Make 'show filters' work with Simple TC

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -98,7 +98,7 @@ if [ -z "$vendor" ]; then
 	eval $(cat /etc/os-release | grep ^ID=)
 
 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
 	    debian|ubuntu)

Shorewall-core/configure.pl

@@ -64,7 +64,7 @@ unless ( defined $vendor ) {
 
 	$id =~ s/ID=//;
 	
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';

Shorewall-core/install.sh

@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall-core/lib.cli

@@ -252,7 +252,15 @@ show_classifiers() {
 
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
+	    tc filter show dev $device
+	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+		if [ -n "$class" ]; then
+		    echo
+		    echo Node $class
+		    tc filter show dev $device parent $class
+		fi
+	    done
 	    echo
 	fi
     }

Shorewall-init/install.sh

@@ -191,7 +191,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)

Shorewall-lite/install.sh

@@ -206,7 +206,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall/Perl/Shorewall/Compiler.pm

@@ -730,7 +730,7 @@ sub compiler {
     #
     # Do all of the zone-independent stuff (mostly /proc)
     #
-    add_common_rules( $convert );
+    add_common_rules( $convert, $tcrules );
     #
     # More /proc
     #
@@ -819,7 +819,7 @@ sub compiler {
     #
     # Setup Nat
     #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
     #
     # Setup NETMAP
     #

Shorewall/Perl/Shorewall/Misc.pm

@@ -775,8 +775,8 @@ sub process_stoppedrules() {
 
 sub setup_mss();
 
-sub add_common_rules ( $ ) {
+sub add_common_rules ( $$ ) {
-    my $upgrade = shift;
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
     my $interface;
     my $chainref;
     my $target;
@@ -929,8 +929,8 @@ sub add_common_rules ( $ ) {
 	    
     run_user_exit1 'initdone';
 
-    if ( $upgrade ) {
+    if ( $upgrade_blacklist ) {
-	exit 0 unless convert_blacklist;
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
     } else {
 	setup_blacklist;
     }

Shorewall/configfiles/blrules

@@ -6,7 +6,7 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###################################################################################################################################################################################################
+################################################################################################################################################################################################
-#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
 #									PORT	PORT(S)		DEST		LIMIT		GROUP
 

Shorewall/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/clear
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'clear' command.
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/findgw

@@ -3,12 +3,12 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the
+# The code in this file is executed when Shorewall is trying to detect the
-#    gateway through an interface in /etc/shorewall/providers that has GATEWAY
+# gateway through an interface in /etc/shorewall/providers that has GATEWAY
-#    specified as 'detect'.
+# specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what
+# The function should echo the IP address of the gateway if it knows what
-#    it is; the name of the interface is in $1.
+# it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
+# Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
+# run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/mangle

@@ -9,7 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
-

Shorewall/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refresh
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall
-#       has processed the 'refresh' command.
+# has processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall
+# Add commands below that you want to be executed after Shorewall has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
+# Replace the 'cat' command below to filter the output of
-#       'show connections.
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/shorewall.conf

@@ -12,13 +12,13 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
 
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 
 BLACKLIST_LOG_LEVEL=
@@ -100,7 +100,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -271,8 +271,8 @@ MASK_BITS=
 ZONE_BITS=0
 
 ################################################################################
-#                            L E G A C Y  O P T I O N
+#			     L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
+#		       D O  N O T  D E L E T E	O R  A L T E R
 ################################################################################
 
 IPSECFILE=zones

Shorewall/configfiles/tcclasses

@@ -7,4 +7,4 @@
 #
 ###############################################################################
 #INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
-#                               DMAX:UMAX
+#				DMAX:UMAX

Shorewall/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall
+# Add commands below that you want to be executed before Shorewall clears
-#       clears the traffic shaping configuration.
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall/install.sh

@@ -216,7 +216,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall/manpages/shorewall-masq.xml

@@ -143,7 +143,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term>(Formerly called SUBNET) -
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
+        -
         {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 

Shorewall/manpages/shorewall-nat.xml

@@ -136,6 +136,80 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>RESTRICTIONS</title>
+
+    <para>DNAT rules always preempt one-to-one NAT rules. This has subtile
+    consequences when there are sub-zones on an
+    <replaceable>interface</replaceable>. Consider the following:</para>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4
+loc     ipv4
+smc:net ipv4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians</programlisting>
+
+    <para><filename>/etc/shorewall/hosts</filename>:</para>
+
+    <programlisting>#ZONE   HOST(S)                                 OPTIONS
+smc     eth0:10.1.10.0/24</programlisting>
+
+    <para><filename>/etc/shorewall/nat</filename>:</para>
+
+    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
+#                                               INTERFACES
+10.1.10.100     eth0            172.20.1.100
+</programlisting>
+
+    <para>Note that the EXTERNAL address is in the <emphasis
+    role="bold">smc</emphasis> zone.</para>
+
+    <para><filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+...
+DNAT            net             loc:172.20.1.4  tcp     80</programlisting>
+
+    <para>For the one-to-one NAT to work correctly in this configuration, one
+    of two approaches can be taken:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Define a CONTINUE policy with <emphasis
+        role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
+
+        <programlisting>#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+<emphasis role="bold">smc		$FW		CONTINUE</emphasis>
+loc		net		ACCEPT
+net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
+all		all		REJECT		info
+</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall6/configfiles/actions

