Eliminate WIDE_TC_MARKS, HIGH_ROUTE_MARKS and BLACKLISTNEWONLY

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-08-21 12:42:19 -07:00
parent 80acdd2836
commit f4776bf388
3 changed files with 78 additions and 261 deletions

@ -599,16 +599,12 @@ our %validlevels; # Valid log levels.
#
# Deprecated options with their default values
#
our %deprecated = ( WIDE_TC_MARKS => 'no',
HIGH_ROUTE_MARKS => 'no',
BLACKLISTNEWONLY => 'yes',
our %deprecated = (
);
#
# Deprecated options that are eliminated via update
#
our %converted = ( WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1,
BLACKLISTNEWONLY => 1,
our %converted = (
);
#
# Eliminated options
@ -618,6 +614,9 @@ our %eliminated = ( LOGRATE => 1,
EXPORTPARAMS => 1,
LEGACY_FASTSTART => 1,
IPSECFILE => 1,
WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1,
BLACKLISTNEWONLY => 1,
);
#
# Variables involved in ?IF, ?ELSE ?ENDIF processing
@ -727,6 +726,8 @@ sub initialize( $;$$) {
LOGFORMAT => undef,
LOGTAGONLY => undef,
LOGLIMIT => undef,
LOGRATE => undef,
LOGBURST => undef,
LOGALLNEW => undef,
BLACKLIST_LOG_LEVEL => undef,
RELATED_LOG_LEVEL => undef,
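Review bot: LOGRATE and LOGBURST are added to the `%config` defaults here while they also sit in `%eliminated` (`our %eliminated = ( LOGRATE => 1,` in the hunk above). Under the new `process_shorewall_conf` logic an option that is in both hashes is a fatal error on a normal compile and is only accepted under `$update`, so a shorewall.conf that still carries `LOGRATE=` or `LOGBURST=` stops compiling until the user runs update, where previously it only drew the "no longer supported" warning. If that stricter behaviour is intended, state it in the commit message and make sure update writes the converted LOGLIMIT back to the file; if not, leave the two names out of `%config`.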
@ -4905,15 +4906,20 @@ sub process_shorewall_conf( $$$ ) {
if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
my ($var, $val) = ($1, $2);
unless ( exists $config{$var} ) {
if ( exists $renamed{$var} ) {
$var = $renamed{$var};
} elsif ( $eliminated{$var} ) {
if ( exists $config{$var} ) {
if ( $eliminated{$var} && ! $update ) {
fatal_error "The $var configuration option has been superceded - please run '$product update'";
}
} elsif ( exists $renamed{$var} ) {
$var = $renamed{$var};
} else {
if ( $eliminated{$var} ) {
warning_message "The $var configuration option is no longer supported";
} else {
warning_message "Unknown configuration option ($var) ignored";
next ;
}
next;
}
$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
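Review bot: "superceded" in the `fatal_error` string should be "superseded". More importantly, the `exists $config{$var}` branch keys on the option name alone, and the parsing regex `=(.*?)\s*$` accepts an empty value, so a line such as `WIDE_TC_MARKS=` that sets nothing now aborts the compile with the run-update message. Consider treating an empty value for an eliminated option as absent (warn and `next`, as the `else` branch does) and reserving the fatal error for a non-empty setting that actually needs converting.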
@ -5494,6 +5500,18 @@ sub get_configuration( $$$$$ ) {
}
$globals{LOGLIMIT} = $limit;
} elsif ( $update && ( $config{LOGRATE} || $config{LOGBURST} ) ) {
if ( supplied $config{LOGRATE} ) {
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
}
if ( supplied $config{LOGBURST} ) {
fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
}
$globals{LOGLIMIT} = '-m limit ';
$globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if supplied $config{LOGRATE};
$globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if supplied $config{LOGBURST};
} else {
$globals{LOGLIMIT} = '';
}
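Review bot: the LOGRATE check `^\d+\/(second|minute)$` rejects rates the iptables limit match accepts (`/hour` and `/day`), so an update run against a previously valid `LOGRATE=10/hour` dies with "Invalid LOGRATE" instead of converting it; widen the pattern to the units `-m limit --limit` supports. Minor: `fatal_error"Invalid LOGRATE` and `fatal_error"Invalid LOGBURST` are missing the space after `fatal_error`, and because this branch is guarded by `$update` the converted `$globals{LOGLIMIT}` is never built on a normal compile, which matches the fatal error in process_shorewall_conf but deserves a comment saying so.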
@ -5680,8 +5698,11 @@ sub get_configuration( $$$$$ ) {
default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
default_yes_no 'AUTOMAKE' , '';
default_yes_no 'WIDE_TC_MARKS' , '';
default_yes_no 'TRACK_PROVIDERS' , '';
if ($update) {
default_yes_no 'WIDE_TC_MARKS' , '';
default_yes_no 'TRACK_PROVIDERS' , '';
}
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
default_yes_no( 'NULL_ROUTE_RFC1918', '' );
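Review bot: `default_yes_no 'TRACK_PROVIDERS' , '';` has been moved inside `if ($update)` together with WIDE_TC_MARKS, but TRACK_PROVIDERS is not among the options this commit eliminates (the `%eliminated` additions are WIDE_TC_MARKS, HIGH_ROUTE_MARKS and BLACKLISTNEWONLY), so a normal compile would now skip its defaulting and Yes/No validation. Only the WIDE_TC_MARKS line belongs in the update-only block; keep TRACK_PROVIDERS unconditional as it was.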
@ -5715,10 +5736,18 @@ sub get_configuration( $$$$$ ) {
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS};
numeric_option 'PROVIDER_BITS' , 8, 0;
numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
if ( $update ) {
numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS};
numeric_option 'PROVIDER_BITS' , 8, 0;
numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
} else {
numeric_option 'TC_BITS' , 8, 0;
numeric_option 'MASK_BITS' , 8, 0;
numeric_option 'PROVIDER_OFFSET' , 8, 0;
}
numeric_option 'PROVIDER_BITS' , 8, 0;
numeric_option 'ZONE_BITS' , 0, 0;
require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};
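Review bot: the new `else` branch sets `numeric_option 'MASK_BITS' , 8, 0;` with a third argument of 0, whereas the update branch passes `$config{TC_BITS}` there, which is what enforces the "Must be >= TC_BITS" rule the MASK_BITS manpage entry in this same commit still states. Pass `$config{TC_BITS}` in the non-update branch as well, so that TC_BITS=14 with MASK_BITS left at its default of 8 is rejected rather than producing a mask narrower than the TC field. Also `numeric_option 'PROVIDER_BITS' , 8, 0;` now runs twice on the update path (inside the `if ( $update )` block and again after it); the copy inside the block can go.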

@ -473,10 +473,10 @@
UNTRACKED.</para>
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
option below. Specifies the connection tracking states that are to
be subject to blacklist screening. If neither BLACKLIST nor
BLACKLISTNEWONLY are specified then the states subject to
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
option. Specifies the connection tracking states that are to be
subject to blacklist screening. If BLACKLIST is not specified then
the states subject to blacklisting are
NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
<para>ALL sends all packets through the blacklist chains.</para>
@ -529,37 +529,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLISTNEWONLY=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
above.</para>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new
connections and for packets in the INVALID connection state (such as
TCP SYN,ACK when there has been no corresponding SYN). That includes
entries in the <ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)
file and in the BLACKLIST section of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>
(5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
(will slow down your firewall noticeably if you have large
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
<note>
<para>BLACKLISTNEWONLY=No is incompatible with
FASTACCEPT=Yes.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
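Review bot: deleting the BLACKLISTNEWONLY entry leaves a user whose compile just failed with "please run update" nowhere to look up what the old setting meant. Keep one sentence under BLACKLIST that gives the equivalent of the removed semantics: BLACKLISTNEWONLY=Yes screened new connections and INVALID packets (BLACKLIST=NEW,INVALID in the state-list form documented above) and BLACKLISTNEWONLY=No screened every packet (BLACKLIST=ALL), so existing configurations can be translated by hand when update is not an option.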
@ -844,11 +813,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
or RELATED sections of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5).</para>
<note>
<para>FASTACCEPT=Yes is incompatible with
BLACKLISTNEWONLY=No.</para>
</note>
</listitem>
</varlistentry>
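Review bot: the deleted note ("FASTACCEPT=Yes is incompatible with BLACKLISTNEWONLY=No") records a constraint that outlives the option: with BLACKLIST in place of BLACKLISTNEWONLY the conflict is with screening ESTABLISHED traffic, which the shorewall6.conf page in this commit states as "The ESTABLISHED state may not be specified if FASTACCEPT is specified". Reword the note to that effect instead of removing it, and add the same sentence under BLACKLIST in this file if it is not already there.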
@ -952,74 +916,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Deprecated in Shorewall 4.4.26 in favor of
PROVIDER_OFFSET.</para>
<para>Prior to version 3.2.0, it was not possible to use connection
marking in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5)
if you had a multi-ISP configuration that uses the track
option.</para>
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
packet mark and connection mark into two mark fields.</para>
<para>The width of the fields are determined by the setting of
WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default):</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The MARK field in the providers file must have a value
that is less than 65536 and that is a multiple of 256 (using hex
representation, the values are 0x0100-0xFF00 with the low-order
8 bits being zero).</para>
</listitem>
<listitem>
<para>You may only set those mark values in the PREROUTING
chain.</para>
</listitem>
<listitem>
<para>Marks used for traffic shaping must still be in the range
of 1-255 and may still not be set in the PREROUTING
chain.</para>
</listitem>
</orderedlist>
<para>When WIDE_TC_MARKS=Yes:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The MARK field in the providers file must have a value
that is a multiple of 65536 (using hex representation, the
values are 0x010000-0xFF0000 with the low-order 16 bits being
zero).</para>
</listitem>
<listitem>
<para>You may only set those mark values in the PREROUTING
chain.</para>
</listitem>
<listitem>
<para>Marks used for traffic shaping must be in the range of
1-16383 and may still not be set in the PREROUTING chain.</para>
</listitem>
</orderedlist>
<para>Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
RESTORE in tcrules, only the TC mark value is saved or restored.
Shorewall handles saving and restoring the routing (provider)
marks.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">IGNOREUNKNOWNVARIABLES=</emphasis>[<emphasis
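Review bot: the final paragraph being removed ("when you SAVE or RESTORE in tcrules, only the TC mark value is saved or restored. Shorewall handles saving and restoring the routing (provider) marks") describes current behaviour that does not depend on HIGH_ROUTE_MARKS. Check that the same statement appears under TC_BITS or PROVIDER_OFFSET, and if it does not, move it there rather than letting it disappear with the option.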
@ -1652,11 +1548,11 @@ LOG:info:,bar net fw</programlisting>
PREROUTING chain. This permits you to mark inbound traffic based on
its destination address when DNAT is in use. To determine if your
kernel has a FORWARD chain in the mangle table, use the <emphasis
role="bold">/sbin/shorewall show mangle</emphasis> command; if a
FORWARD chain is displayed then your kernel will support this
option. If this option is not specified or if it is given the empty
value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
is assumed.</para>
role="bold">shorewall show mangle</emphasis> command; if a FORWARD
chain is displayed then your kernel will support this option. If
this option is not specified or if it is given the empty value
(e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
assumed.</para>
</listitem>
</varlistentry>
@ -1668,8 +1564,9 @@ LOG:info:,bar net fw</programlisting>
<para>Added in Shorewall 4.4.26. Number of bits on the right of the
32-bit packet mark to be masked when clearing the traffic shaping
mark. Must be &gt;= TC_BITS and &lt;= PROVIDER_OFFSET (if
PROVIDER_OFFSET &gt; 0). Default value and the default values of the
other mark layout options is determined as follows:</para>
PROVIDER_OFFSET &gt; 0). Prior to Shorewall 5.0.0, default value and
the default values of the other mark layout options is determined as
follows:</para>
<table frame="none">
<title>Default Packet Mark Layout</title>
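Review bot: "Prior to Shorewall 5.0.0, default value and the default values of the other mark layout options is determined as follows" needs "the default value ... are determined". Since the table that follows is now historical, its title "Default Packet Mark Layout" should say so as well (for example "Default Packet Mark Layout (prior to 5.0.0)"), otherwise a reader who skips to the table takes it as the current layout.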
@ -1706,6 +1603,10 @@ LOG:info:,bar net fw</programlisting>
</tbody>
</tgroup>
</table>
<para>From 5.0.0 onward, the default value of MASK_BITS is 8, the
default value of PROVIDER_BITS, TC_BITS, MASK_BITS and
PROVIDER_OFFSET is 8.</para>
</listitem>
</varlistentry>
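Review bot: the added paragraph names MASK_BITS twice ("the default value of MASK_BITS is 8, the default value of PROVIDER_BITS, TC_BITS, MASK_BITS and PROVIDER_OFFSET is 8"). One sentence covers it: "From 5.0.0 onward, TC_BITS, MASK_BITS, PROVIDER_BITS and PROVIDER_OFFSET all default to 8." That also matches the `else` branch in get_configuration, which sets TC_BITS, MASK_BITS and PROVIDER_OFFSET to 8 and PROVIDER_BITS to 8 unconditionally.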
@ -2900,22 +2801,6 @@ INLINE - - - ; -j REJECT
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
MASK_BITS.</para>
<para>When set to No (the default), traffic shaping marks are 8
bytes wide (possible values are 1-255). When WIDE_TC_MARKS=Yes,
traffic shaping marks are 14 bytes wide (values 1-16383). The
setting of WIDE_TC_MARKS also has an effect on the HIGH_ROUTE_MARKS
option (see above).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">WORKAROUNDS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

@ -404,10 +404,10 @@
UNTRACKED.</para>
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
option below. Specifies the connection tracking states that are to
be subject to blacklist screening. If neither BLACKLIST nor
BLACKLISTNEWONLY are specified then the states subject to
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
option. Specifies the connection tracking states that are to be
subject to blacklist screening. If BLACKLIST is not specified then
the states subject to blacklisting are
NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
is specified.</para>
@ -449,39 +449,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLISTNEWONLY=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
above.</para>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new
connections, for packets in the INVALID connection state (such as a
TCP SYN,ACK when there has been no corresponding SYN), and for
packets that are UNTRACKED due to entries in <ulink
url="/manpages6/shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
This includes entries in the <ulink
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>
(5) file and in the BLACKLIST section of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>
(5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
(will slow down your firewall noticeably if you have large
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
<note>
<para>BLACKLISTNEWONLY=No is incompatible with
FASTACCEPT=Yes.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CHAIN_SCRIPTS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
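Review bot: with this entry gone, a reader sent here by the "please run update" error has no way to translate an existing BLACKLISTNEWONLY setting. Add one sentence under BLACKLIST giving the IPv6 equivalent taken from the text being deleted: BLACKLISTNEWONLY=Yes corresponds to BLACKLIST=NEW,INVALID,UNTRACKED, and BLACKLISTNEWONLY=No to the full list NEW,ESTABLISHED,INVALID,UNTRACKED.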
@ -725,11 +692,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
or RELATED sections of <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
<note>
<para>FASTACCEPT=Yes is incompatible with
BLACKLISTNEWONLY=No.</para>
</note>
</listitem>
</varlistentry>
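Review bot: the deleted FASTACCEPT note still has a live counterpart in this file, since the BLACKLIST entry above says "The ESTABLISHED state may not be specified if FASTACCEPT is specified". Rather than dropping the note, reword it to point at that constraint (FASTACCEPT=Yes is incompatible with ESTABLISHED in BLACKLIST) so the FASTACCEPT entry keeps warning readers about the conflict.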
@ -833,70 +795,6 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Deprecated in Shorewall 4.4.26 in favor of
PROVIDER_OFFSET.</para>
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
packet mark and connection mark into two mark fields.</para>
<para>The width of the fields are determined by the setting of the
WIDE_TC_MARKS option.</para>
<para>When WIDE_TC_MARKS=No (the default):</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The MARK field in the providers file must have a value
that is less than 65536 and that is a multiple of 256 (using hex
representation, the values are 0x0100-0xFF00 with the low-order
8 bits being zero).</para>
</listitem>
<listitem>
<para>You may only set those mark values in the PREROUTING
chain.</para>
</listitem>
<listitem>
<para>Marks used for traffic shaping must still be in the range
of 1-255 and may still not be set in the PREROUTING
chain.</para>
</listitem>
</orderedlist>
<para>When WIDE_TC_MARKS=Yes:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The MARK field in the providers file must have a value
that is a multiple of 65536 (using hex representation, the
values are 0x010000-0xFF0000 with the low-order 16 bits being
zero).</para>
</listitem>
<listitem>
<para>You may only set those mark values in the PREROUTING
chain.</para>
</listitem>
<listitem>
<para>Marks used for traffic shaping must be in the range of
1-16383 and may still not be set in the PREROUTING chain.</para>
</listitem>
</orderedlist>
<para>Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
RESTORE in tcrules, only the TC mark value is saved or restored.
Shorewall handles saving and restoring the routing (provider)
marks.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IMPLICIT_CONTINUE=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
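Review bot: as in the IPv4 page, the closing paragraph of the removed entry ("when you SAVE or RESTORE in tcrules, only the TC mark value is saved or restored. Shorewall handles saving and restoring the routing (provider) marks") is behaviour independent of HIGH_ROUTE_MARKS; relocate it under TC_BITS or PROVIDER_OFFSET unless it is already stated there.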
@ -1465,11 +1363,11 @@ LOG:info:,bar net fw</programlisting>
PREROUTING chain. This permits you to mark inbound traffic based on
its destination address when DNAT is in use. To determine if your
kernel has a FORWARD chain in the mangle table, use the <emphasis
role="bold">/sbin/shorewall6 show mangle</emphasis> command; if a
FORWARD chain is displayed then your kernel will support this
option. If this option is not specified or if it is given the empty
value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
is assumed.</para>
role="bold">/shorewall6 show mangle</emphasis> command; if a FORWARD
chain is displayed then your kernel will support this option. If
this option is not specified or if it is given the empty value
(e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
assumed.</para>
</listitem>
</varlistentry>
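Review bot: `/shorewall6 show mangle` keeps a stray leading slash; the edit that drops the `/sbin/` prefix should read `shorewall6 show mangle`, matching the `shorewall show mangle` change made in the IPv4 page.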
@ -1481,8 +1379,9 @@ LOG:info:,bar net fw</programlisting>
<para>Added in Shorewall 4.4.26. Number of bits on the right of the
32-bit packet mark to be masked when clearing the traffic shaping
mark. Must be &gt;= TC_BITS and &lt;= PROVIDER_OFFSET (if
PROVIDER_OFFSET &gt; 0). Default value and the default values of the
other mark layout options is determined as follows:</para>
PROVIDER_OFFSET &gt; 0). Prior to Shorewall 5.0.0, default value and
the default values of the other mark layout options is determined as
follows:</para>
<table frame="none">
<title>Default Packet Mark Layout</title>
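Review bot: same grammar slip as the IPv4 page: "Prior to Shorewall 5.0.0, default value and the default values of the other mark layout options is determined as follows" should read "the default value ... are determined", and the table title "Default Packet Mark Layout" should be marked as the pre-5.0.0 layout now that it is historical.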
@ -1519,6 +1418,10 @@ LOG:info:,bar net fw</programlisting>
</tbody>
</tgroup>
</table>
<para>From 5.0.0 onward, the default value of MASK_BITS is 8, the
default value of PROVIDER_BITS, TC_BITS, MASK_BITS and
PROVIDER_OFFSET is 8.</para>
</listitem>
</varlistentry>
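Review bot: MASK_BITS is listed twice in the added paragraph ("the default value of MASK_BITS is 8, the default value of PROVIDER_BITS, TC_BITS, MASK_BITS and PROVIDER_OFFSET is 8"). Collapse it to "From 5.0.0 onward, TC_BITS, MASK_BITS, PROVIDER_BITS and PROVIDER_OFFSET all default to 8", which is what the non-update branch in get_configuration sets.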