From dcb4ca61a532ad4eb18e25ae79453622e27135be Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Jun 2009 12:03:05 -0700 Subject: [PATCH] Add iptrace/noiptrace commands --- Shorewall/changelog.txt | 4 +++ Shorewall/releasenotes.txt | 27 +++++++++++++++++++ Shorewall/shorewall | 22 ++++++++++++++++ Shorewall6/shorewall6 | 23 +++++++++++++++- manpages/shorewall-masq.xml | 11 ++++---- manpages/shorewall.xml | 52 +++++++++++++++++++++++++++++++++++++ manpages6/shorewall6.xml | 51 +++++++++++++++++++++++++++++++++--- 7 files changed, 180 insertions(+), 10 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index ab5ab250e..b824d79ab 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -14,6 +14,10 @@ Changes in Shorewall 4.4.0-Beta2 5) Add 'upnpclient' interface option. +6) Fix handling of optional interfaces. + +7) Add 'iptrace' and 'noiptrace' command. + Changes in Shorewall 4.4.0-Beta1 1) Correct typo in Shorewall6 two-interface sample shorewall.conf. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 851ec8454..8d42aa75a 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -149,6 +149,33 @@ None. that, like all aspects of UPnP, this is a security hole so use this option at your own risk. +2) 'iptrace' and 'noiptrace' commands have been added to both + /sbin/shorewall and /sbin/shorewall6. + + These are low-level debugging commands that cause + iptables/ip6tables TRACE log messages to be generated. See 'man + iptables' and 'man ip6tables' for details. + + The syntax for the commands is: + + iptrace + noiptrace + + iptrace starts the trace; noiptrace turns it off. + + The match expression must be an expression that is legal in both + the raw table OUTPUT and PREROUTING chains. + + Examaple: + + To trace all packets desinted for IP address 206.124.146.176: + + shorewall iptrace -d 206.124.146.176 + + To turn that trace off: + + shorewall noiptrace -d 206.124.146.176 + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 4 ---------------------------------------------------------------------------- diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 2c45658bb..5c62e37c7 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1454,10 +1454,12 @@ usage() # $1 = exit status echo " ipcalc {
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" + echo " iptrace " echo " load [ -s ] [ -c ] [ -r ] [ ] " echo " logdrop
..." echo " logreject
..." echo " logwatch []" + echo " noiptrace " echo " refresh [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ ] " @@ -2012,6 +2014,26 @@ case "$COMMAND" in shift safe_commands $@ ;; + iptrace) + get_config + shift + if shorewall_is_started ; then + $IPTABLES -t raw -A PREROUTING $@ -j TRACE + $IPTABLES -t raw -A OUTPUT $@ -j TRACE + else + fatal_error "Shorewall is not started" + fi + ;; + noiptrace) + get_config + shift + if shorewall_is_started ; then + $IPTABLES -t raw -D PREROUTING $@ -j TRACE + $IPTABLES -t raw -D OUTPUT $@ -j TRACE + else + fatal_error "Shorewall is not started" + fi + ;; *) usage 1 ;; diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index 63f3cf763..ece124db5 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -1371,10 +1371,12 @@ usage() # $1 = exit status echo " export [ ] [@][:]" echo " forget [ ]" echo " help" + echo " iptrace " echo " load [ -s ] [ -c ] [ -r ] [ ] " echo " logdrop
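Review bot: In the new `iptrace)` and `noiptrace)` branches the user-supplied match expression is expanded unquoted (`$IPTABLES -t raw -A PREROUTING $@ -j TRACE`), so any argument containing whitespace or glob characters is re-split by the shell before iptables sees it; use `"$@"` on all four iptables lines (the existing `safe_commands $@` just above uses the same idiom, so this may be project style, but TRACE arguments are typed by hand and deserve the quotes). After `shift`, an empty expression is also accepted, which appends an unconditional TRACE rule to both raw chains and logs every packet; guard it with `[ $# -gt 0 ] || fatal_error "iptrace: no match expression given"`. Neither iptables call is checked, so a failure on the OUTPUT rule leaves a lone PREROUTING TRACE rule in place. Because `-A` appends and `-D` deletes a single matching rule, repeated `iptrace` calls stack duplicate rules and each `noiptrace` removes only one, which is worth a comment such as `# -D removes one rule; repeat noiptrace if iptrace was run more than once`. The same points apply to the matching `iptrace)`/`noiptrace)` hunk in Shorewall6/shorewall6, which uses `$IP6TABLES`.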
..." echo " logreject
..." echo " logwatch []" + echo " noiptrace " echo " refresh [ ... ]" echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ ] " @@ -1857,7 +1859,26 @@ case "$COMMAND" in shift safe_commands $@ ;; - *) + iptrace) + get_config + shift + if shorewall_is_started ; then + $IP6TABLES -t raw -A PREROUTING $@ -j TRACE + $IP6TABLES -t raw -A OUTPUT $@ -j TRACE + else + fatal_error "Shorewall6 is not started" + fi + ;; + noiptrace) + get_config + shift + if shorewall_is_started ; then + $IP6TABLES -t raw -D PREROUTING $@ -j TRACE + $IP6TABLES -t raw -D OUTPUT $@ -j TRACE + else + fatal_error "Shorewall6 is not started" + fi + ;; *) usage 1 ;; diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index e2b20290d..ad9c2a78f 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -119,11 +119,12 @@ Set of hosts that you wish to masquerade. You can specify this as an address (net or host) or as an - interface (use of an interface is deprecated). - If you give the name of an interface, the interface must be up - before you start the firewall and the Shorewall rules compiler will - warn you of that fact. (Shorewall will use your main routing table - to determine the appropriate addresses to masquerade). + interface (use of an + interface is deprecated). If you give the name + of an interface, the interface must be up before you start the + firewall and the Shorewall rules compiler will warn you of that + fact. (Shorewall will use your main routing table to determine the + appropriate addresses to masquerade). In order to exclude a address of the specified SOURCE, you may append an exclusion ("!" and a comma-separated diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 337dd37ee..18d97b860 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -219,6 +219,19 @@ choice="plain">address1address2 + + shorewall + + | + + -options + + + + iptables match + expression + + shorewall @@ -279,6 +292,19 @@ address + + shorewall + + | + + -options + + + + iptables match + expression + + shorewall 
@@ -835,6 +861,19 @@ + + iptrace + + + This is a low-level debugging command that causes iptables + TRACE log records to be created. See iptables(8) for details. + + The iptables match expression must + be one or more matches that may appear in both the raw table OUTPUT + and raw table PREROUTING chains. + + + load @@ -919,6 +958,19 @@ + + noiptrace + + + This is a low-level debugging command that cancels a trace + started by a preceding iptrace command. + + The iptables match expression must + be one given in the iptrace command being + cancelled. + + + refresh diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index 56a79bbd3..cac783ddc 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -144,6 +144,19 @@ + + shorewall6 + + | + + -options + + + + iptables match + expression + + shorewall6 @@ -204,6 +217,19 @@ address + + shorewall6 + + | + + -options + + + + iptables match + expression + + shorewall6 @@ -670,12 +696,16 @@ - hits + iptrace - Generates several reports from Shorewall6 log messages in the - current log file. If the option is included, the - reports are restricted to log messages generated today. + This is a low-level debugging command that causes iptables + TRACE log records to be created. See ip6tables(8) for + details. + + The iptables match expression must + be one or more matches that may appear in both the raw table OUTPUT + and raw table PREROUTING chains. @@ -763,6 +793,19 @@ + + noiptrace + + + This is a low-level debugging command that cancels a trace + started by a preceding iptrace command. + + The iptables match expression must + be one given in the iptrace command being + cancelled. + + + refresh