@@ -7,7 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
 ########################################################################################
 #ACTION    OPTIONS              COMMENT (place '# ' below the 'C' in comment followed by
 #                               v        a comment describing the action)

Shorewall6/configfiles/blrules

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###########################################################################################################################################################################
+########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS	SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall6/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/clear
 #
-#	Add commands below that you want to be executed after Shorewall6
+# Add commands below that you want to be executed after Shorewall6 has
-#       has processed the 'clear' command.
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall6/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
+# Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
+# run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/mangle

@@ -1,7 +1,7 @@
 #
 # Shorewall6 version 4 - Mangle File
 #
-# For information about entries in this file, type "man shorewall6-mangle
+# For information about entries in this file, type "man shorewall6-mangle"
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-###########################################################################################################################################################
+############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)

Shorewall6/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/refresh
 #
-#	Add commands below that you want to be executed before Shorewall6
+# Add commands below that you want to be executed before Shorewall6 has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall6
+# Add commands below that you want to be executed after Shorewall6 has
-#       has processed the 'refresh' command.
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
+# Replace the 'cat' command below to filter the output of
-#       'show connections.
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/shorewall6.conf

@@ -13,7 +13,7 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
@@ -97,7 +97,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

Shorewall6/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall6
+# Add commands below that you want to be executed before Shorewall6 clears
-#       clears the traffic shaping configuration.
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall6/manpages/shorewall6-masq.xml

@@ -530,7 +530,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 8:</term>
+        <term>Example 2:</term>
 
         <listitem>
           <para>Your sit1 interface has two public IP addresses:

docs/FAQ.xml

@@ -746,6 +746,12 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
           DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
           time that you get a new IP address.</para>
 
+          <note>
+            <para>If your local interface is a bridge, see <link
+            linkend="faq2e">FAQ 2e</link> for additional configuration
+            steps.</para>
+          </note>
+
           <note>
             <para>For optional interfaces, use the function <emphasis
             role="bold">find_first_interface_address_if_any()</emphasis>
@@ -915,6 +921,59 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         INTERFACES column of each entry in <ulink
         url="manpages/shorewall-nat.html">/etc/shorewall/nat</ulink>.</para>
       </section>
+
+      <section id="faq2e">
+        <title>(FAQ 2e) I have the situation in FAQ 2 but my local interface
+        is a bridge and the solution in FAQ 2 doesn't work</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: Assume that the bridge
+        is br0 and that eth2 is the bridge port that connects to the LAN
+        containing 192.168.1.5</para>
+
+        <para>In addition to the steps in FAQ 2 (replacing eth1 with br0), you
+        also need to:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>Set the <firstterm>hairpin</firstterm> option on
+            eth2.</para>
+
+            <programlisting>brctl hairpin br0 eth2 on</programlisting>
+
+            <para>On Debian and derivitives, you can place that command in
+            /etc/network/interfaces as a post-up command:</para>
+
+            <programlisting>auto br0
+iface br0 inet static
+        bridge_ports    eth2
+        bridge_fd       0
+        bridge_maxwait  0
+        address         192.168.1.1
+        netmask         255.255.255.0
+        <emphasis role="bold">post-up /sbin/brctl hairpin br0 eth2 on</emphasis></programlisting>
+          </listitem>
+
+          <listitem>
+            <para>Install ebtables if it is not already installed.</para>
+          </listitem>
+
+          <listitem>
+            <para>Be sure that all traffic going out of eth2 has the correct
+            MAC address.</para>
+
+            <programlisting>ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source <emphasis>br0-MAC-address</emphasis> </programlisting>
+
+            <para>where br0-MAC-address is the MAC address of br0.</para>
+
+            <para>Here's a working example of /etc/shorewall/start that
+            executes the above command.</para>
+
+            <programlisting>if [ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]; then
+   <emphasis role="bold">ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source 0:19:21:d0:61:65</emphasis>
+fi</programlisting>
+          </listitem>
+        </orderedlist>
+      </section>
     </section>
   </section>
 
@@ -940,6 +999,12 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
         to implement blacklisting by destination IP address.</para>
       </note>
+
+      <note>
+        <para>Beginning with Shorewall 4.4.26, you can use <ulink
+        url="manpages/shorewall-blrules.html">/etc/shorewall/blrules</ulink>
+        to implement arbitrary blacklist rules.</para>
+      </note>
     </section>
 
     <section id="faq84">

docs/support.xml

@@ -42,7 +42,7 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink> is 4.5.</para>
+        url="ReleaseModel.html">major release</ulink>s are 4.5 and 4.6.</para>
 
         <note>
           <para>Shorewall versions earlier than 4.5.0 are no longer supported;
@@ -60,7 +60,7 @@
 
       <listitem>
         <para>The <ulink url="FAQ.htm">FAQ</ulink> has solutions to more than
-        90 common problems.</para>
+        100 common problems.</para>
       </listitem>
 
       <listitem>