diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 0e6b24572..105aef5f2 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -1470,10 +1470,22 @@ do_dump_command() { $g_tool -t rawpost -L $g_ipt_options fi - local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) - local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) + local count + local max - heading "Conntrack Table ($count out of $max)" + if [ -f /proc/sys/net/netfilter/nf_conntrack_count ]; then + count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) + max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) + + heading "Conntrack Table ($count out of $max)" + elif [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_count ]; then + count=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count) + max=$(cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max) + + heading "Conntrack Table ($count out of $max)" + else + heading "Conntrack Table" + fi if [ $g_family -eq 4 ]; then [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack @@ -3583,7 +3595,6 @@ usage() # $1 = exit status echo " start [ -f ] [ -p ] [ ]" echo " stop" echo " status [ -i ]" - echo " run [ function ... ]" echo " version [ -a ]" echo exit $1 diff --git a/Shorewall-init/shorewall-init b/Shorewall-init/shorewall-init index dea336538..52b1e6426 100644 --- a/Shorewall-init/shorewall-init +++ b/Shorewall-init/shorewall-init @@ -63,18 +63,19 @@ shorewall_start () { for PRODUCT in $PRODUCTS; do setstatedir - if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then + if [ -x ${STATEDIR}/firewall ]; then # # Run in a sub-shell to avoid name collisions # ( - if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then - ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || exit 1 + if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then + ${STATEDIR}/firewall ${OPTIONS} stop || exit 1 else exit 1 fi ) else + echo ERROR: ${STATEDIR}/firewall does not exist or is not executable! exit 1 fi done 
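Review bot: Each new branch tests only the `_count` file and then reads both `_count` and `_max`, so if a kernel ever exposes the first without the second the `cat` of `nf_conntrack_max` (or `ip_conntrack_max`) fails, its error message lands in the dump output and the heading reads `(N out of )`. Guarding the second read, `[ -f /proc/sys/net/netfilter/nf_conntrack_max ] && max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)`, keeps the dump clean; the same applies to the ipv4 branch. The two branches are identical apart from the directory, so a single loop over the two path prefixes that stops at the first `_count` file found would remove the duplicated `heading` lines. do_dump_command starts and ends outside the hunk.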
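Review bot: The new `echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!` sends the diagnostic to stdout and passes the message as an unquoted word list; for an init script it belongs on stderr as one quoted string, `echo "ERROR: ${STATEDIR}/firewall does not exist or is not executable!" >&2`. The path change from `${STATEDIR}/$PRODUCT/firewall` to `${STATEDIR}/firewall` presumably relies on `setstatedir` now folding the product into STATEDIR; setstatedir is not in the patch, so that is worth confirming. The parallel change in shorewall_stop (next hunk) still silently skips a missing or non-executable firewall script, which may be intended for stop but is now inconsistent with start. The body of shorewall_start begins outside the hunk.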
@@ -95,8 +96,8 @@ shorewall_stop () { for PRODUCT in $PRODUCTS; do setstatedir - if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then - ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || exit 1 + if [ -x ${STATEDIR}/firewall ]; then + ${STATEDIR}/firewall ${OPTIONS} clear || exit 1 fi done diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 69c62574d..add7313af 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -155,8 +155,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) { my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_; - $acctable = $config{ACCOUNTING_TABLE}; - $jumpchainref = 0; $asection = LEGACY if $asection < 0; @@ -453,6 +451,8 @@ sub setup_accounting() { set_section_function( &process_section ); + $acctable = $config{ACCOUNTING_TABLE}; + first_entry "$doing $fn..."; my $nonEmpty = 0; diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index a0ce20821..5330e45a9 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -308,13 +308,14 @@ sub generate_script_2() { set_global_variables(1); - handle_optional_interfaces(0); - if ( $global_variables & NOT_RESTORE ) { + handle_optional_interfaces(0); emit ';;'; pop_indent; pop_indent; emit ( 'esac' ); + } else { + handle_optional_interfaces(1); } } else { emit( 'true' ) unless handle_optional_interfaces(1); diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index e0a3fb662..8f43fde7a 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
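Review bot: The `$jumpchainref = 0;` reset removed from process_accounting_rule1 is not reinstated anywhere in the patch, whereas the `$acctable` assignment is moved to setup_accounting in the next hunk. Unless every path through process_accounting_rule1 assigns `$jumpchainref` before reading it, the value left by the previous rule now carries over into the next one; if the reset was only ever redundant, a short comment at the point where `$jumpchainref` is first assigned would make that clear. The rest of process_accounting_rule1 lies outside the hunk, so this is inferred from the visible lines.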
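Review bot: The new inner `else` branch calls `handle_optional_interfaces(1)` and discards its result, whereas the sibling branch a few lines down relies on it, `emit( 'true' ) unless handle_optional_interfaces(1);`, to keep the generated shell block from being empty. If the block emitted here can also end up empty when there are no optional interfaces, the same guard is needed; if the surrounding output guarantees a statement, a one-line comment saying why the return value is safe to ignore would stop the question recurring. generate_script_2 starts and ends outside the hunk.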
@@ -994,7 +994,7 @@ sub add_common_rules ( $$ ) { for my $hostref ( @$list ) { $interface = $hostref->[0]; my $ipsec = $hostref->[1]; - my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); + my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my $target = source_exclusion( $hostref->[3], $chainref ); for $chain ( option_chains $interface ) { @@ -1118,7 +1118,8 @@ sub add_common_rules ( $$ ) { for my $hostref ( @$list ) { my $interface = $hostref->[0]; my $target = source_exclusion( $hostref->[3], $chainref ); - my @policy = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : (); + my $ipsec = $hostref->[1]; + my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); for $chain ( option_chains $interface ) { add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy ); @@ -1289,7 +1290,7 @@ sub setup_mac_lists( $ ) { for my $hostref ( @$maclist_hosts ) { my $interface = $hostref->[0]; my $ipsec = $hostref->[1]; - my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); + my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my @source = imatch_source_net $hostref->[2]; my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 7bfa883d0..064569e1f 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -460,6 +460,9 @@ sub process_a_provider( $ ) { fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface; + # + # Switch to the logical name if a physical name was passed + # my $physical; if ( $interface eq $interfaceref->{name} ) { 
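Review bot: `$ipsec && have_ipsec ? ( policy => ... ) : ()` reads correctly only because `&&` binds tighter than `?:`; parenthesising the condition, `my @policy = ( $ipsec && have_ipsec ) ? ( policy => "--pol $ipsec --dir in" ) : ();`, makes the intent explicit at all three sites (this hunk, the -1118 hunk, and the -1289 hunk in setup_mac_lists). The new guard also depends on find_hosts_by_option in Zones.pm now storing `''` rather than `'none'` in the ipsec slot for zone-less interfaces; a comment such as `# $ipsec is '' for hosts without an IPSEC policy; emit no --pol match for them` next to the first site would record that coupling. add_common_rules starts and ends outside the hunk.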
@@ -1293,9 +1296,11 @@ sub start_providers() { emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo}; } - emit_unindented "EOF\n"; + emit_unindented 'EOF'; - emit "fi\n"; + emit( 'else', + ' error_message "WARNING: /etc/iproute2/rt_tables is missing or is not writeable"', + "fi\n" ); } emit ( '#', @@ -1892,8 +1897,10 @@ sub handle_optional_interfaces( $ ) { if ( @$interfaces ) { my $require = $config{REQUIRE_INTERFACE}; + my $gencase = shift; - verify_required_interfaces( shift ); + verify_required_interfaces( $gencase ); + emit '' if $gencase; emit( 'HAVE_INTERFACE=', '' ) if $require; # diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index df3848f91..98b323c67 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -2121,14 +2121,26 @@ sub have_ipsec() { sub find_hosts_by_option( $ ) { my $option = $_[0]; my @hosts; + my %done; + + for my $interface ( @interfaces ) { + my $value = $interfaces{$interface}{options}{$option}; + if ( ! $interfaces{$interface}{zone} && $value ) { + push @hosts, [ $interface, '', ALLIP , [], $value ]; + $done{$interface} = 1; + } + } for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) { while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { for my $host ( @{$arrayref} ) { - if ( my $value = $host->{options}{$option} ) { - for my $net ( @{$host->{hosts}} ) { - push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ]; + my $ipsec = $host->{ipsec}; + unless ( $done{$interface} ) { + if ( my $value = $host->{options}{$option} ) { + for my $net ( @{$host->{hosts}} ) { + push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ]; + } } } } 
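Review bot: The text added in the new `else` branch, `'WARNING: /etc/iproute2/rt_tables is missing or is not writeable'`, describes a condition tested by an `if` that begins outside the hunk, so whether "missing or not writeable" matches that test cannot be confirmed from here and is worth checking. Since the string goes into the generated firewall script it is what users see at run time; `writable` is the standard spelling. start_providers starts and ends outside the hunk.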
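Review bot: `my $gencase = shift;` is introduced in the middle of the body, inside `if ( @$interfaces )`, so the sub's single argument is consumed only on that path and a reader has to find it below `$require`; unpacking at the top of handle_optional_interfaces, `my ( $gencase ) = @_;`, is the usual form and keeps `verify_required_interfaces( $gencase )` and `emit '' if $gencase` reading as uses of a named parameter. The sub's opening line and the rest of its body are outside the hunk, so whether `@_` is touched elsewhere cannot be seen here.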
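Review bot: The `unless ( $done{$interface} )` test sits inside `for my $host ( @{$arrayref} )` although it depends only on `$interface`; hoisting it to `next if $done{$interface};` directly after the `while ( my ( $interface, $arrayref) = ... )` line removes one nesting level and avoids computing `$ipsec` for entries that are then skipped. Semantically the new `%done` set drops every hosts-file entry on an interface whose interface-wide option is set, even an entry carrying its own value for `$option`, and the interface entries now come first in `@hosts` with `''` instead of `'none'` in the ipsec slot plus a fifth element `$value` that the old loop omitted; the callers in Misc.pm rely on that `''`, so a comment above the first loop stating the precedence rule would help the next reader. The closing of find_hosts_by_option is in the next hunk, which only removes the old interface loop.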
@@ -2136,12 +2148,6 @@ sub find_hosts_by_option( $ ) { } } - for my $interface ( @interfaces ) { - if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) { - push @hosts, [ $interface, 'none', ALLIP , [] ]; - } - } - \@hosts; } diff --git a/docs/Events.xml b/docs/Events.xml index f820b0c81..cf41ae00a 100644 --- a/docs/Events.xml +++ b/docs/Events.xml @@ -705,8 +705,9 @@ Knock net $FW tcp 22,1599-1601
Stateful Port Knocking (knock with a sequence of ports) - Gerhard Wiesinger has contributed a Perl module that allows you to - define portknocking sequences. Download Gerhard Wiesinger + has contributed a Perl module that allows you to define portknocking + sequences. Download the module and copy it into your site_perl directory. diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index fb6b93be5..8dceec00d 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -2123,6 +2123,11 @@ net eth1 detect optional< later. + /etc/shorewall/params: + + EXT_IF=eth0 +COM_IF=eth1 + /etc/shorewall/isusable: local status=0