Port update changes from 5.0.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-08-12 12:33:09 -07:00
parent 3b59e46799
commit af2b7910bd
8 changed files with 300 additions and 33 deletions

View File

@ -3974,7 +3974,7 @@ usage() # $1 = exit status
echo " status [ -i ]" echo " status [ -i ]"
echo " stop" echo " stop"
ecko " try <directory> [ <timeout> ]" ecko " try <directory> [ <timeout> ]"
ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-A] [ <directory> ]" ecko " update [ -a ] [ -b ] [ -r ] [ -T ] [ -D ] [ -i ] [-t] [-s] [-n] [-A] [ <directory> ]"
echo " version [ -a ]" echo " version [ -a ]"
echo echo
exit $1 exit $1
@ -4027,6 +4027,8 @@ shorewall_cli() {
g_counters= g_counters=
g_loopback= g_loopback=
g_compiled= g_compiled=
g_routestopped=
g_notrack=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1

View File

@ -592,8 +592,8 @@ EOF
# #
sub compiler { sub compiler {
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules ) = my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc , $shorewallrc1 , $directives, $inline, $tcrules, $routestopped , $notrack ) =
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 ); ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 , '' , '/usr/share/shorewall/shorewallrc', '' , 0 , 0 , 0 , 0 , 0 );
$export = 0; $export = 0;
$test = 0; $test = 0;
@ -634,6 +634,8 @@ sub compiler {
inline => { store => \$inline, validate=> \&validate_boolean } , inline => { store => \$inline, validate=> \&validate_boolean } ,
directives => { store => \$directives, validate=> \&validate_boolean } , directives => { store => \$directives, validate=> \&validate_boolean } ,
tcrules => { store => \$tcrules, validate=> \&validate_boolean } , tcrules => { store => \$tcrules, validate=> \&validate_boolean } ,
routestopped => { store => \$routestopped, validate=> \&validate_boolean } ,
notrack => { store => \$notrack, validate=> \&validate_boolean } ,
config_path => { store => \$config_path } , config_path => { store => \$config_path } ,
shorewallrc => { store => \$shorewallrc } , shorewallrc => { store => \$shorewallrc } ,
shorewallrc1 => { store => \$shorewallrc1 } , shorewallrc1 => { store => \$shorewallrc1 } ,
@ -737,7 +739,7 @@ sub compiler {
# #
# Do all of the zone-independent stuff (mostly /proc) # Do all of the zone-independent stuff (mostly /proc)
# #
add_common_rules( $convert, $tcrules ); add_common_rules( $convert, $tcrules , $routestopped );
# #
# More /proc # More /proc
# #
@ -844,7 +846,7 @@ sub compiler {
# #
# Process the conntrack file # Process the conntrack file
# #
setup_conntrack; setup_conntrack( $notrack );
# #
# Add Tunnel rules. # Add Tunnel rules.
# #
@ -911,7 +913,7 @@ sub compiler {
# S T O P _ F I R E W A L L # S T O P _ F I R E W A L L
# (Writes the stop_firewall() function to the compiled script) # (Writes the stop_firewall() function to the compiled script)
# #
compile_stop_firewall( $test, $export , $have_arptables ); compile_stop_firewall( $test, $export , $have_arptables, $routestopped );
# #
# U P D O W N # U P D O W N
# (Writes the updown() function to the compiled script) # (Writes the updown() function to the compiled script)
@ -976,14 +978,15 @@ sub compiler {
initialize_chain_table(0); initialize_chain_table(0);
if ( $debug ) { if ( $debug ) {
compile_stop_firewall( $test, $export, $have_arptables ); compile_stop_firewall( $test, $export, $have_arptables, $routestopped );
disable_script; disable_script;
} else { } else {
# #
# compile_stop_firewall() also validates the routestopped file. Since we don't # compile_stop_firewall() also validates the stoppedrules file. Since we don't
# call that function during normal 'check', we must validate routestopped here. # call that function during normal 'check', we must validate stoppedrules here.
# #
process_routestopped unless process_stoppedrules; convert_routestopped if $routestopped;
process_stoppedrules;
} }
# #
# Report used/required capabilities # Report used/required capabilities

