Tom Eastep 2009-11-28 07:23:23 -08:00
parent 4e8d753682
commit e5106f10bc
10 changed files with 24 additions and 92 deletions


@ -167,7 +167,7 @@ our %EXPORT_TAGS = (
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_5'; our $VERSION = '4.4_4';
# #
# Chain Table # Chain Table
@ -1185,18 +1185,9 @@ sub finish_section ( $ ) {
$sections{$_} = 1 for split /,/, $sections; $sections{$_} = 1 for split /,/, $sections;
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
my $mark = defined_zone( $zone )->{mark};
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $mark1 = ( defined_zone( $zone1 )->{mark} || 0 ) << VIRTUAL_BITS;
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )}; my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
finish_chain_section $chainref, $sections if $chainref->{referenced};
finish_chain_section $chainref, $sections if $chainref->{referenced} || $mark || $mark1;
if ( $sections{RELATED} ) {
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark) if $mark;
add_rule $chainref, '-j MARK --or-mark ' . in_hex($mark1) if $mark1;
}
} }
} }
} }
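Review bot: The module `$VERSION` is moved backwards from '4.4_5' to '4.4_4' in the header hunk of this section, and the same downgrade appears in the `sub initialize`/`determine_capabilities` section, the `sub setup_tc` section and the `sub process_zone` section, while the changelog and release notes in this same commit keep their "Shorewall 4.4.5" headings. If the compiler compares module versions against its own (that check is not in this hunk), any module not touched by this commit would have to carry the same value, so it is worth confirming the downgrade is intended rather than a side effect of reverting the virtual-zone files wholesale. The new condition `finish_chain_section $chainref, $sections if $chainref->{referenced};` is fine on its own; finish_section begins outside the hunk.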


@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_5'; our $VERSION = '4.4_4';
# #
# describe the current command, it's present progressive, and it's completion. # describe the current command, it's present progressive, and it's completion.
@ -242,7 +242,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
IPMARK_TARGET => 'IPMARK Target', IPMARK_TARGET => 'IPMARK Target',
PERSISTENT_SNAT => 'Persistent SNAT', PERSISTENT_SNAT => 'Persistent SNAT',
OLD_HL_MATCH => 'Old Hash Limit Match', OLD_HL_MATCH => 'Old Hash Limit Match',
MARK_IN_FILTER => 'MARK in Filter Table',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
); );
# #
@ -620,7 +619,6 @@ sub initialize( $ ) {
LOG_TARGET => 1, # Assume that we have it. LOG_TARGET => 1, # Assume that we have it.
PERSISTENT_SNAT => undef, PERSISTENT_SNAT => undef,
OLD_HL_MATCH => undef, OLD_HL_MATCH => undef,
MARK_IN_FILTER => undef,
CAPVERSION => undef, CAPVERSION => undef,
); );
# #
@ -2033,7 +2031,6 @@ sub determine_capabilities( $ ) {
$capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" ); $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
$capabilities{MARK_IN_FILTER} = qt1( "$iptables -A $sillyname -j MARK --set-mark 1" );
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ); $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
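Review bot: With `MARK_IN_FILTER` removed from `%capdesc`, the `initialize` defaults and `determine_capabilities`, the reader of a saved capabilities file (not in this hunk) may still meet a `MARK_IN_FILTER=` line written by the previous version, whose `SHOREWALL_CAPVERSION=40405` is higher than the 40402 this commit goes back to in the shell library sections. Confirm that an unknown capability name in such a file is ignored or reported clearly rather than treated as a fatal error. A one-line comment at the removal site, such as `# MARK_IN_FILTER was dropped together with virtual zones; capabilities files from that version may still list it`, would record why the table shrinks. determine_capabilities begins outside the hunk.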


@ -348,16 +348,8 @@ sub validate_policy()
add_or_modify_policy_chain( $zone1, $zone ); add_or_modify_policy_chain( $zone1, $zone );
} }
} }
} elsif ( defined_zone( $zone )->{virtual} ) {
for my $zone1 ( @{defined_zone( $zone )->{children}} ) {
for my $zone2 ( all_zones ) {
unless ( $zone1 eq $zone2 ) {
add_or_modify_policy_chain( $zone1, $zone2 );
add_or_modify_policy_chain( $zone2, $zone1 );
} }
} }
}
} }
my $fn = open_file 'policy'; my $fn = open_file 'policy';


@ -1724,11 +1724,10 @@ sub generate_matrix() {
for my $hostref ( @{$arrayref} ) { for my $hostref ( @{$arrayref} ) {
my $ipsec_match = match_ipsec_in $zone , $hostref; my $ipsec_match = match_ipsec_in $zone , $hostref;
my $exclusion = source_exclusion( $hostref->{exclusions}, $frwd_ref );
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_jump( add_jump(
$sourcechainref, $sourcechainref,
$exclusion, source_exclusion( $hostref->{exclusions}, $frwd_ref ),
! @{$zoneref->{parents}}, ! @{$zoneref->{parents}},
join( '', $interfacematch , match_source_net( $net ), $ipsec_match ) join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
); );
@ -1760,7 +1759,6 @@ sub generate_matrix() {
my $nested = $zoneref->{options}{nested}; my $nested = $zoneref->{options}{nested};
my $parenthasnat = 0; my $parenthasnat = 0;
my $parenthasnotrack = 0; my $parenthasnotrack = 0;
my $virtual = $zoneref->{virtual};
if ( $nested ) { if ( $nested ) {
# #
@ -1825,8 +1823,6 @@ sub generate_matrix() {
my $outputref; my $outputref;
my $interfacematch = ''; my $interfacematch = '';
add_jump $filter_table->{OUTPUT}, $chain1, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
if ( use_output_chain $interface ) { if ( use_output_chain $interface ) {
$outputref = $filter_table->{output_chain $interface}; $outputref = $filter_table->{output_chain $interface};
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
@ -1885,7 +1881,6 @@ sub generate_matrix() {
} }
if ( $chain2 ) { if ( $chain2 ) {
add_jump $filter_table->{INPUT}, $chain2, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match ); add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface; move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface;
} }
@ -1958,11 +1953,6 @@ sub generate_matrix() {
} else { } else {
@dest_zones = @zones ; @dest_zones = @zones ;
} }
if ( $frwd_ref ) {
add_jump $filter_table->{FORWARD}, $frwd_ref, 0, "-m mark --mark ! 0/" . in_hex($virtual) if $virtual;
}
# #
# Here it is -- THE BIG UGLY!!!!!!!!!!!! # Here it is -- THE BIG UGLY!!!!!!!!!!!!
# #
@ -1971,7 +1961,6 @@ sub generate_matrix() {
# #
for my $zone1 ( @dest_zones ) { for my $zone1 ( @dest_zones ) {
my $zone1ref = find_zone( $zone1 ); my $zone1ref = find_zone( $zone1 );
my $virtual1 = $zone1ref->{virtual};
next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE'; next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
@ -2001,9 +1990,8 @@ sub generate_matrix() {
next if $hostref->{options}{sourceonly}; next if $hostref->{options}{sourceonly};
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) { if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref; my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_jump( $frwd_ref, $exclusion, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ) ); add_jump $frwd_ref, dest_exclusion( $hostref->{exclusions}, $chain), 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
} }
} }
} }
@ -2044,7 +2032,6 @@ sub generate_matrix() {
for my $host1ref ( @$array1ref ) { for my $host1ref ( @$array1ref ) {
next if $host1ref->{options}{sourceonly}; next if $host1ref->{options}{sourceonly};
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref; my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
my $exclusion = dest_exclusion( $host1ref->{exclusions}, $chain );
for my $net1 ( @{$host1ref->{hosts}} ) { for my $net1 ( @{$host1ref->{hosts}} ) {
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) { unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
# #
@ -2052,7 +2039,7 @@ sub generate_matrix() {
# #
add_jump( add_jump(
$excl3ref , $excl3ref ,
$exclusion, dest_exclusion( $host1ref->{exclusions}, $chain ),
0, 0,
join( '', join( '',
$match_source_dev, $match_source_dev,
@ -2061,11 +2048,6 @@ sub generate_matrix() {
match_dest_net($net1), match_dest_net($net1),
$ipsec_out_match ) $ipsec_out_match )
); );
add_jump($excl3ref ,
$exclusion,
0,
"-m mark ! --mark 0/" . in_hex($virtual1) ) if $virtual1;
} }
} }
} }
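Review bot: The exclusion helpers are moved back inside the per-net loops — `source_exclusion( $hostref->{exclusions}, $frwd_ref )` in the add_jump of the first hunk, and `dest_exclusion( $hostref->{exclusions}, $chain)` / `dest_exclusion( $host1ref->{exclusions}, $chain )` in the two later hunks — so each is now evaluated once per `$net` instead of once per host entry. If these helpers allocate or populate an exclusion chain on each call (their bodies are not in the hunks), repeating them per net changes the generated ruleset; if they are pure, it is only repeated work. Keeping the hoisted form, e.g. `my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain );` before the `for my $net` loop, is independent of the virtual-zone removal. generate_matrix begins and ends outside these hunks.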


@ -40,7 +40,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc ); our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize ); our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = '4.4_5'; our $VERSION = '4.4_4';
our %tcs = ( T => { chain => 'tcpost', our %tcs = ( T => { chain => 'tcpost',
connmark => 0, connmark => 0,
@ -1235,7 +1235,6 @@ sub setup_tc() {
if ( $capabilities{MANGLE_FORWARD} ) { if ( $capabilities{MANGLE_FORWARD} ) {
add_rule $mangle_table->{FORWARD} , '-j tcfor'; add_rule $mangle_table->{FORWARD} , '-j tcfor';
add_rule $mangle_table->{POSTROUTING}, '-j MARK --and-mark 0xffffff'; # Clear virtual marks
add_rule $mangle_table->{POSTROUTING} , '-j tcpost'; add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
} }


@ -40,7 +40,6 @@ our @EXPORT = qw( NOTHING
IP IP
BPORT BPORT
IPSEC IPSEC
VIRTUAL_BITS
determine_zones determine_zones
zone_report zone_report
@ -76,7 +75,7 @@ our @EXPORT = qw( NOTHING
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_5'; our $VERSION = '4.4_4';
# #
# IPSEC Option types # IPSEC Option types
@ -105,8 +104,6 @@ use constant { NOTHING => 'NOTHING',
# children => [ <children> ] # children => [ <children> ]
# interfaces => { <interfaces1> => 1, ... } # interfaces => { <interfaces1> => 1, ... }
# bridge => <bridge> # bridge => <bridge>
# virtual => <virtual zone mark>
# mark => <LORed virtual zone marks of parent virtual zones>
# hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none' # hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none'
# options => { <option1> => <value1> # options => { <option1> => <value1>
# ... # ...
@ -159,7 +156,6 @@ our @bport_zones;
our %ipsets; our %ipsets;
our %physical; our %physical;
our $family; our $family;
our $virtualmark;
use constant { FIREWALL => 1, use constant { FIREWALL => 1,
IP => 2, IP => 2,
@ -180,11 +176,6 @@ use constant { SIMPLE_IF_OPTION => 1,
IF_OPTION_HOST => 16, IF_OPTION_HOST => 16,
}; };
use constant { VIRTUAL_BASE => 0x1000000 ,
VIRTUAL_LIMIT => 0x8000000 ,
VIRTUAL_BITS => 4 #Bits for virtual MASK numbers
};
our %validinterfaceoptions; our %validinterfaceoptions;
our %validhostoptions; our %validhostoptions;
@ -210,7 +201,6 @@ sub initialize( $ ) {
@bport_zones = (); @bport_zones = ();
%ipsets = (); %ipsets = ();
%physical = (); %physical = ();
$virtualmark = VIRTUAL_BASE;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION, %validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
@ -363,8 +353,6 @@ sub process_zone( \$ ) {
my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
my $mark = 0;
if ( $zone =~ /(\w+):([\w,]+)/ ) { if ( $zone =~ /(\w+):([\w,]+)/ ) {
$zone = $1; $zone = $1;
@parents = split_list $2, 'zone'; @parents = split_list $2, 'zone';
@ -373,7 +361,6 @@ sub process_zone( \$ ) {
fatal_error "Invalid Parent List ($2)" unless $p; fatal_error "Invalid Parent List ($2)" unless $p;
fatal_error "Unknown parent zone ($p)" unless $zones{$p}; fatal_error "Unknown parent zone ($p)" unless $zones{$p};
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL; fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
$mark |= $zones{$p}{virtual};
push @{$zones{$p}{children}}, $zone; push @{$zones{$p}{children}}, $zone;
} }
} }
@ -415,17 +402,6 @@ sub process_zone( \$ ) {
} }
} }
my $virtual = 0;
if ( $options eq 'virtual' ) {
require_capability 'MARK_IN_FILTER' , 'virtual zones', '';
fatal_error "Only ipv${family} zones may be virtual" unless $type == IP;
fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT;
$virtual = $virtualmark;
$virtualmark = $virtualmark << 1;
$options = '';
}
for ( $options, $in_options, $out_options ) { for ( $options, $in_options, $out_options ) {
$_ = '' if $_ eq '-'; $_ = '' if $_ eq '-';
} }
@ -433,8 +409,6 @@ sub process_zone( \$ ) {
$zones{$zone} = { type => $type, $zones{$zone} = { type => $type,
parents => \@parents, parents => \@parents,
bridge => '', bridge => '',
virtual => $virtual,
mark => $mark ,
options => { in_out => parse_zone_option_list( $options || '', $type ) , options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) ,
@ -556,8 +530,9 @@ sub zone_report()
unless ( $printed ) { unless ( $printed ) {
fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge}; fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $zoneref->{virtual} && @{$zoneref->{children}} ); warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
} }
} }
} }
@ -612,12 +587,6 @@ sub dump_zone_contents()
} }
} }
if ( $zoneref->{virtual} && @{$zoneref->{children}} ) {
$entry .= " (";
$entry .= "$_," for @{$zoneref->{children}};
$entry =~ s/,$/) /;
}
emit_unindented $entry; emit_unindented $entry;
} }
} }
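Review bot: With the `if ( $options eq 'virtual' )` branch gone from process_zone, a zones file that still carries `virtual` in its OPTIONS column now flows into `parse_zone_option_list( $options || '', $type )`; whether that ends in a fatal error or a silently ignored option depends on parse_zone_option_list, which is outside the hunk. A configuration written for the previous version would then compile into a ruleset without the isolation its author expected, so confirm that an unknown zone option is rejected. If it is not, an explicit `fatal_error "Invalid zone option (virtual)" if $options eq 'virtual';` at the removal site keeps the failure loud. process_zone begins and ends outside the hunk.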


@ -12,7 +12,7 @@ Changes in Shorewall 4.4.5
6) Fix 'show policies' in Shorewall6. 6) Fix 'show policies' in Shorewall6.
7) Limit the maximum provider mark to 0xff0000. 7) Limit the maximum provider mark to 0xf0000.
Changes in Shorewall 4.4.4 Changes in Shorewall 4.4.4


@ -30,7 +30,7 @@
# #
SHOREWALL_LIBVERSION=40000 SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40405 SHOREWALL_CAPVERSION=40402
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -828,7 +828,6 @@ determine_capabilities() {
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
PERSISTENT_SNAT= PERSISTENT_SNAT=
MARK_IN_FILTER=
chain=fooX$$ chain=fooX$$
@ -959,7 +958,6 @@ determine_capabilities() {
qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
qt $IPTABLES -A $chain -j LOG || LOG_TARGET= qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
qt $IPTABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes
qt $IPTABLES -F $chain qt $IPTABLES -F $chain
qt $IPTABLES -X $chain qt $IPTABLES -X $chain
@ -1028,7 +1026,6 @@ report_capabilities() {
report_capability "IPMARK Target" $IPMARK_TARGET report_capability "IPMARK Target" $IPMARK_TARGET
report_capability "LOG Target" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "Persistent SNAT" $PERSISTENT_SNAT report_capability "Persistent SNAT" $PERSISTENT_SNAT
report_capability "Mark in Filter Table" $MARK_IN_FILTER
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1088,7 +1085,6 @@ report_capabilities1() {
report_capability1 IPMARK_TARGET report_capability1 IPMARK_TARGET
report_capability1 LOG_TARGET report_capability1 LOG_TARGET
report_capability1 PERSISTENT_SNAT report_capability1 PERSISTENT_SNAT
report_capability1 MARK_IN_FILTER
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
} }


@ -173,6 +173,10 @@ Shorewall 4.4.5
default. If, for some reason, you don't want 'track' then specify default. If, for some reason, you don't want 'track' then specify
'notrack' for the provider. 'notrack' for the provider.
14) With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes, the maximum
provider mark value is 0xf0000. This limits the number of providers
to 15.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 P R O B L E M S C O R R E C T E D I N 4 . 4 . 5
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -230,6 +234,10 @@ None.
$FW dmz REJECT info $FW dmz REJECT info
$FW all ACCEPT $FW all ACCEPT
3) With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes, the maximum
provider mark value is now 0xf0000. This limits the number of
providers to 15.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0 N E W F E A T U R E S I N 4 . 4 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -33,7 +33,7 @@
# #
SHOREWALL_LIBVERSION=40300 SHOREWALL_LIBVERSION=40300
SHOREWALL_CAPVERSION=40405 SHOREWALL_CAPVERSION=40402
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@ -737,7 +737,6 @@ determine_capabilities() {
GOTO_TARGET= GOTO_TARGET=
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
MARK_IN_FILTER=Yes
chain=fooX$$ chain=fooX$$
@ -865,7 +864,6 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IP6TABLES -A $chain -j MARK --set-mark 1 && MARK_IN_FILTER=Yes
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain