Correct handling of dbl=src_dst in interface OPTIONS

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Check for linkdown in interface_is_usable() rather than ..._is_up().
2018-05-18 10:18:09 -07:00 · 2018-05-18 07:56:06 -07:00 · 2018-05-12 08:09:46 -07:00 · 2018-05-10 11:12:23 -07:00 · 2018-05-10 09:30:02 -07:00 · 2018-05-06 13:31:54 -07:00
23 changed files with 113 additions and 43 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1201,11 +1201,17 @@ show_saves_command() {
    echo

    for f in ${VARDIR}/*-iptables; do
+	case $f in
+	    *\**)
+	        ;;
+	    *)
 		fn=$(basename $f)
 		fn=${fn%-iptables}
 		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
 		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
 		echo "   $mtime ${fn%-iptables}"
+		;;
+	esac
    done

    echo
@@ -3815,7 +3821,7 @@ iprange_command() {
 }

 ipdecimal_command() {
-    if [ $# eq 1 ]; then
+    if [ $# -eq 1 ]; then
 	missing_argument
    else
 	[ $# -eq 2 ] || too_many_arguments $3
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.0 rc file
+# Apple OS X Shorewall 5.2 rc file
 #
 BUILD=apple
 HOST=apple
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.0 rc file
+# Arch Linux Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.0 rc file
+# Cygwin Shorewall 5.2 rc file
 #
 BUILD=cygwin
 HOST=cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.0 rc file
+# Debian Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.0 rc file
+# Default Shorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux
--- a/Shorewall-core/shorewallrc.openwrt
+++ b/Shorewall-core/shorewallrc.openwrt
@@ -1,5 +1,5 @@
 #
-# OpenWRT Shorewall 5.0 rc file
+# OpenWRT/LEDE Shorewall 5.2 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.0 rc file
+# RedHat/FedoraShorewall 5.2 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.0 rc file
+# Slackware Shorewall 5.2 rc file
 #
 BUILD=slackware
 HOST=slackware
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.0 rc file
+# SuSE Shorewall 5.2 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
    #
    # if the event is armed, remove it and perform the action
    #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
 } elsif ( $command & $UPDATE_CMD ) {
    perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {
--- a/Shorewall/Macros/macro.IPFS-API
+++ b/Shorewall/Macros/macro.IPFS-API
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-API
+#
+# This macro handles IPFS API port (commands for the IPFS daemon).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     5001
--- a/Shorewall/Macros/macro.IPFS-gateway
+++ b/Shorewall/Macros/macro.IPFS-gateway
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
+#
+# This macro handles the IPFS gateway to HTTP.
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     8080
--- a/Shorewall/Macros/macro.IPFS-swarm
+++ b/Shorewall/Macros/macro.IPFS-swarm
@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
+#
+# This macro handles IPFS data traffic (the connection to IPFS swarm).
+#
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
+
+PARAM   -       -       tcp     4001
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -2529,6 +2529,10 @@ sub split_rawline2( $$;$$$ ) {
    # Delete trailing comment
    #
    $currentline =~ s/\s*#.*//;
+    #
+    # Convert ${...} to $...
+    #
+    $currentline =~ s/\$\{(.*?)\}/\$$1/g;

    my @result = &split_line2( @_ );

@@ -5459,7 +5463,7 @@ sub update_config_file( $ ) {
 	update_default( 'BLACKLIST_DEFAULT', 'AllowICMPs,dropBcasts,dropNotSyn,dropInvalid' );
    }

-    for ( qw/DROP_DEFAULT REJECT_DEFAULT/ ) {
+    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };

 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
@@ -6599,7 +6603,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
    default_yes_no 'USE_NFLOG_SIZE'             , '';

-    if ( ( $val = $config{AUTOMAKE} ) !~ /^[Rr]ecursive$/ ) {
+    if ( ( $val = ( $config{AUTOMAKE} || '' ) ) !~ /^[Rr]ecursive$/ ) {
 	default_yes_no( 'AUTOMAKE' , '' ) unless $val && $val =~ /^\d{1,2}$/;
    }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -810,7 +810,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );

 		log_rule_limit( $dbl_level,
 				$chainref,
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -675,7 +675,7 @@ interface_is_usable() # $1 = interface
    status=0

    if ! loopback_interface $1; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1101,7 +1101,7 @@ interface_is_usable() # $1 = interface
    status=0

    if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -412,10 +412,14 @@ uptodate() {
 	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
 		return 1;
 	    fi
-	elif [ $AUTOMAKE = recursive ]; then
+	elif [ "$AUTOMAKE" = recursive ]; then
 	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
 		return 1;
 	    fi
+	elif [ -z "$AUTOMAKE" ]; then
+	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
+		return 1;
+	    fi
 	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
 	    return 1;
 	fi
@@ -1063,6 +1067,41 @@ restart_command() {
    return $rc
 }

+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
+
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
+
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
+		;;
+	    *)
+		return 1
+		;;
+	esac
+    fi
+}
+
 #
 # Safe-start/safe-reload/safe-restart Command Executor
 #
@@ -1441,13 +1480,11 @@ remote_capture() # $* = original arguments less the command.
 	    ;;
    esac

