Backport DROPINVALID from 2.2.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1925 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

STABLE2/actions.std

@@ -9,9 +9,11 @@
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
 #    logNonSyn          #Log Non-syn TCP packets with disposition LOG
 #    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
-#    rLogNonSyn          #Log Non-syn TCP packets with disposition REJECT
+#    rLogNonSyn         #Log Non-syn TCP packets with disposition REJECT
 #    dropInvalid	#Silently Drop packets that are in the INVALID
 #                       #conntrack state.
+#    allowInvalid       #Accept packets that are in the INVALID conntrack
+#                       #state
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.

STABLE2/changelog.txt

@@ -115,3 +115,7 @@ Changes in 2.0.15
 1)  Increased port range for Traceroute.
 
 2)  Corrected port of rate-limit logging change.
+
+Changes in 2.0.16
+
+1)  Backport DROPINVALID from 2.2.0.

STABLE2/firewall

@@ -2807,7 +2807,7 @@ createactionchain() # $1 = chain name
 
 process_actions1() {
 	
-    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid allowInvalid"
     USEDACTIONS=
 
     strip_file actions
@@ -2952,6 +2952,9 @@ process_actions2() {
 	    dropInvalid)
 		[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
 		;;
+	    allowInvalid)
+		[ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j ACCEPT
+		;;
 	    *)
 		f=action.$xaction
 		fn=$(find_file $f)
@@ -4831,7 +4834,8 @@ initialize_netfilter () {
 
     for chain in INPUT OUTPUT FORWARD; do
 	run_iptables -A $chain -p udp --dport 53 -j ACCEPT
-	run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
+	[ -n "$DROPINVALID" ] && \
+	    run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
     done
 
     [ -n "$CLAMPMSS" ] && \
@@ -6061,6 +6065,7 @@ do_initialize() {
     BRIDGING=
     DYNAMIC_ZONES=
     PKTTYPE=
+    DROPINVALID=
     RESTOREBASE=
     TMP_DIR=
 
@@ -6234,7 +6239,7 @@ do_initialize() {
     BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
     DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
     PKTTYPE=$(added_param_value_yes PKTTYPE $PKTTYPE)
-
+    DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
     #
     # Strip the files that we use often
     #

STABLE2/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 2.0.15
+Shorewall 2.0.16
 
 ----------------------------------------------------------------------
 Problems Corrected in version 2.0.4
@@ -276,3 +276,26 @@ Problems corrected in 2.0.15
 
       Bad argument `DROP'
       Try `iptables -h' or 'iptables --help' for more information.
+-----------------------------------------------------------------------
+New Features in 2.0.16
+
+1)  Recent 2.6 kernels include code that evaluates TCP packets based on
+    TCP Window analysis. This can cause packets that were previously
+    classified as NEW or ESTABLISHED to be classified as INVALID.
+
+    The new kernel code can be disabled by including this command in
+    your /etc/shorewall/init file:
+
+    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+
+    Additional kernel logging about INVALID TCP packets may be
+    obtained by adding this command to /etc/shorewall/init:
+
+    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
+
+    Traditionally, Shorewall has dropped INVALID TCP packets early. The
+    new DROPINVALID option allows INVALID packets to be passed through
+    the normal rules chains by setting DROPINVALID=No.
+
+    If not specified or if specified as empty (e.g., DROPINVALID="")
+    then DROPINVALID=Yes is assumed.

STABLE2/shorewall.conf

@@ -620,6 +620,41 @@ DYNAMIC_ZONES=No
 # (PKTTYPE="") then PKTTYPE=Yes is assumed.
 
 PKTTYPE=Yes
+
+#
+# DROP INVALID PACKETS
+#
+# Netfilter classifies packets relative to its connection tracking table into
+# four states:
+#
+#	NEW - thes packet initiates a new connection
+#	ESTABLISHED - thes packet is part of an established connection
+#	RELATED - thes packet is related to an established connection; it may
+#	          establish a new connection
+#	INVALID - the packet does not related to the table in any sensible way.
+#
+# Recent 2.6 kernels include code that evaluates TCP packets based on TCP 
+# Window analysis. This can cause packets that were previously classified as 
+# NEW or ESTABLISHED to be classified as INVALID.
+#
+# The new kernel code can be disabled by including this command in your
+# /etc/shorewall/init file:
+#
+# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+#
+# Additional kernel logging about INVALID TCP packets may be obtained by
+# adding this command to /etc/shorewall/init:
+#
+#  echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
+#
+# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
+# option allows INVALID packets to be passed through the normal rules chains by
+# setting DROPINVALID=No.
+#
+# If not specified or if specified as empty (e.g., DROPINVALID="") then
+# DROPINVALID=Yes is assumed.
+
+DROPINVALID=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################