Take advantage of --ctorigdstport

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8795 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-10-22 02:14:45 +00:00
parent dcb0861a45
commit b0e9a0ce22
10 changed files with 44 additions and 6 deletions


@ -12,4 +12,6 @@ Changes in Shorewall 4.2.1
6) Applied Lennart Sorensen's patch for length match.
7) Take advantage --ctorigdstport
Initial release of Shorewall 4.2.0.


@ -1104,7 +1104,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
if [ -n "$CONNTRACK_MATCH" ]; then
qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
fi
if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
@ -1211,7 +1211,7 @@ report_capabilities() {
report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "New Connection Tracking Match Syntax" $NEW_CONNTRACK_MATCH
report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE
report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH
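Review bot: The replaced probe in determine_capabilities no longer exercises the `! --ctorigdst` negation form, yet the flag it sets keeps the name NEW_CONNTRACK_MATCH, so any remaining consumer that reads that flag as "inverted conntrack match accepted" (none is visible here) would now be wrong on an iptables that accepts one syntax but not the other. If both meanings are still needed they should be probed under separate flags; if the negation probe is genuinely obsolete, a one-line comment above the new probe, `# NEW_CONNTRACK_MATCH now certifies --ctorigdstport support (requires -p tcp/udp)`, would stop the next reader from re-adding it. The probe deliberately passes `-p tcp`; the generated rules must do the same, which cannot be checked from this file. The `fi` closing this block is in the hunk but the enclosing function starts outside it.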


@ -90,7 +90,7 @@ Problems corrected in Shorewall 4.2.1
3) iptables 1.4.1 discontinued support of syntax generated by
shorewall in some cases. Shorewall now detects when the new syntax
is accepted and uses it instead.
is required and uses it instead.
4) The Shorewall-perl implementation of the LENGTH column in
/etc/shorewall/tcrules was incomplete with the result that
@ -170,6 +170,16 @@ Other changes in Shorewall 4.2.1
Beginning November 1, 2008 at noon LCT.
3) If your kernel and iptables support "-m conntrack --ctorigdstport"
then Shorewall will utilize that capability to ensure that when you
do port mapping (change the destination port but not the
destination IP address), the final destination port is not open.
To use this feature, you must be running Shorewall-perl and the
output of 'shorewall show capabilities' must show:
Extended Connection Tracking Match Support: Available
New Features in Shorewall 4.2.
1) Shorewall 4.2 contains support for multiple Internet providers


@ -131,6 +131,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
$source ,
$dest = ALLIPv4 ,
'' ,
'' ,
$target ,
'' ,
$disposition ,
@ -151,6 +152,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
$source ,
$dest ,
'' ,
'' ,
$target ,
'' ,
$disposition ,
@ -167,6 +169,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
'' ,
'' ,
'' ,
'' ,
'' ;
}
}
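Review bot: The `''` added to each of the three expand_rule calls in process_accounting_rule is visually identical to the `''` beside it, so a reader cannot tell which parameter this commit introduced or why it is blank; the process_action hunk annotates the same argument as `'', #Original Dest port` and that comment belongs here too. The matching unannotated call sites in setup_one_masq, process_tos, setup_blacklist, process_rule1 and process_tc_rule have the same problem. Positional lists this long (eleven arguments after this change) are the reason the bug is easy to miss; a named-argument form for expand_rule would be the durable fix, but that is beyond this commit. process_accounting_rule starts outside the hunk.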


@ -568,6 +568,7 @@ sub process_action( $$$$$$$$$$ ) {
$source ,
$dest ,
'', #Original Dest
'', #Original Dest port
"-j $action" ,
$level ,
$action ,


@ -1859,7 +1859,7 @@ sub get_interface_mac( $$$ ) {
#
# Returns the destination interface specified in the rule, if any.
#
sub expand_rule( $$$$$$$$$$ )
sub expand_rule( $$$$$$$$$$$ )
{
my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST
@ -1867,6 +1867,7 @@ sub expand_rule( $$$$$$$$$$ )
$source, # SOURCE
$dest, # DEST
$origdest, # ORIGINAL DEST
$oport, # original destination port
$target, # Target ('-j' part of the rule)
$loglevel , # Log level (and tag)
$disposition, # Primative part of the target (RETURN, ACCEPT, ...)
@ -2043,6 +2044,9 @@ sub expand_rule( $$$$$$$$$$ )
if ( $origdest ) {
if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
$origdest = '';
if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
$rule .= "-m conntrack --ctorigdstport $oport ";
}
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
#
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@ -2063,6 +2067,7 @@ sub expand_rule( $$$$$$$$$$ )
push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
$rule .= '-m conntrack --ctorigdst $address ';
$rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
} else {
my $interface = $interfaces[0];
my $variable = get_interface_address( $interface );
@ -2070,6 +2075,7 @@ sub expand_rule( $$$$$$$$$$ )
push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface );
$rule .= "-m conntrack --ctorigdst $variable ";
$rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
}
$origdest = '';
@ -2094,9 +2100,16 @@ sub expand_rule( $$$$$$$$$$ )
$oexcl = '';
}
}
if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
$rule .= "-m conntrack --ctorigdstport $oport ";
}
}
} else {
$oexcl = '';
if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
$rule .= "-m conntrack --ctorigdstport $oport ";
}
}
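Review bot: The two lines `$rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;` in the detect and interface-address branches emit an option name that differs from the `--ctorigdstport` used by the capability probe and by the three other new branches in this sub, so when those branches are taken the generated iptables command carries an option the conntrack match does not define and the rule is rejected at load time; both should read `$rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;`. Those two lines also test plain truth of `$oport` where the other branches use `defined $oport && $oport ne ''`, which treats a port of `0` differently; one form should be used throughout. `--ctorigdstport` is only accepted alongside a protocol match (the probe passes `-p tcp`), and whether every caller that now passes a port also supplies `-p` is not visible in these hunks, so that is worth confirming. expand_rule begins and ends outside the hunks shown.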
#


@ -178,7 +178,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
XMULTIPORT => 'Extended Multi-port Match',
CONNTRACK_MATCH => 'Connection Tracking Match',
NEW_CONNTRACK_MATCH =>
'New Connection Tracking Match syntax',
'Extended Connection Tracking Match',
USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match',
PHYSDEV_MATCH => 'Physdev Match',
@ -1558,7 +1558,7 @@ sub determine_capabilities( $ ) {
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
if ( $capabilities{CONNTRACL_MATCH} ) {
$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT" );
$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
}
if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
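Review bot: The new --ctorigdstport probe is placed inside `if ( $capabilities{CONNTRACL_MATCH} )`, whose key is misspelled relative to the `CONNTRACK_MATCH` assigned on the line just above it; `use strict` does not catch hash-key typos, so unless that misspelled key is populated somewhere not shown, the condition is always false, NEW_CONNTRACK_MATCH is never set by the Perl compiler, and the tighter port matching this commit introduces is silently skipped while `shorewall show capabilities` reports it as unavailable. Since the commit already edits this block it should correct the guard: `if ( $capabilities{CONNTRACK_MATCH} ) {`. As with the shell version, replacing the negation probe changes what NEW_CONNTRACK_MATCH certifies; the %capdesc rename reflects that, but any remaining user of the `! --ctorigdst` form would not.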


@ -278,6 +278,7 @@ sub setup_one_masq($$$$$$$)
$networks ,
$destnets ,
'' ,
'' ,
$target ,
'' ,
'' ,


@ -143,6 +143,7 @@ sub process_tos() {
$src ,
$dst ,
'' ,
'' ,
"-j TOS --set-tos $tos" ,
'' ,
'' ,
@ -316,6 +317,7 @@ sub setup_blacklist() {
$networks ,
'' ,
'' ,
'' ,
"-j $target" ,
'' ,
$disposition ,
@ -1024,6 +1026,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
my $destzone;
my $sourceref;
my $destref;
my $origdstports;
if ( $source =~ /^(.+?):(.*)/ ) {
fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
@ -1135,6 +1138,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
#
$server = $1; # May be empty
$serverport = $3; # Not Empty due to RE
$origdstports = $ports;
if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
#
# Server Port Range
@ -1227,6 +1231,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source ,
$origdest ,
'' ,
'' ,
$target ,
$loglevel ,
$action ,
@ -1264,6 +1269,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source ,
$dest ,
$origdest ,
'',
'-j RETURN ' ,
$loglevel ,
$action ,
@ -1292,6 +1298,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source ,
$dest ,
$origdest ,
$origdstports ,
"-j $action " ,
$loglevel ,
$action ,
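Review bot: `$origdstports = $ports;` passes the rule's port column through verbatim to expand_rule, which places it directly after --ctorigdstport; that option takes a single port or a `low:high` range, whereas the regex a few lines below checks `$serverport` for Shorewall's `low-high` form, and the column presumably can also hold a comma-separated list. If `$ports` can be a range or a list at this point it needs translating (or the rule should be rejected with a fatal_error), otherwise iptables refuses the generated rule at load time and the whole ruleset fails to start. `$origdstports` is only assigned in the DNAT branch and stays undef for every other rule, which expand_rule tolerates via its `defined` check, but that contract deserves a comment at the declaration: `my $origdstports; # original DEST PORT(S) for --ctorigdstport; set only for DNAT`. process_rule1 starts and ends outside these hunks.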


@ -294,6 +294,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
$source ,
$dest ,
'' ,
'' ,
"-j $target $mark" ,
'' ,
'' ,