View File

@ -4837,7 +4837,8 @@ sub update_config_file( $$ ) {
# #
$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf"; $fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
} }
if ( -f $fn ) {
if ( -f $fn ) {
my ( $template, $output ); my ( $template, $output );
open $template, '<' , $fn or fatal_error "Unable to open $fn: $!"; open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@ -4925,8 +4926,10 @@ EOF
} }
exit 0 unless ( $directives || exit 0 unless ( $directives ||
-f find_file 'blacklist' || -f find_file 'blacklist' ||
-f find_file 'tcrules' ); -f find_file 'tcrules' ||
-f find_file 'routestopped'
);
} }
} else { } else {
fatal_error "$fn does not exist"; fatal_error "$fn does not exist";

View File

@ -44,6 +44,7 @@ our @EXPORT = qw( process_tos
setup_mac_lists setup_mac_lists
process_routestopped process_routestopped
process_stoppedrules process_stoppedrules
convert_routestopped
compile_stop_firewall compile_stop_firewall
generate_matrix generate_matrix
); );
@ -360,14 +361,16 @@ sub remove_blacklist( $ ) {
while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) { while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
my ( $rule, $comment ) = split '#', $currentline, 2; my ( $rule, $comment ) = split '#', $currentline, 2;
if ( $rule =~ /blacklist/ ) { if ( $rule && $rule =~ /blacklist/ ) {
$changed = 1; $changed = 1;
if ( $comment ) { if ( $comment ) {
$comment =~ s/^/ / while $rule =~ s/blacklist,//; $comment =~ s/^/ / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
$rule =~ s/blacklist/ /g; $rule =~ s/blacklist/ /g;
$currentline = join( '#', $rule, $comment ); $currentline = join( '#', $rule, $comment );
} else { } else {
$currentline =~ s/blacklist,//g;
$currentline =~ s/,blacklist//g;
$currentline =~ s/blacklist/ /g; $currentline =~ s/blacklist/ /g;
} }
} }
@ -385,7 +388,7 @@ sub remove_blacklist( $ ) {
} }
# #
# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist # Convert a pre-4.4.25 blacklist to a 4.4.25 blrules file
# #
sub convert_blacklist() { sub convert_blacklist() {
my $zones = find_zones_by_option 'blacklist', 'in'; my $zones = find_zones_by_option 'blacklist', 'in';
@ -403,7 +406,19 @@ sub convert_blacklist() {
$target = verify_audit( $disposition ); $target = verify_audit( $disposition );
} }
my $fn = open_file 'blacklist'; my $fn = open_file( 'blacklist' );
unless ( $fn ) {
if ( -f ( $fn = find_file( 'blacklist' ) ) ) {
if ( unlink( $fn ) ) {
warning_message "Empty blacklist file ($fn) removed";
} else {
warning_message "Unable to remove empty blacklist file $fn: $!";
}
}
return 0;
}
first_entry "Converting $fn..."; first_entry "Converting $fn...";
@ -682,6 +697,153 @@ sub process_routestopped() {
} }
} }
sub convert_routestopped() {
if ( my $fn = open_file 'routestopped' ) {
my ( @allhosts, %source, %dest , %notrack, @rule );
my $seq = 0;
my ( $stoppedrules, $fn1 );
if ( -f ( $fn1 = find_file( 'stoppedrules' ) ) ) {
open $stoppedrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
} else {
open $stoppedrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
print $stoppedrules <<'EOF';
#
# Shorewall version 4 - Stopped Rules File
#
# For information about entries in this file, type "man shorewall-stoppedrules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
#
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
EOF
}
first_entry "$doing $fn...";
while ( read_a_line ( NORMAL_READ ) ) {
my ($interface, $hosts, $options , $proto, $ports, $sports ) =
split_line( 'routestopped file',
{ interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 } );
my $interfaceref;
fatal_error 'INTERFACE must be specified' if $interface eq '-';
fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
$hosts = ALLIP unless $hosts && $hosts ne '-';
my $routeback = 0;
my @hosts;
$seq++;
my $rule = "$proto\t$ports\t$sports";
$hosts = ALLIP if $hosts eq '-';
for my $host ( split /,/, $hosts ) {
fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
validate_host $host, 1;
push @hosts, "$interface|$host|$seq";
push @rule, $rule;
}
unless ( $options eq '-' ) {
for my $option (split /,/, $options ) {
