From 56649e218312a2b67b35a8158bca4c297a982e11 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 24 Sep 2014 19:24:13 -0700
Subject: [PATCH 1/2] Don't compile routestopped during check if there is stoppedrules.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Compiler.pm | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 5330e45a9..1b25a6911 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -975,8 +975,7 @@ sub compiler {
 # compile_stop_firewall() also validates the routestopped file. Since we don't
 # call that function during normal 'check', we must validate routestopped here.
 #
- process_routestopped;
- process_stoppedrules;
+ process_routestopped unless process_stoppedrules;
 }
 #
 # Report used/required capabilities
From ea40068c10cd033299e47e9941e880e7a15a591e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 25 Sep 2014 08:03:35 -0700
Subject: [PATCH 2/2] Fix ADMINISABSENTMINDED=No used with stoppedrules
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 6 ++++-
 Shorewall/Perl/Shorewall/Misc.pm | 7 +++---
 Shorewall/manpages/shorewall.conf.xml | 25 ++++++++++++---------
 Shorewall6/manpages/shorewall6.conf.xml | 29 +++++++++++++++----------
 4 files changed, 40 insertions(+), 27 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 7ff95215e..0bf4370a7 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1654,6 +1654,10 @@ sub insert_rule($$$) {
 sub insert_irule( $$$$;@ ) {
 my ( $chainref, $jump, $target, $number, @matches ) = @_;
+ my $rulesref = $chainref->{rules};
+
+ return add_irule( $chainref, $jump, $target, @matches ) if $number >= @$rulesref;
+
 my $ruleref = {};
 $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
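Review bot: The comment kept in the context lines above the changed line still says `we must validate routestopped here`, but the new line only calls process_routestopped when process_stoppedrules returns false, so the comment no longer matches the condition; extend it, e.g. `# call that function during normal 'check', we must validate routestopped here` followed by `# (unless a stoppedrules file is present, in which case routestopped is not compiled).` The line also relies on process_stoppedrules returning a true value exactly when the file is present; the Misc.pm hunk in the second patch shows it builds `$result` after `open_file 'stoppedrules' , 1, 1`, but what it returns for an absent or empty file is outside these hunks, so a short note at the call site stating that contract would keep the 'check' path and compile_stop_firewall() in step. sub compiler continues outside the hunk.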
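Review bot: The new early `return add_irule( $chainref, $jump, $target, @matches ) if $number >= @$rulesref;` means an insert at or past the end of the chain never reaches the `trace( $chainref, 'I', ++$number, ... )` in the second hunk (`@@ -1673,7 +1677,7 @@`), so such rules are traced however add_irule() reports them rather than as an insert; that is presumably intended (it also avoids splice's offset-past-end warning and lets add_irule() do its usual bookkeeping), but it deserves a comment such as `# Inserting at or beyond the end of the chain is an append; let add_irule() build and trace it.` I also cannot see from the hunk that add_irule() returns the same kind of value as the `$ruleref` this function otherwise produces, so callers that use insert_irule's return value should be checked against both paths. The second hunk's switch of the splice to `@$rulesref` is the same change and needs no separate note. insert_irule's body continues between and after the two hunks.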
@@ -1673,7 +1677,7 @@ sub insert_irule( $$$$;@ ) {
 $ruleref->{comment} = shortlineinfo( $chainref->{origin} ) || $ruleref->{comment} || $comment;
- splice( @{$chainref->{rules}}, $number, 0, $ruleref );
+ splice( @$rulesref, $number, 0, $ruleref );
 trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 8f43fde7a..981e58a2b 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -690,11 +690,10 @@ sub process_stoppedrules() {
 my $result;
 if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
- first_entry sub() {
- progress_message2("$doing $fn...");
+ first_entry sub () {
+ progress_message2( "$doing $fn..." );
 unless ( $config{ADMINISABSENTMINDED} ) {
- warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
- $config{ADMINISABSENTMINDED} = 'Yes';
+ insert_ijump $filter_table ->{$_}, j => 'ACCEPT', 0, state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
 }
 };
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index da25ba216..891a11c6d 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
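Review bot: With ADMINISABSENTMINDED=No the new line inserts the ESTABLISHED,RELATED ACCEPT only into INPUT and FORWARD, while the manpage hunks in this commit promise that response packets are accepted; replies sent by the firewall host itself leave through OUTPUT, so unless the stopped-state OUTPUT chain already accepts ESTABLISHED,RELATED (not visible here), the loop should read `for qw/INPUT FORWARD OUTPUT/;`. The removed assignment means `$config{ADMINISABSENTMINDED}` now stays 'No' for the rest of the stop compilation, so any later code that reads it takes the 'No' branch; presumably intended, but worth a comment on the unless block, e.g. `# ADMINISABSENTMINDED=No: new connections must match stoppedrules; still accept replies and related traffic.` The rule is only added from the first_entry callback, so a stoppedrules file with no entries installs no such rule at all, which should be confirmed as the intended outcome. Minor style point: `$filter_table ->{$_}` has a stray space before the arrow. process_stoppedrules continues outside the hunk.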
@@ -309,17 +309,22 @@ stoppedrules - If ADMINISABSENTMINDED=No, a warning message is issued - and the setting is ignored. - - In addition to connections matching entries in - stoppedrules, existing connections - continue to work and all new connections from the firewall - system itself are allowed. To sever all existing connections - when the firewall is stopped, install the conntrack utility - and place the command conntrack -F in the - stopped user exit + All existing connections continue to work. To sever all + existing connections when the firewall is stopped, install the + conntrack utility and place the command conntrack + -F in the stopped user exit (/etc/shorewall/stopped). + + If ADMINISABSENTMINDED=No, only new connections matching + entries in stoppedrules are accepted when + Shorewall is stopped. Response packets and related connections + are automatically accepted. + + If ADMINISABSENTMINDED=Yes, in addition to connections + matching entries in stoppedrules, all new + connections from the firewall system itself are allowed when + the firewall is stopped. Response packets and related + connections are automatically accepted. diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 56ee13591..6120de5c0 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -220,9 +220,9 @@ The value of this variable affects Shorewall's stopped state. The behavior differs depending on whether shorewall6-routestopped(5) + url="shorewall-routestopped.html">shorewall-routestopped(5) or shorewall6-stoppedrules(5) + url="shorewall-stoppedrules.html">shorewall-stoppedrules(5) is used: 
@@ -245,17 +245,22 @@ stoppedrules - If ADMINISABSENTMINDED=No, a warning message is issued - and the setting is ignored. - - In addition to connections matching entries in - stoppedrules, existing connections - continue to work and all new connections from the firewall - system itself are allowed. To sever all existing connections - when the firewall is stopped, install the conntrack utility - and place the command conntrack -F in the - stopped user exit + All existing connections continue to work. To sever all + existing connections when the firewall is stopped, install the + conntrack utility and place the command conntrack + -F in the stopped user exit (/etc/shorewall6/stopped). + + If ADMINISABSENTMINDED=No, only new connections matching + entries in stoppedrules are accepted when + Shorewall is stopped. Response packets and related connections + are automatically accepted. + + If ADMINISABSENTMINDED=Yes, in addition to connections + matching entries in stoppedrules, all new + connections from the firewall system itself are allowed when + the firewall is stopped. Response packets and related + connections are automatically accepted.