From aa126270b7e0cb4cbba191f9daa5524dc4ce7a89 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille Date: Sun, 21 Jun 2020 19:01:51 +0200 Subject: [PATCH 1/7] Avoid exporting targetfiles Signed-off-by: Matt Darfeuille Signed-off-by: Tom Eastep --- .gitattributes | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 000000000..212697850 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*targetname export-ignore From 631bec276211c885e4f477384cfea70f616018db Mon Sep 17 00:00:00 2001 From: Matt Darfeuille Date: Sun, 21 Jun 2020 19:09:57 +0200 Subject: [PATCH 2/7] List supported releases Signed-off-by: Matt Darfeuille Signed-off-by: Tom Eastep --- docs/support.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/support.xml b/docs/support.xml index 538030019..5c8f84f65 100644 --- a/docs/support.xml +++ b/docs/support.xml @@ -42,10 +42,10 @@ The currently-supported Shorewall major releases are 5.0 , 5.1 and 5.2. + url="ReleaseModel.html">major releases are , 5.1 and 5.2. - Shorewall versions earlier than 5.0.0 are no longer supported; + Shorewall versions earlier than 5.1.0 are no longer supported; we will try to help but we will not spend time reading earlier code to try to help you solve a problem and we will not release a patch to correct any defect found. From a39ecf5b2b3edbb803ee4ee5aa7a503709cfddc6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 21 Jun 2020 11:41:53 -0700 Subject: [PATCH 3/7] Add target file(s) 5.2.5.1 Signed-off-by: Tom Eastep --- docs/docs-targetname | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-targetname b/docs/docs-targetname index 06f1f7cb3..57029590c 100644 --- a/docs/docs-targetname +++ b/docs/docs-targetname @@ -1 +1 @@ -5.2.5-RC1 +5.2.5.1 From 5cc626fa1df866c1852ffc385e566648ed66c7fa Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Sun, 21 Jun 2020 11:42:30 -0700 Subject: [PATCH 4/7] Add target file(s) 5.2.5.1 Signed-off-by: Tom Eastep --- Shorewall/Shorewall-targetname | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Shorewall-targetname b/Shorewall/Shorewall-targetname index 23e55ae89..57029590c 100644 --- a/Shorewall/Shorewall-targetname +++ b/Shorewall/Shorewall-targetname @@ -1 +1 @@ -5.2.5-Beta2 +5.2.5.1 From c9512dfaf8cacfda7b4b4eee1c5f9d2020bf74cb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 25 Jun 2020 09:23:53 -0700 Subject: [PATCH 5/7] Make 'show actions' more robust - Show all lines, including continuation and compiler directives - Show both actions and actions.std entries - The actions file need not reside in /etc/shorewall[6] but may be in any directory on the CONFIG_PATH Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 348ea5879..ea8b52700 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli 
@@ -937,11 +937,28 @@ show_events() { fi } +sort_actions() { + local sep #separates sort keys from the action[.std] record + sep="##" + + awk -v sep="$sep" \ + 'BEGIN { action = ""; ifrec = ""; nr = 0; };\ + /^#/ { next; };\ + /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\ + /^( |\t|\?)/ { if ( action != "" ) print action, NR, sep $0; next; };\ + { action = $1; };\ + nr != 0 { print action , nr, sep ifrec; nr = 0; };\ + { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//" +} + show_actions() { - if [ -f ${g_confdir}/actions ]; then - cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$' + local actions + actions=$(find_file actions) + + if [ -f ${actions} ]; then + cat ${actions} ${g_sharedir}/actions.std | sort_actions else - grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std + sort_actions < ${g_sharedir}/actions.std fi } @@ -1108,10 +1125,6 @@ show_blacklists() { show_bl; } -show_actions_sorted() { - show_actions | sort -u -k 1,1 -} - show_macros() { for directory in $(split $CONFIG_PATH); do temp= @@ -1543,7 +1556,7 @@ show_command() { ;; actions) [ $# -gt 1 ] && too_many_arguments $2 - eval show_actions_sorted $g_pager + eval show_actions $g_pager return ;; macro) From 3f5bdfd705e7d8f5cf742a9e0413b9a4a712e3e6 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 25 Jun 2020 13:32:36 -0700 Subject: [PATCH 6/7] Process the firewall.conf file when running shorewall[6]-lite Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index ea8b52700..501019aa9 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -4025,7 +4025,7 @@ get_config() { ensure_config_path - [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf + [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin 
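Review bot: `sort -k 1,2` in the new sort_actions compares the `action NR` prefix as a single lexical key, so the line-number field is ordered as text and a record from line 100 sorts ahead of one from line 99 inside the same action once the concatenated input passes a digit boundary; `sort -k 1,1 -k 2,2n` keeps the grouping by action and orders the records numerically. In show_actions the new `if [ -f ${actions} ]; then` leaves the variable unquoted, and if find_file can ever return an empty string that collapses to `[ -f ]`, which POSIX test treats as true, so `if [ -f "${actions}" ]; then` is the safer form. The trailing `sed "s/^.*${sep}//"` is greedy and would also strip an action record up to any later `##` it happens to contain; anchoring it to the prefix, e.g. `sed "s/^[^#]*${sep}//"`, removes only the sort-key prefix. Both sort_actions and show_actions are complete within the hunk.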
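Review bot: With the file test corrected, `. ${VARDIR}/firewall.conf` now actually executes when the file exists, and a sourced file runs with the CLI's privileges, so the new line deserves a comment saying where that file comes from and why shorewall[6]-lite needs it; the hunk does not show who writes it, so that is worth confirming. The old expression `$g_firewall.conf` refers to a variable that appears nowhere in the hunk, which suggests the previous check never matched, so this is a behaviour change for lite installs rather than a cosmetic fix. A one-line comment such as `# Source VARDIR/firewall.conf when present (also needed by shorewall[6]-lite)` would make the intent visible. get_config continues outside the hunk.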
From 3ed1cdec948bd78e73abda61c93c2c62d19ed879 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 26 Jun 2020 14:44:00 -0700 Subject: [PATCH 7/7] Rename the snat PORT column to DPORT Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 4 +- Shorewall/Samples/three-interfaces/snat | 2 +- Shorewall/Samples/two-interfaces/snat | 2 +- Shorewall/configfiles/snat | 2 +- Shorewall/manpages/shorewall-snat.xml | 59 +++++++++++++------------ Shorewall6/configfiles/snat | 2 +- docs/configuration_file_basics.xml | 10 ++++- 7 files changed, 46 insertions(+), 35 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 7c9f68ea4..f1bdede00 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -5935,9 +5935,9 @@ sub process_snat( ) { my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = split_line2( 'snat file', - { action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 }, + { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 }, {}, #Nopad - undef, #Columns + 11, #Columns 1 ); #Allow inline matches fatal_error 'ACTION must be specified' if $action eq '-'; diff --git a/Shorewall/Samples/three-interfaces/snat b/Shorewall/Samples/three-interfaces/snat index 25045a074..386aa6fc1 100644 --- a/Shorewall/Samples/three-interfaces/snat +++ b/Shorewall/Samples/three-interfaces/snat 
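Review bot: The last changed line also replaces the `undef` columns argument of split_line2 with `11`, a second behavioural change that neither the commit title ('Rename the snat PORT column to DPORT') nor its message mentions; if that argument drives column-count validation, snat entries are now checked against a fixed count where they previously were not. Either keep that in its own commit or explain it in the trailing comment, e.g. `11, #Columns - explicit count, see commit message`. The `dport => 4` alias next to `port => 4` matches the manpage wording that both names are accepted in the alternative input format, but what split_line2 does when one line supplies both `port=` and `dport=` for the same column is not visible here and is worth a test. process_snat continues past the end of the hunk.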
@@ -13,7 +13,7 @@ # # See https://shorewall.org/manpages/shorewall-snat.html for more information ########################################################################################################################################### -#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY +#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY # # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016 # diff --git a/Shorewall/Samples/two-interfaces/snat b/Shorewall/Samples/two-interfaces/snat index 916ef1ae6..48c659ea8 100644 --- a/Shorewall/Samples/two-interfaces/snat +++ b/Shorewall/Samples/two-interfaces/snat @@ -13,7 +13,7 @@ # # See https://shorewall.org/manpages/shorewall-snat.html for more information ########################################################################################################################################### -#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY +#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY # # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016 # diff --git a/Shorewall/configfiles/snat b/Shorewall/configfiles/snat index 336bbd73f..7ab873317 100644 --- a/Shorewall/configfiles/snat +++ b/Shorewall/configfiles/snat @@ -6,4 +6,4 @@ # See https://shorewall.org/manpages/shorewall-snat.html for more information # ########################################################################################################################################### -#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY +#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY diff --git a/Shorewall/manpages/shorewall-snat.xml b/Shorewall/manpages/shorewall-snat.xml index 67b3b9bf9..47fb78963 100644 
--- a/Shorewall/manpages/shorewall-snat.xml +++ b/Shorewall/manpages/shorewall-snat.xml @@ -39,8 +39,8 @@ If you have more than one ISP link, adding entries to this file will not force connections to go out through a particular link. You must use entries in shorewall-rtrules(5) or - PREROUTING entries in shorewall-rtrules(5) or PREROUTING + entries in shorewall-mangle(5) to do that. @@ -68,10 +68,10 @@ where action is an action declared in shorewall-actions(5) - with the option. See https://shorewall.org/Actions.html for - further information. + url="shorewall-actions.html">shorewall-actions(5) with + the option. See https://shorewall.org/Actions.html + for further information. @@ -165,9 +165,9 @@ If you specify an address here, matching packets will have their source address set to that address. If ADD_SNAT_ALIASES is set to Yes or yes in shorewall.conf(5) - then Shorewall will automatically add this address to the - INTERFACE named in the first column (IPv4 only). + url="shorewall.conf.html">shorewall.conf(5) then + Shorewall will automatically add this address to the INTERFACE + named in the first column (IPv4 only). You may also specify a range of up to 256 IP addresses if you want the SNAT address to be assigned from that range in @@ -237,10 +237,10 @@ Normally Masq/SNAT rules are evaluated after those for one-to-one NAT (defined in shorewall-nat(5)). If you - want the rule to be applied before one-to-one NAT rules, follow the - action name with "+": This feature should only be required if you - need to insert rules in this file that preempt entries in shorewall-nat(5)). If you want the + rule to be applied before one-to-one NAT rules, follow the action + name with "+": This feature should only be required if you need to + insert rules in this file that preempt entries in shorewall-nat(5). 
@@ -279,23 +279,23 @@ networks. Multiple interfaces may be listed when the ACTION is MASQUERADE, but this is usually just your internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5), you - may add ":" and a digit to indicate that you - want the alias added with that name (e.g., eth0:0). This will allow - the alias to be displayed with ifconfig. That - is the only use for the alias name; it may not appear in any other - place in your Shorewall configuration. + url="shorewall.conf.html">shorewall.conf(5), you may add ":" + and a digit to indicate that you want the alias + added with that name (e.g., eth0:0). This will allow the alias to be + displayed with ifconfig. That is the only use + for the alias name; it may not appear in any other place in your + Shorewall configuration. Beginning with Shorewall 5.1.12, SNAT may be performed in the nat table's INPUT chain by specifying $FW rather than one or more - interfaces. + interfaces. Each interface must match an entry in shorewall-interfaces(5). Shorewall allows loose matches to wildcard entries in shorewall-interfaces(5). - For example, ppp0 in this - file will match a shorewall-interfaces(5). For + example, ppp0 in this file + will match a shorewall-interfaces(5) entry that defines ppp+. @@ -315,8 +315,8 @@ addresses to indicate that you only want to change the source IP address for packets being sent to those particular destinations. Exclusion is allowed (see shorewall-exclusion(5)) - as are ipset names preceded by a plus sign '+'; + url="shorewall-exclusion.html">shorewall-exclusion(5)) as + are ipset names preceded by a plus sign '+'; If you wish to inhibit the action of ADD_SNAT_ALIASES for this entry then include the ":" but omit the digit: @@ -341,8 +341,7 @@ If you wish to restrict this entry to a particular protocol then enter the protocol name (from protocols(5)) or number here. See - shorewall-rules(5) for + shorewall-rules(5) for details. Beginning with Shorewall 4.5.12, this column can accept a 
@@ -356,10 +355,14 @@ - PORT (Optional) - + {PORT|DPORT} (Optional) - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset} + The column was renamed to DPORT in Shorewall 5.2.5.2. + Beginning with that release, both PORT and DPORT are accepted in the + alternative input format, + If the PROTO column specifies TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136) then you may list one or more port numbers (or names from services(5)) or port ranges separated by diff --git a/Shorewall6/configfiles/snat b/Shorewall6/configfiles/snat index 46943dcd2..6185e9c18 100644 --- a/Shorewall6/configfiles/snat +++ b/Shorewall6/configfiles/snat @@ -6,4 +6,4 @@ # See https://shorewall.org/manpages/shorewall-snat.html for more information # ########################################################################################################################################### -#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY +#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 7316b871a..28449f7ed 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -663,7 +663,7 @@ ACCEPT net:\ mangle - action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers + action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,probability,dscp,switch @@ -738,6 +738,14 @@ ACCEPT net:\ secmark,chain,source,dest,proto,dport,sport,user,mark + + snat + + action,source,dest,proto,port,ipsec,mark,user,switch,origdest,probability + (Note: 'port' may be specified as 'dport' beginning with Shorewall + 5.2.5.2). + + tcclasses