if ( $option eq 'routeback' ) {
if ( $routeback ) {
warning_message "Duplicate 'routeback' option ignored";
} else {
$routeback = 1;
}
} elsif ( $option eq 'source' ) {
for my $host ( split /,/, $hosts ) {
$source{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'dest' ) {
for my $host ( split /,/, $hosts ) {
$dest{"$interface|$host|$seq"} = 1;
}
} elsif ( $option eq 'notrack' ) {
for my $host ( split /,/, $hosts ) {
$notrack{"$interface|$host|$seq"} = 1;
}
} else {
warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
warning_message "The 'critical' option is no longer supported (or needed)";
}
}
}
if ( $routeback || $interfaceref->{options}{routeback} ) {
my $chainref = $filter_table->{FORWARD};
for my $host ( split /,/, $hosts ) {
print $stoppedrules "ACCEPT\t$interface:$host\t$interface:$host\n";
}
}
push @allhosts, @hosts;
}
for my $host ( @allhosts ) {
my ( $interface, $h, $seq ) = split /\|/, $host;
my $rule = shift @rule;
print $stoppedrules "ACCEPT\t$interface:$h\t\$FW\t$rule\n";
print $stoppedrules "ACCEPT\t\$FW\t$interface:$h\t$rule\n" unless $config{ADMINISABSENTMINDED};
my $matched = 0;
if ( $source{$host} ) {
print $stoppedrules "ACCEPT\t$interface:$h\t-\t$rule\n";
$matched = 1;
}
if ( $dest{$host} ) {
print $stoppedrules "ACCEPT\t-\t$interface:$h\t$rule\n";
$matched = 1;
}
if ( $notrack{$host} ) {
print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
}
unless ( $matched ) {
for my $host1 ( @allhosts ) {
unless ( $host eq $host1 ) {
my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
print $stoppedrules "ACCEPT\t$interface:$h\t$interface1:$h1\t$rule\n";
}
}
}
}
rename $fn, "$fn.bak";
progress_message2 "Routestopped file $fn saved in $fn.bak";
close $stoppedrules;
} elsif ( -f ( my $fn1 = find_file( 'routestopped' ) ) ) {
if ( unlink( $fn1 ) ) {
warning_message "Empty routestopped file ($fn1) removed";
} else {
warning_message "Unable to remove empty routestopped file $fn1: $!";
}
}
}
# #
# Process the stoppedrules file. Returns true if the file was non-empty. # Process the stoppedrules file. Returns true if the file was non-empty.
# #
@ -774,8 +936,8 @@ sub process_stoppedrules() {
sub setup_mss(); sub setup_mss();
sub add_common_rules ( $$ ) { sub add_common_rules ( $$$ ) {
my ( $upgrade_blacklist, $upgrade_tcrules ) = @_; my ( $upgrade_blacklist, $upgrade_tcrules , $upgrade_routestopped ) = @_;
my $interface; my $interface;
my $chainref; my $chainref;
my $target; my $target;
@ -946,7 +1108,7 @@ sub add_common_rules ( $$ ) {
run_user_exit1 'initdone'; run_user_exit1 'initdone';
if ( $upgrade_blacklist ) { if ( $upgrade_blacklist ) {
exit 0 unless convert_blacklist || $upgrade_tcrules; exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
} else { } else {
setup_blacklist; setup_blacklist;
} }
@ -1826,7 +1988,7 @@ sub add_output_jumps( $$$$$$$ ) {
our @vservers; our @vservers;
our %output_jump_added; our %output_jump_added;
my $chain1 = rules_target firewall_zone , $zone; my $chain1 = rules_target( firewall_zone , $zone );
my $chain1ref = $filter_table->{$chain1}; my $chain1ref = $filter_table->{$chain1};
my $nextchain = dest_exclusion( $exclusions, $chain1 ); my $nextchain = dest_exclusion( $exclusions, $chain1 );
my $outputref; my $outputref;
@ -2408,8 +2570,8 @@ sub setup_mss( ) {
# #
# Compile the stop_firewall() function # Compile the stop_firewall() function
# #
sub compile_stop_firewall( $$$ ) { sub compile_stop_firewall( $$$$ ) {
my ( $test, $export, $have_arptables ) = @_; my ( $test, $export, $have_arptables, $routestopped ) = @_;
my $input = $filter_table->{INPUT}; my $input = $filter_table->{INPUT};
my $output = $filter_table->{OUTPUT}; my $output = $filter_table->{OUTPUT};
@ -2598,7 +2760,12 @@ EOF
} }
} }
process_routestopped unless process_stoppedrules; if ( $routestopped ) {
convert_routestopped;
process_stoppedrules;
} else {
process_routestopped unless process_stoppedrules;
}
if ( have_capability 'IFACE_MATCH' ) { if ( have_capability 'IFACE_MATCH' ) {
add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback'; add_ijump $input, j => 'ACCEPT', iface => '--dev-in --loopback';

