From c4bbb46e3f113fe1b10fdfce544ac6705fb23b14 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 26 Dec 2016 14:20:08 -0800 Subject: [PATCH] Eliminate rawpost table support Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 24 +---- Shorewall-core/manpages/shorewall.xml | 6 +- Shorewall/Perl/Shorewall/Chains.pm | 24 +---- Shorewall/Perl/Shorewall/Config.pm | 8 -- Shorewall/Perl/Shorewall/Misc.pm | 6 -- Shorewall/Perl/Shorewall/Nat.pm | 103 ++++++---------------- Shorewall/Perl/lib.runtime | 10 --- Shorewall/manpages/shorewall-netmap.xml | 36 ++------ Shorewall6/manpages/shorewall6-netmap.xml | 30 ++----- 9 files changed, 50 insertions(+), 197 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 6b14c6775..8ad0c07ab 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -1007,13 +1007,6 @@ show_raw() { $g_tool -t raw -L $g_ipt_options | $output_filter } -show_rawpost() { - echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)" - echo - show_reset - $g_tool -t rawpost -L $g_ipt_options | $output_filter -} - show_mangle() { echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" echo @@ -1264,7 +1257,7 @@ show_command() { [ $# -eq 1 ] && missing_option_value -t case $2 in - mangle|nat|filter|raw|rawpost) + mangle|nat|filter|raw) table=$2 table_given=Yes ;; @@ -1318,10 +1311,6 @@ show_command() { [ $# -gt 1 ] && too_many_arguments $2 eval show_raw $g_pager ;; - rawpost) - [ $# -gt 1 ] && too_many_arguments $2 - eval show_rawpost $g_pager - ;; tos|mangle) [ $# -gt 1 ] && too_many_arguments $2 eval show_mangle $g_pager @@ -1710,11 +1699,6 @@ do_dump_command() { $g_tool -t raw -L $g_ipt_options fi - if qt $g_tool -t rawpost -L -n; then - heading "Rawpost Table" - $g_tool -t rawpost -L $g_ipt_options - fi - local count local max @@ -2765,7 +2749,6 @@ determine_capabilities() { CONNMARK_MATCH= XCONNMARK_MATCH= RAW_TABLE= - RAWPOST_TABLE= IPP2P_MATCH= OLD_IPP2P_MATCH= LENGTH_MATCH= 
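Review bot: do_dump_command no longer probes `qt $g_tool -t rawpost -L -n`, so a host that still has the rawpost table loaded, with RAWSNAT/RAWDNAT rules left from a configuration compiled before this change or added by hand, will no longer show them in `shorewall dump` even though they still rewrite addresses before the NAT rules the compiler now emits. dump is diagnostic rather than configuration, so keeping the probe while removing compiler support costs nothing and keeps stray rules visible to whoever reads the dump. If dropping it is intentional, a one-line comment in do_dump_command such as `# rawpost table is no longer managed or dumped; flush it manually after upgrading` would record that. Whether stop/clear still flushes rawpost is not visible in this hunk, and do_dump_command continues past it.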
@@ -3017,7 +3000,6 @@ determine_capabilities() { fi qt $g_tool -t raw -L -n && RAW_TABLE=Yes - qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes if [ -n "$RAW_TABLE" ]; then qt $g_tool -t raw -F $chain @@ -3243,7 +3225,6 @@ report_capabilities_unsorted() { report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE - report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET @@ -3372,7 +3353,6 @@ report_capabilities_unsorted1() { report_capability1 CONNMARK_MATCH report_capability1 XCONNMARK_MATCH report_capability1 RAW_TABLE - report_capability1 RAWPOST_TABLE report_capability1 IPP2P_MATCH report_capability1 OLD_IPP2P_MATCH report_capability1 CLASSIFY_TARGET @@ -4323,7 +4303,7 @@ usage() # $1 = exit status echo " [ show | list | ls ] ipsec" echo " [ show | list | ls ] [ -m ] log []" - echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost" + echo " [ show | list | ls ] [ -x ] mangle|nat|raw" ecko " [ show | list | ls ] macro " ecko " [ show | list | ls ] macros" echo " [ show | list | ls ] nfacct" diff --git a/Shorewall-core/manpages/shorewall.xml b/Shorewall-core/manpages/shorewall.xml index 5dad5d6e2..77a7c35b2 100644 --- a/Shorewall-core/manpages/shorewall.xml +++ b/Shorewall-core/manpages/shorewall.xml @@ -665,7 +665,7 @@ - {|||} + {|||} chain @@ -749,7 +749,7 @@ - + @@ -2395,7 +2395,7 @@ [-] [-] [-] [- - {||||}] + {|||}] [ chain... ] diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 2b5b7c207..08b0291d5 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
@@ -120,7 +120,6 @@ our @EXPORT = ( qw( %chain_table %targets $raw_table - $rawpost_table $nat_table $mangle_table $filter_table @@ -197,7 +196,6 @@ our %EXPORT_TAGS = ( ensure_mangle_chain ensure_nat_chain ensure_raw_chain - ensure_rawpost_chain new_standard_chain new_action_chain new_builtin_chain @@ -418,7 +416,6 @@ our $VERSION = 'MODULEVERSION'; # our %chain_table; our $raw_table; -our $rawpost_table; our $nat_table; our $mangle_table; our $filter_table; @@ -759,13 +756,11 @@ sub initialize( $$$ ) { ( $family, my $hard, $export ) = @_; %chain_table = ( raw => {}, - rawpost => {}, mangle => {}, nat => {}, filter => {} ); $raw_table = $chain_table{raw}; - $rawpost_table = $chain_table{rawpost}; $nat_table = $chain_table{nat}; $mangle_table = $chain_table{mangle}; $filter_table = $chain_table{filter}; @@ -2764,14 +2759,6 @@ sub ensure_raw_chain($) { $chainref; } -sub ensure_rawpost_chain($) { - my $chain = $_[0]; - - my $chainref = ensure_chain 'rawpost', $chain; - $chainref->{referenced} = 1; - $chainref; -} - # # Add a builtin chain # @@ -2970,8 +2957,6 @@ sub initialize_chain_table($) { new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0; } - new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT'; - for my $chain ( qw(INPUT OUTPUT FORWARD) ) { new_builtin_chain 'filter', $chain, 'DROP'; } @@ -3034,8 +3019,6 @@ sub initialize_chain_table($) { new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0; } - new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT'; - for my $chain ( qw(INPUT OUTPUT FORWARD) ) { new_builtin_chain 'filter', $chain, 'DROP'; } @@ -3339,7 +3322,7 @@ sub check_optimization( $ ) { # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set. # sub optimize_level0() { - for my $table ( qw/raw rawpost mangle nat filter/ ) { + for my $table ( qw/raw mangle nat filter/ ) { my $tableref = $chain_table{$table}; next unless $tableref; 
@@ -4258,7 +4241,6 @@ sub valid_tables() { my @table_list; push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); - push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' ); push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; push @table_list, 'filter'; #MUST BE LAST!!! @@ -8939,7 +8921,7 @@ sub create_chainlist_reload($) { for my $chain ( @chains ) { ( $table , $chain ) = split ':', $chain if $chain =~ /:/; - fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/; + fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/; $chains{$table} = {} unless $chains{$table}; @@ -8968,7 +8950,7 @@ sub create_chainlist_reload($) { enter_cat_mode; - for $table ( qw(raw rawpost nat mangle filter) ) { + for $table ( qw(raw nat mangle filter) ) { my $tableref=$chains{$table}; next unless $tableref; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 2202f384e..bf4aa37ac 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -389,7 +389,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT', HEADER_MATCH => 'Header Match', ACCOUNT_TARGET => 'ACCOUNT Target', AUDIT_TARGET => 'AUDIT Target', - RAWPOST_TABLE => 'Rawpost Table', CONDITION_MATCH => 'Condition Match', IPTABLES_S => 'iptables -S', BASIC_FILTER => 'Basic Filter', @@ -980,7 +979,6 @@ sub initialize( $;$$) { CONNMARK_MATCH => undef, XCONNMARK_MATCH => undef, RAW_TABLE => undef, - RAWPOST_TABLE => undef, IPP2P_MATCH => undef, OLD_IPP2P_MATCH => undef, CLASSIFY_TARGET => undef, @@ -4516,10 +4514,6 @@ sub Raw_Table() { qt1( "$iptables $iptablesw -t raw -L -n" ); } -sub Rawpost_Table() { - qt1( "$iptables $iptablesw -t rawpost -L -n" ); -} - sub Old_IPSet_Match() { my $ipset = $config{IPSET} || 'ipset'; my $result = 0; 
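Review bot: Removing `RAWPOST_TABLE => undef` from the %capabilities initializer means a capabilities file saved by an earlier release (`shorewall show -f capabilities`) still carries a `RAWPOST_TABLE=` line that no longer matches a known key. How the loader treats an unknown key is not visible in this hunk; please confirm it warns and skips rather than aborting the compile, otherwise every installation with a stale capabilities file breaks on upgrade. A comment at the initializer, e.g. `# RAWPOST_TABLE was removed with rawpost support; older capabilities files may still list it`, would record the compatibility decision for the next reader. Shorewall::Config::initialize starts before this hunk.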
@@ -4926,7 +4920,6 @@ our %detect_capability = POLICY_MATCH => \&Policy_Match, PPTP_HELPER => \&PPTP_Helper, RAW_TABLE => \&Raw_Table, - RAWPOST_TABLE => \&Rawpost_Table, REALM_MATCH => \&Realm_Match, REAP_OPTION => \&Reap_Option, RECENT_MATCH => \&Recent_Match, @@ -5054,7 +5047,6 @@ sub determine_capabilities() { $capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' ); $capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' ); $capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' ); - $capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' ); $capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' ); $capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' ); $capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' ); diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index d55c86d36..ccf836408 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -1679,12 +1679,6 @@ sub add_interface_jumps { addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface ); - if ( have_capability 'RAWPOST_TABLE' ) { - insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface}; - insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface}; - insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface}; - } - add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy ); } # 
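Review bot: The removed block also drops the raw-table jumps from `$raw_table->{PREROUTING}` to `prerouting_chain( $interface )` and from `$raw_table->{OUTPUT}` to `output_chain( $interface )`; they were gated on RAWPOST_TABLE but populate the raw table, not rawpost. If any other code path still creates a per-interface prerouting or output chain in the raw table, that chain now has no jump from the builtin chain and optimize_level0 will delete it as unreferenced, so its rules vanish without an error; worth a grep for ensure_raw_chain callers before merging. If the stateless-NAT code in Nat.pm was the only creator of those chains, a comment here, e.g. `# per-interface raw chains were only populated by stateless NAT (removed)`, would save the next reader the same check. add_interface_jumps starts before this hunk.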
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 3685e7358..e015335ff 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -790,88 +790,39 @@ sub setup_netmap() { my @rule = do_iproto( $proto, $dport, $sport ); - unless ( $type =~ /:/ ) { - my @rulein; - my @ruleout; + my @rulein; + my @ruleout; - $net1 = validate_net $net1, 0; - $net2 = validate_net $net2, 0; + $net1 = validate_net $net1, 0; + $net2 = validate_net $net2, 0; - if ( $interfaceref->{root} ) { - $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical}; - } else { - @rulein = imatch_source_dev( $interface ); - @ruleout = imatch_dest_dev( $interface ); - $interface = $interfaceref->{name}; - } + if ( $interfaceref->{root} ) { + $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical}; + } else { + @rulein = imatch_source_dev( $interface ); + @ruleout = imatch_dest_dev( $interface ); + $interface = $interfaceref->{name}; + } - require_capability 'NAT_ENABLED', 'Stateful NAT Entries', ''; + require_capability 'NAT_ENABLED', 'Stateful NAT Entries', ''; - if ( $type eq 'DNAT' ) { - dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) , - j => 'NETMAP' , - "--to $net2", - $net1 , - @rulein , - imatch_source_net( $net3 ) ); - } elsif ( $type eq 'SNAT' ) { - source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) , - j => 'NETMAP' , - "--to $net2" , - $net1 , - @ruleout , - imatch_dest_net( $net3 ) ); - } else { - fatal_error "Invalid type ($type)"; - } - } elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) { - my ( $target , $chain ) = ( $1, $2 ); - my $table = 'raw'; - my @match; - - require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', ''; - - $net2 = validate_net $net2, 0; - - unless ( $interfaceref->{root} ) { - @match = imatch_dest_dev( $interface ); - $interface = $interfaceref->{name}; - } - - if ( $chain eq 'P' ) { - $chain = prerouting_chain $interface; - @match = imatch_source_dev( $iface ) unless $iface eq $interface; - } elsif ( $chain eq 'O' ) { - $chain = output_chain $interface; - } else { - $chain = postrouting_chain $interface; - $table = 
'rawpost'; - } - - my $chainref = ensure_chain( $table, $chain ); - - - if ( $target eq 'DNAT' ) { - dest_iexclusion( $chainref , - j => 'RAWDNAT' , - "--to-dest $net2" , - $net1 , - imatch_source_net( $net3 ) , - @rule , - @match - ); - } else { - source_iexclusion( $chainref , - j => 'RAWSNAT' , - "--to-source $net2" , - $net1 , - imatch_dest_net( $net3 ) , - @rule , - @match ); - } + if ( $type eq 'DNAT' ) { + dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) , + j => 'NETMAP' , + "--to $net2", + $net1 , + @rulein , + imatch_source_net( $net3 ) ); + } elsif ( $type eq 'SNAT' ) { + source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) , + j => 'NETMAP' , + "--to $net2" , + $net1 , + @ruleout , + imatch_dest_net( $net3 ) ); } else { fatal_error 'TYPE must be specified' if $type eq '-'; - fatal_error "Invalid TYPE ($type)"; + fatal_error "Invalid type ($type)"; } progress_message " Network $net1 on $iface mapped to $net2 ($type)"; diff --git a/Shorewall/Perl/lib.runtime b/Shorewall/Perl/lib.runtime index 8b3acdd9f..2aa0e1cdc 100644 --- a/Shorewall/Perl/lib.runtime +++ b/Shorewall/Perl/lib.runtime @@ -526,13 +526,6 @@ debug_restore_input() { qt1 $g_tool -t raw -P $chain ACCEPT done - qt1 $g_tool -t rawpost -F - qt1 $g_tool -t rawpost -X - - for chain in POSTROUTING; do - qt1 $g_tool -t rawpost -P $chain ACCEPT - done - qt1 $g_tool -t nat -F qt1 $g_tool -t nat -X @@ -582,9 +575,6 @@ debug_restore_input() { '*'raw) table=raw ;; - '*'rawpost) - table=rawpost - ;; '*'mangle) table=mangle ;; diff --git a/Shorewall/manpages/shorewall-netmap.xml b/Shorewall/manpages/shorewall-netmap.xml index 5c461928f..56b714ae7 100644 --- a/Shorewall/manpages/shorewall-netmap.xml +++ b/Shorewall/manpages/shorewall-netmap.xml 
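Review bot: With the stateless branch gone, `my @rule = do_iproto( $proto, $dport, $sport );` at the top of the hunk is computed but never passed to either NETMAP rule, so PROTO/DPORT/SPORT values in a netmap entry are accepted and silently ignored (unless @rule is consumed later in the loop body, which continues outside the hunk). A user who restricts a mapping to a port would get an unrestricted NETMAP rule, which is the wrong way to fail; either splice `@rule` into the dest_iexclusion/source_iexclusion argument lists if the match is valid with NETMAP, or reject non-'-' values up front with `fatal_error "PROTO, DPORT and SPORT are not supported with stateful NAT"`. The new `fatal_error "Invalid type ($type)"` is also what an existing `DNAT:P` or `SNAT:T` entry now hits; `fatal_error "Invalid type ($type) - stateless NAT (:P/:O/:T) is no longer supported"` would tell the upgrader what broke. setup_netmap begins before this hunk.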
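Review bot: With the `qt1 $g_tool -t rawpost -F`, `-X` and `-P POSTROUTING ACCEPT` lines gone, debug_restore_input leaves whatever is in the rawpost table untouched, so on a host upgraded in place any RAWSNAT/RAWDNAT rules installed by the previous release survive a debug restart and keep rewriting addresses alongside the new NETMAP rules. Flushing a table you no longer manage appears harmless when the table is absent, since qt1 looks like a quiet wrapper that discards the failure, so keeping `qt1 $g_tool -t rawpost -F` and `qt1 $g_tool -t rawpost -X` as a cleanup step, or documenting that the table must be cleared by hand after upgrading, would close that window. Whether the non-debug restore path or stop/clear flushes rawpost is not visible here. debug_restore_input starts before this hunk and continues past it.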
@@ -41,38 +41,18 @@ TYPE - {DNAT|SNAT}[:{P|O|T}] + role="bold">SNAT} - Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be - optionally followed by :P, :O or :T to perform stateless - NAT. Stateless NAT requires Rawpost Table - support in your kernel and iptables (see the output of - shorewall show capabilities). + Must be DNAT or SNAT - If DNAT or DNAT:P, traffic entering INTERFACE and addressed to - NET1 has its destination address rewritten to the corresponding - address in NET2. + If DNAT, traffic entering INTERFACE and addressed to NET1 has + its destination address rewritten to the corresponding address in + NET2. - If SNAT or SNAT:T, traffic leaving INTERFACE with a source - address in NET1 has it's source address rewritten to the - corresponding address in NET2. - - If DNAT:O, traffic originating on the firewall and leaving via - INTERFACE and addressed to NET1 has its destination address - rewritten to the corresponding address in NET2. - - If DNAT:P, traffic entering via INTERFACE and addressed to - NET1 has its destination address rewritten to the corresponding - address in NET2. - - If SNAT:P, traffic entering via INTERFACE with a destination - address in NET1 has it's source address rewritten to the - corresponding address in NET2. - - If SNAT:O, traffic originating on the firewall and leaving via - INTERFACE with a source address in NET1 has it's source address - rewritten to the corresponding address in NET2. + If SNAT, traffic leaving INTERFACE with a source address in + NET1 has it's source address rewritten to the corresponding address + in NET2. diff --git a/Shorewall6/manpages/shorewall6-netmap.xml b/Shorewall6/manpages/shorewall6-netmap.xml index a401227b9..a8af2bc3e 100644 --- a/Shorewall6/manpages/shorewall6-netmap.xml +++ b/Shorewall6/manpages/shorewall6-netmap.xml 
@@ -29,8 +29,8 @@ addresses in a second network. It was added in Shorewall6 4.4.23.3. - To use this file, your kernel and ip6tables must have RAWPOST - table support included. + To use this file, your kernel and ip6tables must have NETMAP + support included. The columns in the file are as follows (where the column name is @@ -41,7 +41,7 @@ TYPE - {DNAT|SNAT}:{P|O|T} + role="bold">SNAT} Must be DNAT or SNAT followed by :P, :O or :T to perform @@ -50,29 +50,13 @@ iptables (see the output of shorewall6 show capabilities). - If DNAT:P, traffic entering INTERFACE and addressed to NET1 - has its destination address rewritten to the corresponding address - in NET2. + If DNAT, traffic entering INTERFACE and addressed to NET1 has + its destination address rewritten to the corresponding address in + NET2. - If SNAT:T, traffic leaving INTERFACE with a source address in + If SNAT, traffic leaving INTERFACE with a source address in NET1 has it's source address rewritten to the corresponding address in NET2. - - If DNAT:O, traffic originating on the firewall and leaving via - INTERFACE and addressed to NET1 has its destination address - rewritten to the corresponding address in NET2. - - If DNAT:P, traffic entering via INTERFACE and addressed to - NET1 has its destination address rewritten to the corresponding - address in NET2. - - If SNAT:P, traffic entering via INTERFACE with a destination - address in NET1 has it's source address rewritten to the - corresponding address in NET2. - - If SNAT:O, traffic originating on the firewall and leaving via - INTERFACE with a source address in NET1 has it's source address - rewritten to the corresponding address in NET2.