From c8156cfdb1095e658abb6c030f5eee705fe575df Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 4 Jun 2012 08:00:07 -0700
Subject: [PATCH 1/9] Correct typo
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Compiler.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 7c9ea2cd2..dd9973ca6 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -821,7 +821,7 @@ sub compiler {
 #
 # More Optimization
 #
- optimize_ruleset if $config{OPTIIMIZE} & OPTIMIZE_RULESET_MASK;
+ optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 }
 enable_script;
From 6bd81145e92a9407646e645aa5c977b3212e4605 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 5 Jun 2012 09:02:12 -0700
Subject: [PATCH 2/9] Fix single-line embedded Perl
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Config.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 8e5e68b7c..6625c513f 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -2101,6 +2101,8 @@ sub embedded_perl( $ ) {
 fatal_error ( "Missing END PERL" ) unless $last;
 fatal_error ( "Invalid END PERL directive" ) unless $currentline =~ /^\s*$/;
+ } else {
+ $currentline = '';
 }
 $embedded++;
From 49d361e44fec56cc1fd9fbd7dd12f08c79464c1e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 5 Jun 2012 12:52:12 -0700
Subject: [PATCH 3/9] Correct another problem with the Shorewall-core installer
Signed-off-by: Tom Eastep
---
Shorewall-core/configure | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall-core/configure b/Shorewall-core/configure
index 9b205b844..1b1a27ad1 100755
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
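Review bot: The misspelled key went unnoticed because `%config` lookups are not checked by `use strict`, and the corrected line still reads `$config{OPTIMIZE}` while the neighbouring `optimize_policy_chains` test in this same function (visible in PATCH 7 of this series) uses a lexical `$optimize`; if that lexical holds the same value, `optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;` is consistent with its neighbour and turns the next such typo into a compile-time error. Failing that, locking the keys of `%config` with `Hash::Util::lock_keys` once it is populated would make a mistyped key a runtime failure instead of silently skipping ruleset optimization, which is what the old line did. `compiler` starts and ends outside this hunk.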
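Review bot: The new `else` branch discards whatever is left in `$currentline` without comment, whereas the multi-line path just above rejects leftover text with `fatal_error "Invalid END PERL directive"`; if the single-line form can carry trailing text the same check seems warranted, and if it cannot, a comment saying what the single-line case guarantees about `$currentline` (presumably that the whole script was consumed with the directive) would explain why clearing it is safe. The condition that selects the single-line form and the meaning of `$last` are outside the hunk, so this is hedged. `embedded_perl` starts and ends outside this hunk.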
@@ -132,7 +132,7 @@ if [ -z "$vendor" ]; then
 vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
- rcfile=$shorewallrc.default;
+ rcfile=shorewallrc.default;
 else
 rcfile=shorewallrc.$vendor
 if [ ! -f $rcfile ]; then
From 6cd71ef4ddf6ea888f951863e89a9caf0d762ed8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 5 Jun 2012 15:22:08 -0700
Subject: [PATCH 4/9] Fix IPv6 shorecap
- copied the CLI program initialization steps to shorecap
- Modified install.sh to modify the location of shrorewallrc if needed
---
Shorewall-lite/install.sh | 1 +
Shorewall-lite/shorecap | 25 +++++++++++++++----------
Shorewall6-lite/shorecap | 25 +++++++++++++++----------
3 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index a4b3a257f..e3a9ec2a5 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -403,6 +403,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #
 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
diff --git a/Shorewall-lite/shorecap b/Shorewall-lite/shorecap
index 578f9ad1b..e8e5659ec 100755
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
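Review bot: `$vendor` is still expanded unquoted in `elif [ $vendor = linux ]` and again via `rcfile=shorewallrc.$vendor` in `[ ! -f $rcfile ]`, so a value containing whitespace (it comes from the script's parameters, as the `vendor=${params[HOST]}` fallback shows) turns the test into a shell syntax error rather than the intended "no such rc file" path; quoting both, `elif [ "$vendor" = linux ]; then` and `if [ ! -f "$rcfile" ]; then`, costs nothing. The removed line referenced `$shorewallrc`, which nothing in this hunk assigns, which is consistent with the fix being an undefined-variable typo that produced `.default`. The enclosing `if` chain starts and ends outside this hunk.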
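Review bot: The `eval` on the added line is unnecessary and makes `${SHAREDIR}` part of a string the shell re-parses, so an install prefix containing `|`, quotes or whitespace corrupts the sed expression or the command itself; the same edit works without it: `[ "$SHAREDIR" = /usr/share ] || sed -i "s|/usr/share/|${SHAREDIR}/|" "${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"`. The target is written `${DESTDIR}/${LIBEXECDIR}` here but `${DESTDIR}${LIBEXECDIR}` on the `install_file` line just above; the doubled slash is harmless but the two should agree. Note that the substitution rewrites every `/usr/share/` in shorecap, including the `configpath` line left hard-coded in the next file, which appears to be the intent but means the script is only correct after this step has run.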
@@ -45,17 +45,22 @@
 # used during firewall compilation, then the generated firewall program will likewise not
 # require Shorewall to be installed.
-SHAREDIR=/usr/share/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
-CONFDIR=/etc/shorewall-lite
-g_program=shorewall-lite
-g_product="Shorewall Lite"
-g_family=4
-g_base=shorewall
-g_basedir=/usr/share/shorewall-lite
-. /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall/lib.cli
+g_program=shorewall-lite
+
+ #
+ # This is modified by the installer when ${SHAREDIR} != /usr/share
+ #
+ . /usr/share/shorewall/shorewallrc
+
+ g_libexec="$LIBEXECDIR"
+ g_sharedir="$SHAREDIR"/shorewall-lite
+ g_sbindir="$SBINDIR"
+ g_vardir="$VARDIR"
+ g_confdir="$CONFDIR"/shorewall-lite
+ g_readrc=1
+
+ . ${SHAREDIR}/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
diff --git a/Shorewall6-lite/shorecap b/Shorewall6-lite/shorecap
index af10870ff..27e51c589 100755
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -45,17 +45,22 @@
 # used during firewall compilation, then the generated firewall program will likewise not
 # require Shorewall to be installed.
-SHAREDIR=/usr/share/shorewall6-lite
-VARDIR=/var/lib/shorewall6-lite
-CONFDIR=/etc/shorewall6-lite
-g_product="Shorewall6 Lite"
-g_family=6
-g_base=shorewall6
-g_basedir=/usr/share/shorewall6-lite
+g_program=shorewall6-lite
-. /usr/share/shorewall6-lite/lib.base
-. /usr/share/shorewall6/lib.cli
-. /usr/share/shorewall6-lite/configpath
+
+ #
+ # This is modified by the installer when ${SHAREDIR} != /usr/share
+ #
+ . /usr/share/shorewall/shorewallrc
+
+ g_libexec="$LIBEXECDIR"
+ g_sharedir="$SHAREDIR"/shorewall6-lite
+ g_sbindir="$SBINDIR"
+ g_vardir="$VARDIR"
+ g_confdir="$CONFDIR"/shorewall6-lite
+ g_readrc=1
+
+ . ${SHAREDIR}/shorewall/lib.cli
+ . ${SHAREDIR}/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
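Review bot: The last sourced file is still the hard-coded `. /usr/share/shorewall-lite/configpath`, while `lib.cli` two lines above is now located through `${SHAREDIR}`, so in a relocated install this script is only correct because the installer's sed rewrites the literal; `. ${SHAREDIR}/shorewall-lite/configpath` removes that dependency and matches what the Shorewall6-lite counterpart in the same commit does. The removed `g_family=4`, `g_base` and `g_product` assignments are not re-established, so if `lib.cli` or `configpath` still reads any of them they are now empty, which cannot be confirmed from this hunk. As before, `shorewallrc` and `lib.cli` are executed as shell code with this script's privileges, so the new comment `# This is modified by the installer ...` could usefully add that `shorewallrc` must stay root-owned and non-writable by others.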
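Review bot: The new `. ${SHAREDIR}/shorewall-lite/configpath` sources the IPv4 product's configpath, whereas the removed line sourced `/usr/share/shorewall6-lite/configpath` and every other path in this hunk (`g_sharedir`, `g_confdir`) is built from `shorewall6-lite`; this looks like a copy from the IPv4 script and should read `. ${SHAREDIR}/shorewall6-lite/configpath`, otherwise the IPv6 capability probe picks up IPv4 config paths. As in the IPv4 counterpart, `g_family=6`, `g_base` and `g_product` are dropped without replacement, so anything in `lib.cli` that still keys family-specific behaviour off `g_family` would now see it unset — worth confirming, since getting the family wrong here silently produces an IPv4 capabilities file for an IPv6 firewall.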
From 58a0ebccb220274a65d517dd472977b68a5cbf27 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 5 Jun 2012 17:23:13 -0700
Subject: [PATCH 5/9] Clarify CONFIG_PATH setting using -lite products
Signed-off-by: Tom Eastep
---
docs/CompiledPrograms.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
index 510329e2f..62c4cfedf 100644
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -135,7 +135,8 @@
- CONFIG_PATH=/usr/share/shorewall
+ Remove /etc/shorewall (/etc/shorewal6) from the setting of
+ CONFIG_PATH
From 21eda5daec7ed054e06696b2b95e26a7c2e6b0c4 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 6 Jun 2012 10:50:16 -0700
Subject: [PATCH 6/9] Fix multiple iprange matches without kludgefree.
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Chains.pm | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index c7f70b150..653ed418a 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -747,6 +747,7 @@ sub set_rule_option( $$$ ) {
 push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 } else {
+ assert( ! reftype $value );
 $ruleref->{$option} = join(' ', $value1, $value ) unless $value1 eq $value;
 }
 } elsif ( $opttype == EXCLUSIVE ) {
@@ -1194,12 +1195,16 @@ sub push_matches {
 while ( @_ ) {
 my ( $option, $value ) = ( shift, shift );
- assert( defined $value );
+ assert( defined $value && ! reftype $value );
 if ( exists $ruleref->{$option} ) {
 my $curvalue = $ruleref->{$option};
- $ruleref->{$option} = [ $curvalue ] unless reftype $curvalue;
- push @{$ruleref->{$option}}, reftype $value ? @$value : $value;
+ if ( $globals{KLUDGEFREE} ) {
+ $ruleref->{$option} = [ $curvalue ] unless reftype $curvalue;
+ push @{$ruleref->{$option}}, reftype $value ? @$value : $value;
+ } else {
+ $ruleref->{$option} = join( '', $curvalue, $value );
+ }
 } else {
 $ruleref->{$option} = $value;
 $dont_optimize ||= $option =~ /^[piosd]$/ && $value =~ /^!/;
@@ -4791,7 +4796,8 @@ sub imatch_source_net( $;$\$ ) {
 ( $family == F_IPV6 && $net =~ /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
 my ($addr1, $addr2) = ( $2, $3 );
 $net =~ s/!// if my $invert = $1 ? '! ' : '';
- fatal_error "Address Ranges require the Multiple Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
+ validate_range $addr1, $addr2;
+ require_capability( 'IPRANGE_MATCH' , 'Address Ranges' , '' );
 return ( iprange => "${invert}--src-range $net" );
 }
From a2a9ef095887d0291f6bdad861658d677f90eb2b Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 5 Jun 2012 12:51:52 -0700
Subject: [PATCH 7/9] Rename OPTIMIZE_MASK1 to OPTIMIZE_MASK2n4
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Chains.pm | 8 ++++----
Shorewall/Perl/Shorewall/Compiler.pm | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 653ed418a..feb83f880 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -112,7 +112,7 @@ our %EXPORT_TAGS = (
 ALL_COMMANDS
 NOT_RESTORE
 OPTIMIZE_POLICY_MASK
- OPTIMIZE_POLICY_MASK1
+ OPTIMIZE_POLICY_MASK2n4
 OPTIMIZE_RULESET_MASK
 OPTIMIZE_MASK
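Review bot: In the non-KLUDGEFREE branch the two match strings are concatenated with `join( '', $curvalue, $value )`, while the sibling `set_rule_option` (first hunk of this patch) merges scalar values with `join(' ', ...)`; for the `iprange` values produced in this same patch (`"${invert}--src-range $net"`, no trailing blank) that yields `--src-range A-B--dst-range C-D` when both ranges land in one rule, unless the emitter inserts a separator I cannot see from here — please confirm, or use `' '` for consistency. The KLUDGEFREE branch still contains `reftype $value ? @$value : $value`, which the strengthened assert two lines earlier makes unreachable; `push @{$ruleref->{$option}}, $value;` states what is actually allowed. `push_matches` starts and ends outside this hunk.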
@@ -368,9 +368,9 @@ use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 # Optimization masks
 #
 use constant {
- OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
- OPTIMIZE_POLICY_MASK1 => 0x06 ,
- OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
+ OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
+ OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
+ OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
 };
 use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index dd9973ca6..e96136ebb 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -817,7 +817,7 @@ sub compiler {
 #
 # Optimize Policy Chains
 #
- optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK1 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+ optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 #
 # More Optimization
 #
@@ -882,7 +882,7 @@ sub compiler {
 #
 # Optimize Policy Chains
 #
- optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK1 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+ optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 #
 # Ruleset Optimization
 #
From 38adf3d18669a9d74d0103f6ded46b90e6268ce7 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 6 Jun 2012 14:30:00 -0700
Subject: [PATCH 8/9] Set 'sourceroute=0' on all sample net interfaces
Signed-off-by: Tom Eastep
---
Shorewall/Samples/one-interface/interfaces | 2 +-
Shorewall/Samples/three-interfaces/interfaces | 2 +-
Shorewall/Samples/two-interfaces/interfaces | 2 +-
Shorewall6/Samples6/Universal/interfaces | 2 +-
Shorewall6/Samples6/three-interfaces/interfaces | 2 +-
Shorewall6/Samples6/two-interfaces/interfaces | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Samples/one-interface/interfaces b/Shorewall/Samples/one-interface/interfaces
index c1e12a113..789388943 100644
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -14,4 +14,4 @@ FORMAT 2
 ###############################################################################
 #ZONE INTERFACE OPTIONS
-net eth0 dhcp,tcpflags,logmartians,nosmurfs
+net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
diff --git a/Shorewall/Samples/three-interfaces/interfaces b/Shorewall/Samples/three-interfaces/interfaces
index d455a4c8b..fa9c35a59 100644
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -14,6 +14,6 @@ FORMAT 2
 ###############################################################################
 #ZONE INTERFACE OPTIONS
-net eth0 tcpflags,dhcp,nosmurfs,routefilter,logmartians
+net eth0 tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
 loc eth1 tcpflags,nosmurfs,routefilter,logmartians
 dmz eth2 tcpflags,nosmurfs,routefilter,logmartians
diff --git a/Shorewall/Samples/two-interfaces/interfaces b/Shorewall/Samples/two-interfaces/interfaces
index 74e06cb6b..6df4ab365 100644
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -14,5 +14,5 @@ FORMAT 2
 ###############################################################################
 #ZONE INTERFACE OPTIONS
-net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians
+net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
 loc eth1 tcpflags,nosmurfs,routefilter,logmartians
diff --git a/Shorewall6/Samples6/Universal/interfaces b/Shorewall6/Samples6/Universal/interfaces
index 71be605e6..b86de5541 100644
--- a/Shorewall6/Samples6/Universal/interfaces
+++ b/Shorewall6/Samples6/Universal/interfaces
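Review bot: `sourceroute=0` is the right hardening for the Internet-facing interface, but after this change the one-interface sample is the only IPv4 sample whose `net` line lacks `routefilter`, which the two- and three-interface samples set alongside `logmartians`; unless a single-homed host is meant to accept asymmetrically routed packets, `net eth0 dhcp,tcpflags,logmartians,nosmurfs,routefilter,sourceroute=0` would make the three samples consistent. Only the `net` line is touched in each file, so the internal `loc`/`dmz` interfaces in the other samples keep whatever the kernel's default is for source-routed packets (presumably what `sourceroute` controls), which matches the commit title but may be worth a one-line comment in the sample so users know the setting is per-interface.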
@@ -11,5 +11,5 @@ FORMAT 2
 ###############################################################################
 #ZONE INTERFACE OPTIONS
 - lo ignore
-net all dhcp,physical=+,routeback
+net all dhcp,physical=+,routeback,sourceroute=0
diff --git a/Shorewall6/Samples6/three-interfaces/interfaces b/Shorewall6/Samples6/three-interfaces/interfaces
index 393c544ed..a3499651d 100644
--- a/Shorewall6/Samples6/three-interfaces/interfaces
+++ b/Shorewall6/Samples6/three-interfaces/interfaces
@@ -14,6 +14,6 @@ FORMAT 2
 ###############################################################################
 #ZONE INTERFACE OPTIONS
-net eth0 tcpflags,forward=1
+net eth0 tcpflags,forward=1,sourceroute=0
 loc eth1 tcpflags,forward=1
 dmz eth2 tcpflags,forward=1
diff --git a/Shorewall6/Samples6/two-interfaces/interfaces b/Shorewall6/Samples6/two-interfaces/interfaces
index f3a75582c..c15c0a4ee 100644
--- a/Shorewall6/Samples6/two-interfaces/interfaces
+++ b/Shorewall6/Samples6/two-interfaces/interfaces
@@ -14,5 +14,5 @@ FORMAT 2
 ###############################################################################
 #ZONE INTERFACE OPTIONS
-net eth0 tcpflags,forward=1
+net eth0 tcpflags,forward=1,sourceroute=0
 loc eth1 tcpflags,forward=1
From db6a7276ec6f40fb2479792aaa91dac111481d72 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 Jun 2012 14:11:44 -0700
Subject: [PATCH 9/9] Don't optimize chains with commands
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Chains.pm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index feb83f880..b9334228c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -707,7 +707,9 @@ sub macro_comment( $ ) {
 # Functions to manipulate cmdlevel
 #
 sub incr_cmd_level( $ ) {
- $_[0]->{cmdlevel}++;
+ my $chain = $_[0];
+ $chain->{cmdlevel}++;
+ $chain->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE );
 }
 sub decr_cmd_level( $ ) {
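Review bot: The new flags are set on entry to a command level but `decr_cmd_level`, whose body lies outside the hunk, is not shown clearing them, so `DONT_OPTIMIZE | DONT_MOVE` appear to be intended as sticky for any chain that has ever held a shell command; a comment saying so would stop a later reader from "balancing" the two functions, e.g. `# A chain that has ever contained shell commands must never be optimized or have its rules moved; decr_cmd_level deliberately leaves these flags set.` Naming `$chain` instead of poking `$_[0]` is an improvement, and since `add_commands` in the next hunk sets the same two flags, a small helper such as `dont_optimize_chain( $chainref )` would keep the mask in one place. `incr_cmd_level` is complete in the hunk; `decr_cmd_level` only starts here.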
@@ -1021,6 +1023,7 @@ sub add_commands ( $$;@ ) {
 } for @_;
 $chainref->{referenced} = 1;
+ $chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE );
 }
 #
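Review bot: The flags are set unconditionally after the `for @_` loop, so a call with an empty command list (which the `( $$;@ )` prototype permits) still marks the chain `DONT_OPTIMIZE | DONT_MOVE` even though nothing was added; if such calls exist, `$chainref->{optflags} |= ( DONT_OPTIMIZE | DONT_MOVE ) if @_;` limits the loss of optimization to chains that actually gained a command, while the pre-existing unconditional `referenced = 1` is unchanged. The same `optflags |=` mask now appears in `incr_cmd_level` as well, so a shared helper would keep it in one place. `add_commands` starts outside this hunk, so whether `@_` can be empty at this point cannot be confirmed from here.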