View File

@ -275,11 +275,14 @@ sub process_format( $ ) {
$file_format = $format; $file_format = $format;
} }
sub setup_conntrack() { sub setup_conntrack($) {
my $convert = shift;
my $fn;
my @files = $convert ? ( qw/notrack conntrack/ ) : ( 'conntrack' );
for my $name ( qw/notrack conntrack/ ) { for my $name ( @files ) {
my $fn = open_file( $name, 3 , 1 ); $fn = open_file( $name, 3 , 1 );
if ( $fn ) { if ( $fn ) {
@ -341,12 +344,70 @@ sub setup_conntrack() {
} else { } else {
warning_message "Unable to remove empty notrack file ($fn): $!"; warning_message "Unable to remove empty notrack file ($fn): $!";
} }
$convert = undef;
}
}
} elsif ( $name eq 'notrack' ) {
$convert = undef;
if ( -f ( my $fn1 = find_file( $name ) ) ) {
if ( unlink( $fn1 ) ) {
warning_message "Empty notrack file ($fn1) removed";
} else { } else {
warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file"; warning_message "Unable to remove empty notrack file ($fn1): $!";
} }
} }
} }
} }
if ( $convert ) {
my $conntrack;
my $empty = 1;
if ( $fn ) {
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
} else {
open $conntrack, '>', $fn = find_file 'conntrack' or fatal_error "Unable to open $fn for notrack conversion: $!";
print $conntrack <<'EOF';
#
# Shorewall version 5 - conntrack File
#
# For information about entries in this file, type "man shorewall-conntrack"
#
##############################################################################################################
EOF
print $conntrack '?' . "FORMAT 3\n";
print $conntrack <<'EOF';
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP
EOF
}
$fn = open_file( 'notrack' , 3, 1 ) || fatal_error "Unable to open the notrack file for conversion: $!";
while ( read_a_line( PLAIN_READ ) ) {
#
# Don't copy the header comments from the old notrack file
#
next if $empty && ( $currentline =~ /^\s*#/ || $currentline =~ /^\s*$/ );
if ( $empty ) {
#
# First non-commentary line
#
$empty = undef;
print $conntrack '?' . "FORMAT 1\n" unless $currentline =~ /^\s*\??FORMAT/i;
}
print $conntrack "$currentline\n";
}
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
progress_message2 "notrack file $fn saved in $fn.bak"
}
} }
1; 1;

