (this is connection mark, not + packet mark), natseqinfo, + and secmark. + - - + + - Only generate a new expectation events for this - connection. - + Only generate a new + expectation events for this connection. + - - :id + + =id - Assign this packet to zone id - and only have lookups done in that zone. By default, packets - have zone 0. + Assign this packet to Netfilter security zone + id and only have lookups done in + that zone. By default, packets have zone 0. + + @@ -207,6 +211,14 @@ + + EXAMPLE + + #ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP +# PORT(S) PORT(S) +CT:helper:ftp(expevents=new) fw - tcp 21 + + FILES 
@@ -223,9 +235,9 @@ shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-ipsec(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5), - shorewall6-rtrules(5), shorewall6-routestopped(5), - shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), - shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), - shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5) + shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), + shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall-zones(5)