From f4776bf388e0edb3fe46dc668c59d66e86d0f798 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 21 Aug 2015 12:42:19 -0700
Subject: [PATCH] Eliminate WIDE_TC_MARKS, HIGH_ROUTE_MARKS and BLACKLISTNEWONLY
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 63 +++++++---
 Shorewall/manpages/shorewall.conf.xml | 147 +++---------------------
 Shorewall6/manpages/shorewall6.conf.xml | 129 +++------------------
 3 files changed, 78 insertions(+), 261 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 4deb166da..073375074 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -599,16 +599,12 @@ our %validlevels; # Valid log levels.
 #
 # Deprecated options with their default values
 #
-our %deprecated = ( WIDE_TC_MARKS => 'no',
- HIGH_ROUTE_MARKS => 'no',
- BLACKLISTNEWONLY => 'yes',
+our %deprecated = (
 );
 #
 # Deprecated options that are eliminated via update
 #
-our %converted = ( WIDE_TC_MARKS => 1,
- HIGH_ROUTE_MARKS => 1,
- BLACKLISTNEWONLY => 1,
+our %converted = (
 );
 #
 # Eliminated options
@@ -618,6 +614,9 @@ our %eliminated = ( LOGRATE => 1,
 EXPORTPARAMS => 1,
 LEGACY_FASTSTART => 1,
 IPSECFILE => 1,
+ WIDE_TC_MARKS => 1,
+ HIGH_ROUTE_MARKS => 1,
+ BLACKLISTNEWONLY => 1,
 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -727,6 +726,8 @@ sub initialize( $;$$) {
 LOGFORMAT => undef,
 LOGTAGONLY => undef,
 LOGLIMIT => undef,
+ LOGRATE => undef,
+ LOGBURST => undef,
 LOGALLNEW => undef,
 BLACKLIST_LOG_LEVEL => undef,
 RELATED_LOG_LEVEL => undef,
@@ -4905,15 +4906,20 @@ sub process_shorewall_conf( $$$ ) {
 if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 my ($var, $val) = ($1, $2);
- unless ( exists $config{$var} ) {
- if ( exists $renamed{$var} ) {
- $var = $renamed{$var};
- } elsif ( $eliminated{$var} ) {
+ if ( exists $config{$var} ) {
+ if ( $eliminated{$var} && ! $update ) {
+ fatal_error "The $var configuration option has been superceded - please run '$product update'";
+ }
+ } elsif ( exists $renamed{$var} ) {
+ $var = $renamed{$var};
+ } else {
+ if ( $eliminated{$var} ) {
 warning_message "The $var configuration option is no longer supported";
 } else {
 warning_message "Unknown configuration option ($var) ignored";
- next ;
 }
+
+ next;
 }
 $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
@@ -5494,6 +5500,18 @@ sub get_configuration( $$$$$ ) {
 }
 $globals{LOGLIMIT} = $limit;
+ } elsif ( $update && ( $config{LOGRATE} || $config{LOGBURST} ) ) {
+ if ( supplied $config{LOGRATE} ) {
+ fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
+ }
+
+ if ( supplied $config{LOGBURST} ) {
+ fatal_error"Invalid LOGBURST ($config{LOGBURST})" unless $config{LOGBURST} =~ /^\d+$/;
+ }
+
+ $globals{LOGLIMIT} = '-m limit ';
+ $globals{LOGLIMIT} .= "--limit $config{LOGRATE} " if supplied $config{LOGRATE};
+ $globals{LOGLIMIT} .= "--limit-burst $config{LOGBURST} " if supplied $config{LOGBURST};
 } else {
 $globals{LOGLIMIT} = '';
 }
@@ -5680,8 +5698,11 @@ sub get_configuration( $$$$$ ) {
 default_yes_no 'USE_DEFAULT_RT' , '';
 default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
 default_yes_no 'AUTOMAKE' , '';
- default_yes_no 'WIDE_TC_MARKS' , '';
- default_yes_no 'TRACK_PROVIDERS' , '';
+
+ if ($update) {
+ default_yes_no 'WIDE_TC_MARKS' , '';
+ default_yes_no 'TRACK_PROVIDERS' , '';
+ }
 unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 default_yes_no( 'NULL_ROUTE_RFC1918', '' );
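Review bot: The fatal_error message in the added `if ( $eliminated{$var} && ! $update )` branch misspells "superseded"; since users will grep for this text, fix it before release: `fatal_error "The $var configuration option has been superseded - please run '$product update'";`. Note that this fatal branch only fires for eliminated options that are still initialised in %config: the initialize() hunk earlier in this file adds LOGRATE and LOGBURST there and %eliminated lists LOGRATE, so a non-update run with LOGRATE set now aborts, whereas WIDE_TC_MARKS, HIGH_ROUTE_MARKS and BLACKLISTNEWONLY only reach it if they too remain in %config (not visible here). Whether LOGBURST is also in %eliminated is not visible in this diff; if it is not, a non-update run silently accepts it and get_configuration then ignores it, because the LOGRATE/LOGBURST conversion in the next hunk is gated on $update. process_shorewall_conf continues outside the hunk.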
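Review bot: `fatal_error"Invalid LOGRATE ($config{LOGRATE})"` and the matching LOGBURST line omit the space after fatal_error; Perl parses them, but every other call in this file is written `fatal_error "..."`, so `fatal_error "Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;` keeps the style consistent. The anchored `/^\d+\/(second|minute)$/` and `/^\d+$/` checks are the right guard before these values are interpolated into the `--limit`/`--limit-burst` arguments, so the validation itself looks sound. When only LOGBURST is supplied the result is `-m limit --limit-burst N` with no `--limit`, so the rate falls back to the limit match's own default; if that is intended, a comment such as `# LOGRATE not supplied: the limit match's default rate applies` would spare the next reader the question. get_configuration continues outside the hunk.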
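Review bot: `default_yes_no 'TRACK_PROVIDERS' , '';` has been moved inside the new `if ($update)` block together with WIDE_TC_MARKS, but TRACK_PROVIDERS is not among the options this commit eliminates (the %eliminated hunk at the top of the file adds only WIDE_TC_MARKS, HIGH_ROUTE_MARKS and BLACKLISTNEWONLY), so a normal compile no longer normalises or validates it. Unless TRACK_PROVIDERS is being retired elsewhere, keep `default_yes_no 'TRACK_PROVIDERS' , '';` outside the conditional and leave only WIDE_TC_MARKS under `if ($update)`. get_configuration continues outside the hunk.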
@@ -5715,10 +5736,18 @@ sub get_configuration( $$$$$ ) {
 require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
- numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
- numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS};
- numeric_option 'PROVIDER_BITS' , 8, 0;
- numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
+ if ( $update ) {
+ numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
+ numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS};
+ numeric_option 'PROVIDER_BITS' , 8, 0;
+ numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
+ } else {
+ numeric_option 'TC_BITS' , 8, 0;
+ numeric_option 'MASK_BITS' , 8, 0;
+ numeric_option 'PROVIDER_OFFSET' , 8, 0;
+ }
+
+ numeric_option 'PROVIDER_BITS' , 8, 0;
 numeric_option 'ZONE_BITS' , 0, 0;
 require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 75a01b69a..6e084c21e 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -473,10 +473,10 @@ UNTRACKED. Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY - option below. Specifies the connection tracking states that are to - be subject to blacklist screening. If neither BLACKLIST nor - BLACKLISTNEWONLY are specified then the states subject to - blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED. + option. Specifies the connection tracking states that are to be + subject to blacklist screening. If BLACKLIST is not specified then + the states subject to blacklisting are + NEW,ESTABLISHED,INVALID,UNTRACKED. ALL sends all packets through the blacklist chains.
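Review bot: `numeric_option 'PROVIDER_BITS' , 8, 0;` is called inside the `if ( $update )` branch and then again unconditionally after the if/else, so the update path processes PROVIDER_BITS twice; the copy inside the branch should go. In the non-update branch `numeric_option 'MASK_BITS' , 8, 0;` passes 0 as the third argument where the update branch passes `$config{TC_BITS}`; if that argument is the lower bound, as the update branch's usage suggests, a normal compile no longer enforces the MASK_BITS >= TC_BITS relationship that the manpage hunk later in this commit still documents, so `numeric_option 'MASK_BITS' , 8, $config{TC_BITS};` looks like the intended line. The non-update default for PROVIDER_OFFSET also changes from 0 to 8, which the manpage hunk does describe, but a one-line comment above the else branch recording the new fixed 8/8/8 layout would make the intent clear in the code itself. get_configuration continues outside the hunk.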
@@ -529,37 +529,6 @@ - - BLACKLISTNEWONLY={Yes|No} - - - Deprecated in Shorewall 4.5.13 in favor of BLACKLIST - above. - - When set to Yes or yes, blacklists are only consulted for new - connections and for packets in the INVALID connection state (such as - TCP SYN,ACK when there has been no corresponding SYN). That includes - entries in the shorewall-blrules (5) - file and in the BLACKLIST section of shorewall-rules - (5). - - When set to No or no, blacklists are consulted for every packet - (will slow down your firewall noticeably if you have large - blacklists). If the BLACKLISTNEWONLY option is not set or is set to - the empty value then BLACKLISTNEWONLY=No is assumed. - - - BLACKLISTNEWONLY=No is incompatible with - FASTACCEPT=Yes. - - - - CHAIN_SCRIPTS={Yes|No} @@ -844,11 +813,6 @@ net all DROP infothen the chain name is 'net-all' set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of shorewall-rules(5). - - - FASTACCEPT=Yes is incompatible with - BLACKLISTNEWONLY=No. - 
@@ -952,74 +916,6 @@ net all DROP infothen the chain name is 'net-all' - - HIGH_ROUTE_MARKS={Yes|No} - - - Deprecated in Shorewall 4.4.26 in favor of - PROVIDER_OFFSET. - - Prior to version 3.2.0, it was not possible to use connection - marking in shorewall-tcrules(5) - if you had a multi-ISP configuration that uses the track - option. - - You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the - packet mark and connection mark into two mark fields. - - The width of the fields are determined by the setting of - WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default): - - - - The MARK field in the providers file must have a value - that is less than 65536 and that is a multiple of 256 (using hex - representation, the values are 0x0100-0xFF00 with the low-order - 8 bits being zero). - - - - You may only set those mark values in the PREROUTING - chain. - - - - Marks used for traffic shaping must still be in the range - of 1-255 and may still not be set in the PREROUTING - chain. - - - - When WIDE_TC_MARKS=Yes: - - - - The MARK field in the providers file must have a value - that is a multiple of 65536 (using hex representation, the - values are 0x010000-0xFF0000 with the low-order 16 bits being - zero). - - - - You may only set those mark values in the PREROUTING - chain. - - - - Marks used for traffic shaping must be in the range of - 1-16383 and may still not be set in the PREROUTING chain. - - - - Regardless of the setting of WIDE_TC_MARKS, when you SAVE or - RESTORE in tcrules, only the TC mark value is saved or restored. - Shorewall handles saving and restoring the routing (provider) - marks. - - - IGNOREUNKNOWNVARIABLES=[ PREROUTING chain. This permits you to mark inbound traffic based on its destination address when DNAT is in use. To determine if your kernel has a FORWARD chain in the mangle table, use the /sbin/shorewall show mangle command; if a - FORWARD chain is displayed then your kernel will support this - option. 
If this option is not specified or if it is given the empty - value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No - is assumed. + role="bold">shorewall show mangle command; if a FORWARD + chain is displayed then your kernel will support this option. If + this option is not specified or if it is given the empty value + (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is + assumed. @@ -1668,8 +1564,9 @@ LOG:info:,bar net fw Added in Shorewall 4.4.26. Number of bits on the right of the 32-bit packet mark to be masked when clearing the traffic shaping mark. Must be >= TC_BITS and <= PROVIDER_OFFSET (if - PROVIDER_OFFSET > 0). Default value and the default values of the - other mark layout options is determined as follows: + PROVIDER_OFFSET > 0). Prior to Shorewall 5.0.0, default value and + the default values of the other mark layout options is determined as + follows: Default Packet Mark Layout @@ -1706,6 +1603,10 @@ LOG:info:,bar net fw
+ + From 5.0.0 onward, the default value of MASK_BITS is 8, the + default value of PROVIDER_BITS, TC_BITS, MASK_BITS and + PROVIDER_OFFSET is 8. @@ -2900,22 +2801,6 @@ INLINE - - - ; -j REJECT - - WIDE_TC_MARKS=[Yes|No] - - - Deprecated in Shorewall 4.4.26 in favor of TC_BITS and - MASK_BITS. - - When set to No (the default), traffic shaping marks are 8 - bytes wide (possible values are 1-255). When WIDE_TC_MARKS=Yes, - traffic shaping marks are 14 bytes wide (values 1-16383). The - setting of WIDE_TC_MARKS also has an effect on the HIGH_ROUTE_MARKS - option (see above). - - - WORKAROUNDS=[Yes|No] diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index ac6412ba2..693cd7901 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -404,10 +404,10 @@ UNTRACKED. Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY - option below. Specifies the connection tracking states that are to - be subject to blacklist screening. If neither BLACKLIST nor - BLACKLISTNEWONLY are specified then the states subject to - blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED. + option. Specifies the connection tracking states that are to be + subject to blacklist screening. If BLACKLIST is not specified then + the states subject to blacklisting are + NEW,ESTABLISHED,INVALID,UNTRACKED. Note: The ESTABLISHED state may not be specified if FASTACCEPT is specified. 
@@ -449,39 +449,6 @@ - - BLACKLISTNEWONLY={Yes|No} - - - Deprecated in Shorewall 4.5.13 in favor of BLACKLIST - above. - - When set to Yes or yes, blacklists are only consulted for new - connections, for packets in the INVALID connection state (such as a - TCP SYN,ACK when there has been no corresponding SYN), and for - packets that are UNTRACKED due to entries in shorewall6-conntrack(5). - This includes entries in the shorewall6-blrules - (5) file and in the BLACKLIST section of shorewall6-rules - (5). - - When set to No or no, blacklists are consulted for every packet - (will slow down your firewall noticeably if you have large - blacklists). If the BLACKLISTNEWONLY option is not set or is set to - the empty value then BLACKLISTNEWONLY=No is assumed. - - - BLACKLISTNEWONLY=No is incompatible with - FASTACCEPT=Yes. - - - - CHAIN_SCRIPTS={Yes|No} @@ -725,11 +692,6 @@ net all DROP infothen the chain name is 'net-all' set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED or RELATED sections of shorewall6-rules(5). - - - FASTACCEPT=Yes is incompatible with - BLACKLISTNEWONLY=No. - 
@@ -833,70 +795,6 @@ net all DROP infothen the chain name is 'net-all' - - HIGH_ROUTE_MARKS={Yes|No} - - - Deprecated in Shorewall 4.4.26 in favor of - PROVIDER_OFFSET. - - You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the - packet mark and connection mark into two mark fields. - - The width of the fields are determined by the setting of the - WIDE_TC_MARKS option. - - When WIDE_TC_MARKS=No (the default): - - - - The MARK field in the providers file must have a value - that is less than 65536 and that is a multiple of 256 (using hex - representation, the values are 0x0100-0xFF00 with the low-order - 8 bits being zero). - - - - You may only set those mark values in the PREROUTING - chain. - - - - Marks used for traffic shaping must still be in the range - of 1-255 and may still not be set in the PREROUTING - chain. - - - - When WIDE_TC_MARKS=Yes: - - - - The MARK field in the providers file must have a value - that is a multiple of 65536 (using hex representation, the - values are 0x010000-0xFF0000 with the low-order 16 bits being - zero). - - - - You may only set those mark values in the PREROUTING - chain. - - - - Marks used for traffic shaping must be in the range of - 1-16383 and may still not be set in the PREROUTING chain. - - - - Regardless of the setting of WIDE_TC_MARKS, when you SAVE or - RESTORE in tcrules, only the TC mark value is saved or restored. - Shorewall handles saving and restoring the routing (provider) - marks. - - - IMPLICIT_CONTINUE={Yes|No} 
@@ -1465,11 +1363,11 @@ LOG:info:,bar net fw PREROUTING chain. This permits you to mark inbound traffic based on its destination address when DNAT is in use. To determine if your kernel has a FORWARD chain in the mangle table, use the /sbin/shorewall6 show mangle command; if a - FORWARD chain is displayed then your kernel will support this - option. If this option is not specified or if it is given the empty - value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No - is assumed. + role="bold">/shorewall6 show mangle command; if a FORWARD + chain is displayed then your kernel will support this option. If + this option is not specified or if it is given the empty value + (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is + assumed. @@ -1481,8 +1379,9 @@ LOG:info:,bar net fw Added in Shorewall 4.4.26. Number of bits on the right of the 32-bit packet mark to be masked when clearing the traffic shaping mark. Must be >= TC_BITS and <= PROVIDER_OFFSET (if - PROVIDER_OFFSET > 0). Default value and the default values of the - other mark layout options is determined as follows: + PROVIDER_OFFSET > 0). Prior to Shorewall 5.0.0, default value and + the default values of the other mark layout options is determined as + follows: Default Packet Mark Layout @@ -1519,6 +1418,10 @@ LOG:info:,bar net fw
+ + From 5.0.0 onward, the default value of MASK_BITS is 8, the + default value of PROVIDER_BITS, TC_BITS, MASK_BITS and + PROVIDER_OFFSET is 8.