-    [ -f $g_shorewalldir/${PRODUCT}.conf ] || fatal_error "Missing file: $g_shorewalldir/${PRODUCT}.conf."
-
    g_export=Yes

    ensure_config_path

-    get_config No
+    get_config Yes

    g_haveconfig=Yes

@@ -1468,7 +1505,7 @@ remote_capture() # $* = original arguments less the command.
    [ -n "$getcaps" ] && getrc=Yes

    if [ -n "$getrc" -o ! -s $g_shorewalldir/shorewallrc ]; then
-        progress_message2 "Getting RC file on system $system..."
+        progress_message2 "Getting shorewallrc file on system $system..."

        if [ -n "$remote_sw_dir_path" ]; then
            if ! rsh_command "/sbin/shorewall-lite show rc $remote_sw_dir_path" > $g_shorewalldir/shorewallrc; then
@@ -1619,14 +1656,9 @@ remote_commands() # $* = original arguments less the command.

    g_export=Yes

-    if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then
-	if [ -f $g_shorewalldir/params ]; then
-	    . $g_shorewalldir/params
-	fi
-
    ensure_config_path

-	get_config No
+    get_config Yes

    g_haveconfig=Yes

@@ -1634,9 +1666,6 @@ remote_commands() # $* = original arguments less the command.
        system=$FIREWALL
        [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set"
    fi
-    else
-	fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist"
-    fi

    if [ -z "$getcaps" ]; then
 	capabilities=$(find_file capabilities)
@@ -1646,7 +1675,7 @@ remote_commands() # $* = original arguments less the command.
    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"

-	progress_message "Getting Capabilities on system $system..."
+	progress_message2 "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
 	    if ! rsh_command "MODULESDIR=$MODULESDIR IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
@@ -1662,6 +1691,7 @@ remote_commands() # $* = original arguments less the command.
    #
    # Handle nonstandard remote VARDIR
    #
+    progress_message2 "Getting VARDIR on system $system..."
    temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
 
    [ -n "$temp" ] && litedir="$temp"
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -42,7 +42,8 @@

  <note>
    <para>The techniques described in this article were superseded in
-    Shorewall 4.5.19 with the introduction of Shorewall Events.</para>
+    Shorewall 4.5.19 with the introduction of <ulink
+    url="Events.html">Shorewall Events</ulink>.</para>
  </note>

  <note>
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -24,6 +24,8 @@

      <year>2017</year>

+      <year>2018</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

--- a/docs/images/Netfilter.dia
+++ b/docs/images/Netfilter.dia
--- a/docs/images/Netfilter.png
+++ b/docs/images/Netfilter.png
Author	SHA1	Message	Date
Tom Eastep	ec21b03c5b	Correct handling of dbl=src_dst in interface OPTIONS Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-18 10:18:09 -07:00
Tom Eastep	25dcf8c5d6	Check for linkdown in interface_is_usable() rather than ..._is_up(). Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-18 07:56:06 -07:00
Tom Eastep	c02b71b530	Correct interface_is_up() to look for the 'state' as well as 'UP' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-12 08:09:46 -07:00
Tom Eastep	78269d57bc	Handle missing AUTOMAKE Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-10 11:12:23 -07:00
Tom Eastep	fc91648315	Avoid split_line2 confusion when processing a raw line Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-10 09:30:02 -07:00
Tom Eastep	067f435ac5	Update BLACKLIST_DEFAULT if Drop or Reject Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-06 13:31:54 -07:00
Tom Eastep	2039f38faf	Fix 'show saves' when there are no saves Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-05 13:27:37 -07:00
Tom Eastep	07654d8f8d	Fix 'compile -c' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-05 13:26:58 -07:00
Tom Eastep	b5e8f9bd50	Restore the read_yesno_with_timeout() function Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-04 08:52:40 -07:00
Tom Eastep	9c950082f6	Add new IPFS macros Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-05-04 08:45:39 -07:00
Matt Darfeuille	fc44eb7516	Update version to 5.2 in RC files - Mention LEDE distro in OpenWRT RC file Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-27 14:08:36 -07:00
Matt Darfeuille	bb89d509ea	Ipdecimal: Correct error when missing arguments Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-27 14:08:00 -07:00
Tom Eastep	6822803802	Correct Netfilter Diagram Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-18 15:53:01 -07:00
Tom Eastep	66edd76b10	Correct typo in patch merged from 5.1.12 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-15 08:46:05 -07:00
Matt Darfeuille	99be0ce970	Use a function to load configuration files Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-14 13:06:54 -07:00
Tom Eastep	98d5bf8f55	Correct 'reset' handling in 'IfEvent' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-13 09:22:29 -07:00
Tom Eastep	370901e873	Add link to Events.html from PortKnocking.html Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-13 08:50:19 -07:00
Tom Eastep	c59ff50de4	Process params file in remote_capture() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-13 08:49:35 -07:00
Matt Darfeuille	3df5c032da	Be more verbose when executing remote commands - Reword progress messages Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-12 11:12:39 -07:00
Tom Eastep	b997bfcd97	Update copyright of Shorewall 5 Document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2018-04-10 10:44:38 -07:00