View File

@ -27,7 +27,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>. # along with this program; if not, see <http://www.gnu.org/licenses/>.
# #
# This module deals with Traffic Shaping and the tcrules file. # This module deals with Traffic Shaping and the mangle file.
# #
package Shorewall::Tc; package Shorewall::Tc;
require Exporter; require Exporter;
@ -3162,7 +3162,7 @@ sub process_secmark_rule() {
} }
# #
# Process the tcrules file and setup traffic shaping # Process the mangle file and setup traffic shaping
# #
sub setup_tc( $ ) { sub setup_tc( $ ) {
$tcrules = $_[0]; $tcrules = $_[0];
@ -3243,11 +3243,22 @@ sub setup_tc( $ ) {
fatal_error "Cannot Rename $fn to $fn.bak: $!"; fatal_error "Cannot Rename $fn to $fn.bak: $!";
} }
} else { } else {
warning_message "Non-empty tcrules file ($fn); consider running '$product update -t'"; if ( unlink $fn ) {
warning_message "Empty tcrules file ($fn) removed";
} else {
warning_message "Unable to remove empty tcrules file $fn: $!";
}
}
close $mangle, directive_callback( 0 ) if $tcrules;
} elsif ( $tcrules && -f ( my $fn = find_file( 'tcrules' ) ) ) {
if ( unlink $fn ) {
warning_message "Empty tcrules file ($fn) removed";
} else {
warning_message "Unable to remove empty tcrules file $fn: $!";
} }
} }
close $mangle, directive_callback( 0 ) if $tcrules;
} }
if ( my $fn = open_file( 'mangle', 1, 1 ) ) { if ( my $fn = open_file( 'mangle', 1, 1 ) ) {

View File

@ -42,6 +42,8 @@
# --config_path=<path-list> # Search path for config files # --config_path=<path-list> # Search path for config files
# --inline # Update alternative column specifications # --inline # Update alternative column specifications
# --tcrules # Create mangle from tcrules # --tcrules # Create mangle from tcrules
# --routestopped # Create stoppedrules from routestopped
# --notrack # Create conntrack from notrack
# #
use strict; use strict;
use FindBin; use FindBin;
@ -77,6 +79,8 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
[ --config_path=<path-list> ] [ --config_path=<path-list> ]
[ --inline ] [ --inline ]
[ --tcrules ] [ --tcrules ]
[ --routestopped ]
[ --notrack ]
_EOF_ _EOF_
exit shift @_; exit shift @_;
@ -107,6 +111,8 @@ my $shorewallrc = '';
my $shorewallrc1 = ''; my $shorewallrc1 = '';
my $inline = 0; my $inline = 0;
my $tcrules = 0; my $tcrules = 0;
my $routestopped = 0;
my $notrack = 0;
Getopt::Long::Configure ('bundling'); Getopt::Long::Configure ('bundling');
@ -141,6 +147,8 @@ my $result = GetOptions('h' => \$help,
'convert' => \$convert, 'convert' => \$convert,
'inline' => \$inline, 'inline' => \$inline,
'tcrules' => \$tcrules, 'tcrules' => \$tcrules,
'routestopped' => \$routestopped,
'notrack' => \$notrack,
'config_path=s' => \$config_path, 'config_path=s' => \$config_path,
'shorewallrc=s' => \$shorewallrc, 'shorewallrc=s' => \$shorewallrc,
'shorewallrc1=s' => \$shorewallrc1, 'shorewallrc1=s' => \$shorewallrc1,

View File

@ -453,6 +453,8 @@ compiler() {
[ -n "$g_directives" ] && options="$options --directives" [ -n "$g_directives" ] && options="$options --directives"
[ -n "$g_tcrules" ] && options="$options --tcrules" [ -n "$g_tcrules" ] && options="$options --tcrules"
[ -n "$g_inline" ] && options="$options --inline" [ -n "$g_inline" ] && options="$options --inline"
[ -n "$g_routestopped" ] && options="$options --routestopped"
[ -n "$g_notrack" ] && options="$options --notrack"
if [ -n "$PERL" ]; then if [ -n "$PERL" ]; then
if [ ! -x "$PERL" ]; then if [ ! -x "$PERL" ]; then
@ -884,11 +886,21 @@ update_command() {
g_tcrules=Yes g_tcrules=Yes
option=${option#t} option=${option#t}
;; ;;
s*)
g_routestopped=Yes
option=${option#s}
;;
n*)
g_notrack=Yes
option=${option#n}
;;
A*) A*)
g_inline=Yes g_inline=Yes
g_convert=Yes g_convert=Yes
g_directives=Yes g_directives=Yes
g_tcrules=Yes g_tcrules=Yes
g_routestopped=Yes
g_notrack=Yes
option=${option#A} option=${option#A}
;; ;;
*) *)