Compare commits


75 Commits

Author SHA1 Message Date
Tom Eastep
d107e15623 Don't apply HTB quantum to HFSC 2011-05-17 18:38:13 -07:00
Tom Eastep
d8ebdc015d Fix typo in known problems 2011-05-17 11:24:42 -07:00
Tom Eastep
da261ad315 Update release documents for 4.4.19.4 2011-05-17 10:54:30 -07:00
Tom Eastep
facfd53bc3 Correct deletion of ipv6 'shorewall' chain 2011-05-17 10:50:08 -07:00
Tom Eastep
6c0bc5aae5 Add a warning message when an entire table is reloaded 2011-05-16 16:29:38 -07:00
Tom Eastep
6d29a974dd Updated release documentation
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-16 14:27:07 -07:00
Tom Eastep
511aa7bdc0 Fix typos
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-16 13:58:11 -07:00
Tom Eastep
bf9309e441 Don't generate refresh rules unless the command is 'refresh'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-16 13:09:27 -07:00
Tom Eastep
68136ea53a Avoid inconsistencies and errors in refresh -- Take 2
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-16 12:24:55 -07:00
Tom Eastep
d79a9a4afa Avoid inconsistencies and errors in refresh
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-16 10:47:31 -07:00
Tom Eastep
361c11d6e0 Document missing ipset WARNING
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-15 12:04:34 -07:00
Tom Eastep
f741b8a225 Issue warning on missing IPSET 2011-05-15 11:52:26 -07:00
Tom Eastep
5580fd559a Mention exclusion in the blacklist manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-15 10:43:42 -07:00
Tom Eastep
b776668fe9 Don't emit degenerate tcfilters 2011-05-15 09:15:52 -07:00
Tom Eastep
6f0591f68c Document fixes for non-leaf TC classes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-13 07:15:43 -07:00
Tom Eastep
6233296917 Don't allow non-leaf default class
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-13 07:15:18 -07:00
Tom Eastep
928c472175 Issue warnings and ignore non-leaf class in tcfilters and tcrules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-13 07:14:58 -07:00
Tom Eastep
ceecf29535 More LIBEXEC/PERLLIB fixes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-12 07:45:54 -07:00
Tom Eastep
585e5326df Apply IPv6 Sample patch from Togan Muftuoglu 2011-05-12 06:17:16 -07:00
Tom Eastep
a6aa41f7ca Restore $command 2011-05-11 16:41:01 -07:00
Tom Eastep
13cac52d89 Fix PERLLIB on Shorewall6 2011-05-11 16:24:50 -07:00
Tom Eastep
2e859b69ae Fix PERLLIB 2011-05-11 13:43:59 -07:00
Tom Eastep
30e4668c10 Make PERLLIB work correctly 2011-05-11 12:36:22 -07:00
Tom Eastep
4074ae9a34 Correct Shorewall-init VERSION 2011-05-11 10:14:41 -07:00
Tom Eastep
00c9f17280 Correct Config.pm VERSION 2011-05-11 10:13:05 -07:00
Tom Eastep
8bfb1cccab Start 4.4.19.4 2011-05-11 09:50:45 -07:00
Tom Eastep
2cadee412a Disallow degenerate tcpri entry
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-10 17:51:48 -07:00
Tom Eastep
1860f1cff7 Mark 4.4.19.3 corrections in known problem list 2011-05-10 08:31:18 -07:00
Tom Eastep
27ea4ea0c5 Add 4.4.19.2 corrections to the known problems 2011-05-10 08:30:06 -07:00
Tom Eastep
a16dfcbc7b More documentation updates 2011-05-10 07:42:12 -07:00
Tom Eastep
c630a263db Tweak 4.4.19.3 release notes 2011-05-10 07:22:30 -07:00
Tom Eastep
4c459bd8cb Update release notes 2011-05-08 17:12:55 -07:00
Tom Eastep
0f091abddc Update release notes 2011-05-08 16:30:37 -07:00
Tom Eastep
4736956f13 Correct earlier patch 2011-05-08 15:46:49 -07:00
Tom Eastep
9a0894f44a Revert "Automatically specify the output interface on CLASSIFY tcrule"
This reverts commit a41ae6af76.
2011-05-08 15:39:18 -07:00
Tom Eastep
a41ae6af76 Automatically specify the output interface on CLASSIFY tcrule 2011-05-08 14:22:50 -07:00
Tom Eastep
a7edb358ed Document 4.4.19.3 fixes 2011-05-08 06:28:48 -07:00
Tom Eastep
631a2a7092 Merge branch '4.4.19' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.19 2011-05-08 05:59:13 -07:00
Tom Eastep
1685fc116e Ensure USER/GROUP is only specified when SOURCE in $FW 2011-05-08 05:58:37 -07:00
Tom Eastep
15b1371ade Fix typo in starting/stopping doc 2011-05-08 05:37:49 -07:00
Tom Eastep
0bfb7ecc6d Ensure route to gateway in the main table 2011-05-08 05:35:03 -07:00
Tom Eastep
fb442cebbe Document fix for 'gawk' 2011-05-07 09:29:43 -07:00
Tom Eastep
6bb0881d7c Fix issues with 'gawk' 2011-05-07 09:21:37 -07:00
Tom Eastep
873f8c38aa Simplify the fix for double exclusion in ipset lists 2011-05-06 14:28:22 -07:00
Tom Eastep
277493058d Refinement to fix for double exclusion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-06 07:29:00 -07:00
Tom Eastep
d02269e53c Correct double-exclusion fix 2011-05-05 16:18:04 -07:00
Tom Eastep
d79f1766b5 Let tcfilters deal correctly with hex device numbers 2011-05-04 17:14:34 -07:00
Tom Eastep
97d795b3b1 Complain if there is no default class defined 2011-05-04 16:20:54 -07:00
Tom Eastep
38f00543f8 Mark many tcrules columns as optional 2011-05-04 16:20:26 -07:00
Tom Eastep
51e89a41ef Enforce limits on device and class numbers 2011-05-04 08:03:22 -07:00
Tom Eastep
6603978ba4 Document double exclusion fix 2011-05-03 13:54:54 -07:00
Tom Eastep
e7831d5a15 Detect double exclusion in ipset expressions 2011-05-03 13:24:41 -07:00
Tom Eastep
953c7db1c4 Correct Comment 2011-05-03 07:43:42 -07:00
Tom Eastep
e1b3a79aa9 Back out part of TC change 2011-05-02 17:22:06 -07:00
Tom Eastep
059e522ded Back out 0x documentation part of change 2011-05-02 16:37:59 -07:00
Tom Eastep
1ffc4ece34 Don't require '0x' on devnum > 10 in tcclasses 2011-05-02 16:29:12 -07:00
Tom Eastep
e69ca0bffe Fix another couple of bugs with device numbers > 9 2011-05-02 15:34:35 -07:00
Tom Eastep
8c6bc2ad7c Update release notes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-02 10:18:48 -07:00
Tom Eastep
7cf5072777 Normalize hex numbers before using them in string comparisons 2011-05-02 10:07:01 -07:00
Tom Eastep
453eba2f54 Correct patch for > 9 interfaces with tcfilters 2011-05-02 09:52:31 -07:00
Tom Eastep
46e2a02fe4 More fixes for TC 2011-05-02 09:35:42 -07:00
Tom Eastep
4c27c68c43 Don't allow IFB classes in tcrules 2011-05-02 09:35:31 -07:00
Tom Eastep
f2b9851282 Fix bug in tcfilters with device numbers > 9 2011-05-02 09:34:52 -07:00
Tom Eastep
44bd1708f1 Document TC fixes 2011-05-01 06:39:17 -07:00
Tom Eastep
f8c433c2b3 Another tcclasses manpage update 2011-05-01 06:26:15 -07:00
Tom Eastep
a58303c199 Correct some TC issues 2011-05-01 06:19:57 -07:00
Tom Eastep
8beb80c9c7 Merge branch '4.4.19' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.19 2011-04-30 22:08:18 -07:00
Tom Eastep
d60dfc7be0 Merge branch '4.4.19' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.19 2011-04-30 21:55:40 -07:00
Tom Eastep
b039d9d0fe Augment documentation of the :I and :CI modifiers 2011-04-30 21:54:46 -07:00
Tom Eastep
54f368c413 Document fix for ORIGINAL DEST
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-04-28 12:21:59 -07:00
Tom Eastep
1f362b32f2 Clarify that the tcrules files support ipsets.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-04-28 09:30:16 -07:00
Tom Eastep
2db87891ec Support ipsets in the ORIGINAL DEST column for DNAT and REDIRECT rules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-04-28 09:29:54 -07:00
Tom Eastep
2b9c01f298 Correct typo in three-interface doc 2011-04-28 07:42:33 -07:00
Tom Eastep
1bd043a300 Explain internal/external interfaces 2011-04-24 13:09:34 -07:00
Tom Eastep
bcb1aede20 Prepare for 4.4.19.2 2011-04-16 11:28:44 -07:00
40 changed files with 647 additions and 177 deletions

View File

@ -15,6 +15,6 @@
#ZONE TYPE OPTIONS IN OUT #ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS # OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 net ipv6
loc ipv4 loc ipv6
dmz ipv4 dmz ipv6

View File

@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall-init %define name shorewall-init
%define version 4.4.19 %define version 4.4.19
%define release 1 %define release 4
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name} Name: %{name}
@ -119,6 +119,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed May 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-4
* Sat May 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-3
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1 - Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.4.19 %define version 4.4.19
%define release 1 %define release 4
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -103,6 +103,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed May 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-4
* Sat May 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-3
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1 - Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -244,6 +244,7 @@ our $mangle_table;
our $filter_table; our $filter_table;
our $comment; our $comment;
our @comments; our @comments;
my $export;
# #
# Target Types # Target Types
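Review bot: style point at `my $export;`: the neighbouring file-scope variables in this block are declared with `our`, and this one is assigned only in initialize() and read in get_set_flags() roughly 2500 lines later, so a one-line comment saying it holds the export flag handed to initialize() (and that the ipset existence check is gated on it) would spare the next reader the search.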
@ -281,13 +282,14 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i an
# See initialize() below for additional comments on these variables # See initialize() below for additional comments on these variables
# #
our $iprangematch; our $iprangematch;
our $chainseq; our %chainseq;
our $idiotcount; our $idiotcount;
our $idiotcount1; our $idiotcount1;
our $warningcount; our $warningcount;
our $hashlimitset; our $hashlimitset;
our $global_variables; our $global_variables;
our $ipset_rules; our $ipset_rules;
# #
# Determines the commands for which a particular interface-oriented shell variable needs to be set # Determines the commands for which a particular interface-oriented shell variable needs to be set
# #
@ -388,8 +390,8 @@ our %builtin_target = ( ACCEPT => 1,
# 2. The compiler can run multiple times in the same process so it has to be # 2. The compiler can run multiple times in the same process so it has to be
# able to re-initialize its dependent modules' state. # able to re-initialize its dependent modules' state.
# #
sub initialize( $$ ) { sub initialize( $$$ ) {
( $family, my $hard ) = @_; ( $family, my $hard, $export ) = @_;
%chain_table = ( raw => {}, %chain_table = ( raw => {},
mangle => {}, mangle => {},
@ -406,9 +408,9 @@ sub initialize( $$ ) {
$comment = ''; $comment = '';
@comments = (); @comments = ();
# #
# Used to sequence chain names. # Used to sequence chain names in each table.
# #
$chainseq = 0; %chainseq = () if $hard;
# #
# Used to suppress duplicate match specifications for old iptables binaries. # Used to suppress duplicate match specifications for old iptables binaries.
# #
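Review bot: `%chainseq = () if $hard;` changes the reset semantics: the old `$chainseq = 0;` ran on every initialize() call, whereas the counters now survive the soft re-initialisations that Compiler.pm performs with a second argument of 0. That is presumably deliberate, since create_chainlist_reload() now tests `$chainseq{$table}` to learn whether a table contains sequence-numbered chains and the ~excl/~log names must not be reissued after a soft reset, but the comment only says "in each table"; state the reason the reset is conditional, because someone tidying this later could easily restore the unconditional form.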
@ -747,10 +749,10 @@ sub insert_rule($$$) {
sub delete_chain( $ ) { sub delete_chain( $ ) {
my $chainref = shift; my $chainref = shift;
$chainref->{referenced} = 0; $chainref->{referenced} = 0;
$chainref->{blacklist} = 0; $chainref->{blacklist} = 0;
$chainref->{rules} = []; $chainref->{rules} = [];
$chainref->{references} = {}; $chainref->{references} = {};
trace( $chainref, 'X', undef, '' ) if $debug; trace( $chainref, 'X', undef, '' ) if $debug;
progress_message " Chain $chainref->{name} deleted"; progress_message " Chain $chainref->{name} deleted";
} }
@ -1197,14 +1199,14 @@ sub new_chain($$)
assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) ); assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) );
my $chainref = { name => $chain, my $chainref = { name => $chain,
rules => [], rules => [],
table => $table, table => $table,
loglevel => '', loglevel => '',
log => 1, log => 1,
cmdlevel => 0, cmdlevel => 0,
references => {}, references => {},
blacklist => 0 }; blacklist => 0 };
trace( $chainref, 'N', undef, '' ) if $debug; trace( $chainref, 'N', undef, '' ) if $debug;
@ -2093,13 +2095,13 @@ sub setup_zone_mss() {
} }
} }
sub newexclusionchain() { sub newexclusionchain( $ ) {
my $seq = $chainseq++; my $seq = $chainseq{$_[0]}++;
"~excl${seq}"; "~excl${seq}";
} }
sub newlogchain() { sub newlogchain( $ ) {
my $seq = $chainseq++; my $seq = $chainseq{$_[0]}++;
"~log${seq}"; "~log${seq}";
} }
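Review bot: logic/style point in newexclusionchain() and newlogchain(): `$chainseq{$_[0]}++` silently autovivifies an entry under the empty key if the caller passes an undefined table, which the `( $ )` prototype does not prevent. Copying the argument with `my $table = shift;` and guarding it with `assert( defined $table );`, as new_chain() already guards its inputs with assert(), keeps a missing table from producing a `~excl0` that belongs to no table.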
@ -2116,7 +2118,7 @@ sub logchain( $$$$$$ ) {
my $logchainref = $chainref->{logchains}{$key}; my $logchainref = $chainref->{logchains}{$key};
unless ( $logchainref ) { unless ( $logchainref ) {
$logchainref = $chainref->{logchains}{$key} = new_chain $chainref->{table}, newlogchain; $logchainref = $chainref->{logchains}{$key} = new_chain $chainref->{table}, newlogchain( $chainref->{table} ) ;
# #
# Now add the log rule and target rule without matches to the log chain. # Now add the log rule and target rule without matches to the log chain.
# #
@ -2136,7 +2138,7 @@ sub logchain( $$$$$$ ) {
} }
sub newnonatchain() { sub newnonatchain() {
my $seq = $chainseq++; my $seq = $chainseq{nat}++;
"nonat${seq}"; "nonat${seq}";
} }
@ -2168,7 +2170,9 @@ sub source_exclusion( $$ ) {
return $target unless @$exclusions; return $target unless @$exclusions;
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain ); my $table = reftype $target ? $target->{table} : 'filter';
my $chainref = new_chain( $table , newexclusionchain( $table ) );
add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions; add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
add_jump( $chainref, $target, 1 ); add_jump( $chainref, $target, 1 );
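Review bot: the two new lines `my $table = reftype $target ? $target->{table} : 'filter';` and `my $chainref = new_chain( $table , newexclusionchain( $table ) );` are now duplicated verbatim between source_exclusion() and dest_exclusion() (next hunk). A small helper that resolves the table and creates the exclusion chain would keep the two in step if the table-resolution rule changes again.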
@ -2181,7 +2185,9 @@ sub dest_exclusion( $$ ) {
return $target unless @$exclusions; return $target unless @$exclusions;
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain ); my $table = reftype $target ? $target->{table} : 'filter';
my $chainref = new_chain( $table , newexclusionchain( $table ) );
add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions; add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
add_jump( $chainref, $target, 1 ); add_jump( $chainref, $target, 1 );
@ -2819,6 +2825,10 @@ sub get_set_flags( $$ ) {
$setname =~ s/^\+//; $setname =~ s/^\+//;
unless ( $export || $> != 0 ) {
warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
}
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/; fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options "; have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
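Review bot: ordering problem in get_set_flags(): the new `qt "ipset -L $setname"` runs before the existing `fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;`, so the name is handed to a shell before it has been validated, and that pattern has no trailing anchor, so it accepts any string that merely starts with a letter. Move the fatal_error above the new block and anchor the pattern as `/^[a-zA-Z]\w*$/` so that only a well-formed set name ever reaches the shell. The `$export || $> != 0` gate is right (when exporting, the sets live on the target host, and a non-root compile cannot list them); the "Document missing ipset WARNING" commit in this range covers the user-visible side of the new warning.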
@ -2870,7 +2880,7 @@ sub conditional_rule_end( $ ) {
add_commands( $chainref , "fi\n" ); add_commands( $chainref , "fi\n" );
} }
sub mysplit( $ ); sub mysplit( $;$ );
# #
# Match a Source. # Match a Source.
@ -2901,7 +2911,7 @@ sub match_source_net( $;$\$ ) {
if ( $net =~ /^\+\[(.+)\]$/ ) { if ( $net =~ /^\+\[(.+)\]$/ ) {
my $result = ''; my $result = '';
my @sets = mysplit $1; my @sets = mysplit $1, 1;
require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1; require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
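Review bot: `my @sets = mysplit $1, 1;` passes the capture variable by alias through @_; this is safe only because mysplit() now copies @_ into lexicals (`my ( $input, $loose ) = @_;`) before running any pattern match of its own, which would otherwise reset $1. That dependency deserves a comment at the mysplit() definition, as match_dest_net() aliases $1 the same way.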
@ -2951,7 +2961,7 @@ sub match_dest_net( $ ) {
if ( $net =~ /^\+\[(.+)\]$/ ) { if ( $net =~ /^\+\[(.+)\]$/ ) {
my $result = ''; my $result = '';
my @sets = mysplit $1; my @sets = mysplit $1, 1;
require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1; require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
@ -3229,10 +3239,14 @@ sub addnatjump( $$$ ) {
# Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...] # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
# #
sub mysplit( $ ) { sub mysplit( $;$ ) {
my @input = split_list $_[0], 'host'; my ( $input, $loose ) = @_;
return @input unless $_[0] =~ /\[/; my @input = split_list $input, 'host';
return @input unless $input =~ /\[/;
my $exclude = 0;
my @result; my @result;
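Review bot: missing documentation: the header comment above mysplit() still describes a single argument, but the prototype is now `( $;$ )` and the second parameter `$loose` disables the double-exclusion check. Extend the comment to say what the optional flag means and which callers pass it (match_source_net(), match_dest_net() and the exclusion handling in expand_rule()), since those callers hand mysplit() text that is already known to be an ipset list or an exclusion list.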
@ -3245,7 +3259,14 @@ sub mysplit( $ ) {
$element .= ( ',' . shift @input ); $element .= ( ',' . shift @input );
} }
unless ( $loose ) {
fatal_error "Invalid host list ($input)" if $exclude && $element =~ /!/;
$exclude ||= $element =~ /^!/ || $element =~ /\]!/;
}
fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/; fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
} else {
$exclude ||= $element =~ /!/ unless $loose;
} }
push @result, $element; push @result, $element;
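Review bot: logic gap in the double-exclusion detection: the `fatal_error "Invalid host list ($input)"` check runs only in the branch for elements that contain `[`, while the plain-element branch merely records `$exclude ||= $element =~ /!/ unless $loose;`. A list such as `+[set]!,!host` therefore sets the flag on the first element and passes the second without complaint. Unless a later stage catches that case, move the check ahead of the if/else so both kinds of element are tested, and note in the comment that the early `return @input unless $input =~ /\[/;` means lists without any bracketed element skip the detection entirely.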
@ -3340,7 +3361,7 @@ sub mark_firewall_not_started() {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' ); emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
} else { } else {
emit ( 'qt1 $IPTABLES6 -L shorewall -n && qt1 $IPTABLES6 -F shorewall && qt1 $IPTABLES6 -X shorewall' ); emit ( 'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall' );
} }
} }
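Review bot: the rename from `$IPTABLES6` to `$IP6TABLES` is the actual fix for the IPv6 'shorewall' chain never being deleted, presumably because only the latter is defined in the generated script, so the old name expanded to nothing and the `qt1 ... -L shorewall -n` probe silently failed. Consider choosing the variable name once (`my $tool = $family == F_IPV4 ? '$IPTABLES' : '$IP6TABLES';`) and emitting a single line, so the two copies of this command cannot drift apart again.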
@ -3961,7 +3982,7 @@ sub expand_rule( $$$$$$$$$$;$ )
( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' ); ( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) { unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
my @iexcl = mysplit $iexcl; my @iexcl = mysplit $iexcl, 1;
if ( @iexcl == 1 ) { if ( @iexcl == 1 ) {
$rule .= match_source_net "!$iexcl" , $restriction; $rule .= match_source_net "!$iexcl" , $restriction;
$iexcl = ''; $iexcl = '';
@ -3979,7 +4000,7 @@ sub expand_rule( $$$$$$$$$$;$ )
( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' ); ( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
unless ( $dnets || $dexcl =~ /^\+\[/ ) { unless ( $dnets || $dexcl =~ /^\+\[/ ) {
my @dexcl = mysplit $dexcl; my @dexcl = mysplit $dexcl, 1;
if ( @dexcl == 1 ) { if ( @dexcl == 1 ) {
$rule .= match_dest_net "!$dexcl"; $rule .= match_dest_net "!$dexcl";
$dexcl = ''; $dexcl = '';
@ -4043,7 +4064,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Create the Exclusion Chain # Create the Exclusion Chain
# #
my $echain = newexclusionchain; my $echain = newexclusionchain( $table );
my $echainref = new_chain $table, $echain; my $echainref = new_chain $table, $echain;
# #
@ -4661,13 +4682,21 @@ sub create_chainlist_reload($) {
my $chains = $_[0]; my $chains = $_[0];
my @chains = split_list $chains, 'chain'; my @chains;
unless ( @chains ) { unless ( $chains eq ':none:' ) {
@chains = qw( blacklst ) if $filter_table->{blacklst}; if ( $chains eq ':refresh:' ) {
push @chains, 'blackout' if $filter_table->{blackout}; $chains = '';
push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; } else {
$chains = join( ',', @chains ) if @chains; @chains = split_list $chains, 'chain';
}
unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst};
push @chains, 'blackout' if $filter_table->{blackout};
push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
$chains = join( ',', @chains ) if @chains;
}
} }
$mode = NULL_MODE; $mode = NULL_MODE;
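Review bot: the sentinel strings `':none:'` and `':refresh:'` are magic values that must match exactly what the caller passes, and nothing in this hunk says where they come from or documents that `':refresh:'` resets `$chains` to the empty string so that the default list (blacklst, blackout, mangle:) is used. Define them as named constants shared with the caller and add a comment at the top of create_chainlist_reload() describing the three accepted forms of the argument.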
@ -4690,21 +4719,33 @@ sub create_chainlist_reload($) {
my %chains; my %chains;
my %tables;
for my $chain ( @chains ) { for my $chain ( @chains ) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/; ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/; fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
$chains{$table} = [] unless $chains{$table}; $chains{$table} = {} unless $chains{$table};
if ( $chain ) { if ( $chain ) {
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain}; my $chainref;
fatal_error "Built-in chains may not be refreshed" if $chain_table{table}{$chain}{builtin}; fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
push @{$chains{$table}}, $chain; fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
} else {
while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) { if ( $chainseq{$table} && @{$chainref->{rules}} ) {
push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin}; warning_message "The entire $table table will be refreshed" unless $tables{$table}++;
} else {
$chains{$table}{$chain} = $chainref;
} }
} else {
$tables{$table} = 1;
}
}
for $table ( keys %tables ) {
while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
} }
} }
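Review bot: the criterion for refreshing a whole table, `if ( $chainseq{$table} && @{$chainref->{rules}} )`, is coarser than the problem it addresses: any non-empty named chain in a table that has ever issued a ~excl/~log/nonat name triggers the warning and a full-table reload, even if that chain never jumps to a sequence-numbered chain. If the rule entries make the jump target inspectable, testing for a target that begins with `~` would confine the reload to the chains that need it; if they do not, say so in a comment. Separately, the rewrite fixes a latent bug: the old `$chain_table{table}{$chain}{builtin}` used the bareword key `table`, so the built-in check never fired; the new `$chainref->{builtin}` test is the first time it works, which deserves a release-notes line.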
@ -4713,14 +4754,14 @@ sub create_chainlist_reload($) {
enter_cat_mode; enter_cat_mode;
for $table qw(raw nat mangle filter) { for $table qw(raw nat mangle filter) {
next unless $chains{$table}; my $tableref=$chains{$table};
next unless $tableref;
@chains = sort keys %$tableref;
emit_unindented "*$table"; emit_unindented "*$table";
my $tableref=$chain_table{$table};
@chains = sort @{$chains{$table}};
for my $chain ( @chains ) { for my $chain ( @chains ) {
my $chainref = $tableref->{$chain}; my $chainref = $tableref->{$chain};
emit_unindented ":$chainref->{name} - [0:0]"; emit_unindented ":$chainref->{name} - [0:0]";
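Review bot: `for $table qw(raw nat mangle filter) {` relies on qw() acting as implicit parentheses, which Perl 5.14 deprecates with a warning and later releases reject; since this line is being touched anyway, write `for $table ( qw(raw nat mangle filter) ) {`. The restructuring itself is sound: `$tableref` now points at the selected chainrefs, so `sort keys %$tableref` and `$tableref->{$chain}` agree.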

View File

@ -54,7 +54,7 @@ our $family;
# #
sub initialize_package_globals() { sub initialize_package_globals() {
Shorewall::Config::initialize($family); Shorewall::Config::initialize($family);
Shorewall::Chains::initialize ($family, 1); Shorewall::Chains::initialize ($family, 1, $export );
Shorewall::Zones::initialize ($family); Shorewall::Zones::initialize ($family);
Shorewall::Nat::initialize; Shorewall::Nat::initialize;
Shorewall::Providers::initialize($family); Shorewall::Providers::initialize($family);
@ -817,7 +817,7 @@ sub compiler {
# We must reinitialize Shorewall::Chains before generating the iptables-restore input # We must reinitialize Shorewall::Chains before generating the iptables-restore input
# for stopping the firewall # for stopping the firewall
# #
Shorewall::Chains::initialize( $family, 0 ); Shorewall::Chains::initialize( $family, 0 , $export );
initialize_chain_table; initialize_chain_table;
# #
# S T O P _ F I R E W A L L # S T O P _ F I R E W A L L
@ -881,7 +881,7 @@ sub compiler {
# Re-initialize the chain table so that process_routestopped() has the same # Re-initialize the chain table so that process_routestopped() has the same
# environment that it would when called by compile_stop_firewall(). # environment that it would when called by compile_stop_firewall().
# #
Shorewall::Chains::initialize( $family , 0 ); Shorewall::Chains::initialize( $family , 0 , $export );
initialize_chain_table; initialize_chain_table;
if ( $debug ) { if ( $debug ) {

View File

@ -61,6 +61,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
disable_script disable_script
numeric_value numeric_value
numeric_value1 numeric_value1
normalize_hex
hex_value hex_value
in_hex in_hex
in_hex2 in_hex2
@ -411,7 +412,7 @@ sub initialize( $ ) {
EXPORT => 0, EXPORT => 0,
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.19.1", VERSION => "4.4.19.4",
CAPVERSION => 40417 , CAPVERSION => 40417 ,
); );
# #
@ -819,6 +820,16 @@ sub hex_value( $ ) {
use warnings; use warnings;
} }
#
# Strip off superfluous leading zeros from a hex number
#
sub normalize_hex( $ ) {
my $val = lc shift;
$val =~ s/^0// while $val =~ /^0/ && length $val > 1;
$val;
}
# #
# Return the argument expressed in Hex # Return the argument expressed in Hex
# #
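Review bot: normalize_hex() mishandles a 0x prefix: for `0x1a` the loop `$val =~ s/^0// while $val =~ /^0/ && length $val > 1;` strips the zero of the prefix and returns `x1a`, which hex_value() cannot parse, so any caller that still accepts the 0x form (this range contains both a commit dropping the 0x requirement and one backing out its documentation) gets an unhelpful error. Strip the prefix first with `$val =~ s/^0x//;`; the loop then collapses to a single substitution, `$val =~ s/^0+(?=.)//;`, which leaves a lone `0` intact. The comment should also say that the lc() is what makes the result usable as a hash key in string comparisons, since that is the reason the function exists.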

View File

@ -466,6 +466,7 @@ sub add_a_provider( ) {
if ( $gateway ) { if ( $gateway ) {
$address = get_interface_address $interface unless $address; $address = get_interface_address $interface unless $address;
emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm"; emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm"; emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
} }
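Review bot: `emit "run_ip route replace $gateway src $address dev $physical ${mtu}";` installs the host route to the gateway in the main table with `replace`, which overwrites an existing main-table route to the same gateway (for example one installed by a DHCP client, or by another provider that shares the gateway) and rewrites its src and dev. If that is acceptable it should be called out in the release notes; otherwise `route add` with the failure ignored, or a prior `ip route show` check, avoids clobbering it. The trailing space left by `${mtu}` at the end of the line is harmless.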

View File

@ -1751,6 +1751,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
} }
if ( $actiontype & NATONLY ) { if ( $actiontype & NATONLY ) {
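Review bot: the new check correctly uses single quotes so that `$FW` appears literally in the message. For consistency with the matching check added to process_tc_rule() in Tc.pm ("USER/GROUP only allowed in the OUTPUT chain"), consider giving both messages the same shape, since they enforce the same restriction (owner matching exists only for locally generated traffic) and users will search for the text.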
@ -2013,6 +2014,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
$loglevel = ''; $loglevel = '';
$dest = $server; $dest = $server;
$action = 'ACCEPT'; $action = 'ACCEPT';
$origdest = ALLIP if $origdest =~ /[+]/;
} }
} elsif ( $actiontype & NONAT ) { } elsif ( $actiontype & NONAT ) {
# #
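Review bot: `$origdest = ALLIP if $origdest =~ /[+]/;` widens the companion filter rule: when ORIGINAL DEST names an ipset, the ACCEPT generated for `$server` no longer carries any original-destination match, so it also accepts traffic to `$server` that was never subject to the DNAT. That is presumably unavoidable because the original-destination match in the filter table cannot consult an ipset, but it is a security-relevant difference from the address form and should be stated both in a code comment here and in the manpage text added by "Support ipsets in the ORIGINAL DEST column", so that administrators do not assume the filter side is restricted the same way as the nat rule.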

View File

@ -252,10 +252,23 @@ sub process_tc_rule( ) {
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark; require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
} else { } else {
fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/; fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) { if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
$originalmark = join( ':', normalize_hex( $mark ), normalize_hex( $designator ) );
fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} ); fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} );
fatal_error "IFB Classes may not be specified in tcrules" if @{$tcdevices{$device}{redirected}};
unless ( $tcclasses{$device}{hex_value $designator}{leaf} ) {
warning_message "Non-leaf Class ($originalmark) - tcrule ignored";
return;
}
if ( $dest eq '-' ) {
$dest = $device;
} else {
$dest = join( ':', $device, $dest ) unless $dest =~ /^[[:alpha:]]/;
}
} }
$chain = 'tcpost'; $chain = 'tcpost';
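Review bot: `fatal_error "IFB Classes may not be specified in tcrules" if @{$tcdevices{$device}{redirected}};` dereferences `redirected` unconditionally; under strict refs this dies with "Can't use an undefined value as an ARRAY reference" for any device whose entry lacks that key, so either guarantee the key is initialised to `[]` when the device is registered or write the test as `if $tcdevices{$device}{redirected} && @{$tcdevices{$device}{redirected}}`. Two smaller points in the same hunk: the unchanged `"Unknown Class ($originalmark)}"` message carries a stray `}`, and the MARK pattern changed from `^([0-9]+|0x[0-9a-f]+)$` to `^([0-9a-fA-F]+)$`, so a `0x` prefix that was previously accepted is now rejected as "Invalid MARK", which the release notes should mention.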
@ -404,6 +417,8 @@ sub process_tc_rule( ) {
} }
} }
fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} | $restriction, $restrictions{$chain} | $restriction,
do_proto( $proto, $ports, $sports) . do_proto( $proto, $ports, $sports) .
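Review bot: the condition `$chain eq 'tcout' || $chain eq 'tcpost'` accepts two chains, but the message "USER/GROUP only allowed in the OUTPUT chain" names only one; list both chains, or phrase it in terms of locally generated traffic as the Rules.pm check does, so the user is not told that a tcpost rule is disallowed.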
@ -602,15 +617,16 @@ sub validate_tc_device( ) {
fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest; fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
if ( defined $number ) { if ( defined $number ) {
$number = normalize_hex( $number );
$devnumber = hex_value( $number ); $devnumber = hex_value( $number );
fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber; fatal_error "Invalid device NUMBER ($number)" unless defined $devnumber && $devnumber && $devnumber < 256;
fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ]; fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
$devnum = $devnumber if $devnumber > $devnum; $devnum = $devnumber if $devnumber > $devnum;
} else { } else {
fatal_error "Missing interface NUMBER"; fatal_error "Missing interface NUMBER";
} }
} else { } elsif ( ( $devnumber = ++$devnum ) > 255 ) {
$devnumber = ++$devnum; fatal_error "Attempting to assign a device number > 255";
} }
$devnums[ $devnumber ] = $device; $devnums[ $devnumber ] = $device;
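Review bot: the error messages in this hunk now show the normalized value rather than what the user typed: `$number = normalize_hex( $number );` runs first, so an entry written as `0x1` fails as "Invalid device NUMBER (x1)". Keep the original string for the message, or normalize into a separate variable. The new bound is consistent between the two branches (`$devnumber < 256` and the matching `> 255`), but the adjacent messages still mix "device NUMBER" and "interface number" for the same field.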
@ -745,7 +761,6 @@ sub dev_by_number( $ ) {
} }
( $dev , $devref ); ( $dev , $devref );
} }
sub validate_tc_class( ) { sub validate_tc_class( ) {
@ -761,7 +776,7 @@ sub validate_tc_class( ) {
( $device, my ($number, $subnumber, $rest ) ) = split /:/, $device, 4; ( $device, my ($number, $subnumber, $rest ) ) = split /:/, $device, 4;
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest; fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
if ( $device =~ /^(\d+|0x[\da-fA-F]+)$/ ) { if ( $device =~ /^[\da-fA-F]+$/ && ! $tcdevices{$device} ) {
( $number , $classnumber ) = ( hex_value $device, hex_value $number ); ( $number , $classnumber ) = ( hex_value $device, hex_value $number );
( $device , $devref) = dev_by_number( $number ); ( $device , $devref) = dev_by_number( $number );
} else { } else {
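Review bot: `$device =~ /^[\da-fA-F]+$/ && ! $tcdevices{$device}` changes the disambiguation rule: an INTERFACE field consisting only of hex digits is now treated as an interface name when a tcdevice of that name exists and as a device number otherwise, whereas previously only decimal or 0x-prefixed values were numbers. A mistyped hex-looking interface name therefore falls through to dev_by_number() and yields a number-oriented error; document the precedence rule in a comment and in the tcclasses manpage (the "Another tcclasses manpage update" commit in this range could carry it).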
@ -777,7 +792,8 @@ sub validate_tc_class( ) {
$classnumber = hex_value $subnumber; $classnumber = hex_value $subnumber;
} }
fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber; fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber && $classnumber < 0x8000;
fatal_error "Reserved class number (1)" if $classnumber == 1;
fatal_error "Duplicate interface:class number ($number:$classnumber}" if $tcclasses{$device}{$classnumber}; fatal_error "Duplicate interface:class number ($number:$classnumber}" if $tcclasses{$device}{$classnumber};
} else { } else {
fatal_error "Missing interface NUMBER"; fatal_error "Missing interface NUMBER";
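Review bot: the added `$classnumber < 0x8000` bound shares the generic `Invalid interface/class number` message with the missing/zero case, so a user who writes a class above 0x7fff gets no hint of which constraint failed; a dedicated `fatal_error "Class number must be less than 0x8000 ($devclass)"` would be clearer, and a comment explaining why the range stops at 0x8000 is missing.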
@ -824,9 +840,11 @@ sub validate_tc_class( ) {
# Nested Class # Nested Class
# #
$parentref = $tcref->{$parentclass}; $parentref = $tcref->{$parentclass};
fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1; my $parentnum = in_hexp $parentclass;
fatal_error "The class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax}; fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
fatal_error "The class ($parentclass) specifies flow; it cannot serve as a parent" if $parentref->{flow}; fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent" if $parentref->{flow};
fatal_error "The default class ($parentnum) may not have sub-classes" if $devref->{default} == $parentclass;
$parentref->{leaf} = 0; $parentref->{leaf} = 0;
$ratemax = $parentref->{rate}; $ratemax = $parentref->{rate};
$ratename = q(the parent class's RATE); $ratename = q(the parent class's RATE);
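Review bot: `$devref->{default} == $parentclass` is a numeric comparison against a key that may not exist yet; the `No default class defined for device` check added to setup_traffic_shaping in this same diff shows that `default` can be absent, so under `use warnings` this line emits an "uninitialized value" warning for every nested class on such a device. Guard it: `fatal_error "..." if defined $devref->{default} && $devref->{default} == $parentclass;`.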
@ -845,6 +863,7 @@ sub validate_tc_class( ) {
$dmax = convert_delay( $dmax ); $dmax = convert_delay( $dmax );
$umax = convert_size( $umax ); $umax = convert_size( $umax );
fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax; fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
$parentclass ||= 1;
} else { } else {
$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename ); $rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
} }
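Review bot: `$parentclass ||= 1;` is added only in the DMAX/UMAX branch and without a comment; since class 1 is rejected elsewhere in validate_tc_class as reserved (`Reserved class number (1)`), a one-line comment stating that top-level classes in this branch are deliberately attached to root class 1 would keep the two rules from looking contradictory, and it should say why the plain-RATE `else` branch does not need the same default.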
@ -976,9 +995,15 @@ sub process_tc_filter() {
my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 ); my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 );
( $device , my $devref ) = dev_by_number( $device ); my $devref;
my $devnum = $devref->{number}; if ( $device =~ /^[\da-fA-F]+$/ && ! $tcdevices{$device} ) {
( $device, $devref ) = dev_by_number( hex_value( $device ) );
} else {
( $device , $devref ) = dev_by_number( $device );
}
my $devnum = in_hexp $devref->{number};
my $tcref = $tcclasses{$device}; my $tcref = $tcclasses{$device};
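Review bot: the hex-literal-versus-device-name test `$device =~ /^[\da-fA-F]+$/ && ! $tcdevices{$device}` is now duplicated verbatim from validate_tc_class; move it into dev_by_number (or a small helper used by both callers) so tcfilters and tcclasses cannot drift apart in how they resolve an ambiguous INTERFACE column.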
@ -993,6 +1018,13 @@ sub process_tc_filter() {
fatal_error "Unknown CLASS ($devclass)" unless $tcref && $tcref->{occurs}; fatal_error "Unknown CLASS ($devclass)" unless $tcref && $tcref->{occurs};
fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1; fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
unless ( $tcref->{leaf} ) {
warning_message "Filter specifying a non-leaf CLASS ($devnum:$class) ignored";
return;
}
my $have_rule = 0;
if ( $devref->{physical} ne $lastdevice ) { if ( $devref->{physical} ne $lastdevice ) {
if ( $lastdevice ) { if ( $lastdevice ) {
pop_indent; pop_indent;
@ -1009,11 +1041,13 @@ sub process_tc_filter() {
if ( $source ne '-' ) { if ( $source ne '-' ) {
my ( $net , $mask ) = decompose_net( $source ); my ( $net , $mask ) = decompose_net( $source );
$rule .= "\\\n match $ip32 src $net/$mask"; $rule .= "\\\n match $ip32 src $net/$mask";
$have_rule = 1;
} }
if ( $dest ne '-' ) { if ( $dest ne '-' ) {
my ( $net , $mask ) = decompose_net( $dest ); my ( $net , $mask ) = decompose_net( $dest );
$rule .= "\\\n match $ip32 dst $net/$mask"; $rule .= "\\\n match $ip32 dst $net/$mask";
$have_rule = 1;
} }
if ( $tos ne '-' ) { if ( $tos ne '-' ) {
@ -1032,6 +1066,7 @@ sub process_tc_filter() {
} }
$rule .= "\\\n match $ip32 tos $tosval $mask"; $rule .= "\\\n match $ip32 tos $tosval $mask";
$have_rule = 1;
} }
if ( $length ne '-' ) { if ( $length ne '-' ) {
@ -1039,6 +1074,7 @@ sub process_tc_filter() {
my $mask = $validlengths{$len}; my $mask = $validlengths{$len};
fatal_error "Invalid LENGTH ($length)" unless $mask; fatal_error "Invalid LENGTH ($length)" unless $mask;
$rule .="\\\n match u16 0x0000 $mask at $lo"; $rule .="\\\n match u16 0x0000 $mask at $lo";
$have_rule = 1;
} }
my $protonumber = 0; my $protonumber = 0;
@ -1046,13 +1082,20 @@ sub process_tc_filter() {
unless ( $proto eq '-' ) { unless ( $proto eq '-' ) {
$protonumber = resolve_proto $proto; $protonumber = resolve_proto $proto;
fatal_error "Unknown PROTO ($proto)" unless defined $protonumber; fatal_error "Unknown PROTO ($proto)" unless defined $protonumber;
$rule .= "\\\n match $ip32 protocol $protonumber 0xff" if $protonumber; if ( $protonumber ) {
$rule .= "\\\n match $ip32 protocol $protonumber 0xff";
$have_rule = 1;
}
} }
if ( $portlist eq '-' && $sportlist eq '-' ) { if ( $portlist eq '-' && $sportlist eq '-' ) {
emit( "\nrun_tc $rule\\" , if ( $have_rule ) {
" flowid $devref->{number}:$class" , emit( "\nrun_tc $rule\\" ,
'' ); " flowid $devnum:$class" ,
'' );
} else {
warning_message "Degenerate tcfilter ignored";
}
} else { } else {
fatal_error "Ports may not be specified without a PROTO" unless $protonumber; fatal_error "Ports may not be specified without a PROTO" unless $protonumber;
our $lastrule; our $lastrule;
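Review bot: the `Degenerate tcfilter ignored` warning gives no hint which entry was skipped, unlike the non-leaf warning a few lines earlier that prints `$devnum:$class`; include the same identifier here, e.g. `warning_message "Degenerate tcfilter for class $devnum:$class ignored"`. A short comment that `$have_rule` is intentionally not consulted on the ports branch, because a port match always makes the filter non-degenerate, would also help the next reader.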
@ -1113,7 +1156,7 @@ sub process_tc_filter() {
emit( "\nrun_tc $rule\\" , emit( "\nrun_tc $rule\\" ,
" $rule1\\" , " $rule1\\" ,
" flowid $devref->{number}:$class" ); " flowid $devnum:$class" );
} }
} }
} else { } else {
@ -1131,7 +1174,7 @@ sub process_tc_filter() {
$rule1 .= "\\\n match icmp code $icmpcode 0xff" if defined $icmpcode; $rule1 .= "\\\n match icmp code $icmpcode 0xff" if defined $icmpcode;
emit( "\nrun_tc ${rule}\\" , emit( "\nrun_tc ${rule}\\" ,
"$rule1\\" , "$rule1\\" ,
" flowid $devref->{number}:$class" ); " flowid $devnum:$class" );
} elsif ( $protonumber == IPv6_ICMP ) { } elsif ( $protonumber == IPv6_ICMP ) {
fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4; fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4;
fatal_error "SOURCE PORT(S) are not allowed with IPv6 ICMP" if $sportlist ne '-'; fatal_error "SOURCE PORT(S) are not allowed with IPv6 ICMP" if $sportlist ne '-';
@ -1142,7 +1185,7 @@ sub process_tc_filter() {
$rule1 .= "\\\n match icmp6 code $icmpcode 0xff" if defined $icmpcode; $rule1 .= "\\\n match icmp6 code $icmpcode 0xff" if defined $icmpcode;
emit( "\nrun_tc ${rule}\\" , emit( "\nrun_tc ${rule}\\" ,
"$rule1\\" , "$rule1\\" ,
" flowid $devref->{number}:$class" ); " flowid $devnum:$class" );
} else { } else {
my @portlist = expand_port_range $protonumber , $portrange; my @portlist = expand_port_range $protonumber , $portrange;
@ -1162,7 +1205,7 @@ sub process_tc_filter() {
if ( $sportlist eq '-' ) { if ( $sportlist eq '-' ) {
emit( "\nrun_tc ${rule}\\" , emit( "\nrun_tc ${rule}\\" ,
" $rule1\\" , " $rule1\\" ,
" flowid $devref->{number}:$class" ); " flowid $devnum:$class" );
} else { } else {
for my $sportrange ( split_list $sportlist , 'port list' ) { for my $sportrange ( split_list $sportlist , 'port list' ) {
my @sportlist = expand_port_range $protonumber , $sportrange; my @sportlist = expand_port_range $protonumber , $sportrange;
@ -1183,7 +1226,7 @@ sub process_tc_filter() {
emit( "\nrun_tc ${rule}\\", emit( "\nrun_tc ${rule}\\",
" $rule1\\" , " $rule1\\" ,
" $rule2\\" , " $rule2\\" ,
" flowid $devref->{number}:$class" ); " flowid $devnum:$class" );
} }
} }
} }
@ -1264,6 +1307,13 @@ sub process_tc_priority() {
return; return;
} }
fatal_error "Invalid tcpri entry" if ( $proto eq '-' &&
$ports eq '-' &&
$address eq '-' &&
$interface eq '-' &&
$helper eq '-' );
my $val = numeric_value $band; my $val = numeric_value $band;
fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3; fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
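Review bot: `Invalid tcpri entry` does not tell the user what is wrong; since the condition is specifically "every column except BAND is `-`", say so: `fatal_error "Invalid tcpri entry: at least one of PROTO, PORT(S), ADDRESS, INTERFACE or HELPER must be specified"`. Note also that the check sits after the `return;` that closes the preceding block, so whatever early exit that block covers bypasses the new validation; confirm that is only the comment/blank-entry case.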
@ -1376,6 +1426,8 @@ sub setup_traffic_shaping() {
my $devnum = in_hexp $devref->{number}; my $devnum = in_hexp $devref->{number};
my $r2q = int calculate_r2q $devref->{out_bandwidth}; my $r2q = int calculate_r2q $devref->{out_bandwidth};
fatal_error "No default class defined for device $device" unless $devref->{default};
$device = physical_name $device; $device = physical_name $device;
my $dev = chain_base( $device ); my $dev = chain_base( $device );
@ -1500,7 +1552,11 @@ sub setup_traffic_shaping() {
if ( $tcref->{leaf} && ! $tcref->{pfifo} ) { if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
$sfqinhex = in_hexp( ++$sfq); $sfqinhex = in_hexp( ++$sfq);
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ); if ( $devref->{qdisc} eq 'htb' ) {
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
} else {
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
}
} }
# #
# add filters # add filters
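Review bot: the two `emit` calls differ only in the ` quantum \$quantum` token; build that option once, e.g. `my $q = $devref->{qdisc} eq 'htb' ? ' quantum \$quantum' : '';`, and emit a single command string so the `limit` and `perturb` arguments cannot drift between the HTB and HFSC branches. A comment saying why the quantum is applied only under HTB would also help; the commit title says what changed, the code does not say why.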
@ -1513,7 +1569,7 @@ sub setup_traffic_shaping() {
# #
# options # options
# #
emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack}; emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
for my $tospair ( @{$tcref->{tos}} ) { for my $tospair ( @{$tcref->{tos}} ) {
my ( $tos, $mask ) = split q(/), $tospair; my ( $tos, $mask ) = split q(/), $tospair;
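Review bot: `$devicenumber` is not declared anywhere in the visible lines of setup_traffic_shaping, whereas `my $devnum = in_hexp $devref->{number};` is (first hunk of this function). If the intent is the hex form of the device number, use `$devnum` here for consistency with the tcfilters changes in this diff; if `$devicenumber` is a new variable, its declaration is missing from the diff and the file would not compile under `use strict`.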

View File

@ -73,7 +73,7 @@ my $shorewall_dir = '';
my $verbose = 0; my $verbose = 0;
my $timestamp = 0; my $timestamp = 0;
my $debug = 0; my $debug = 0;
my $chains = ''; my $chains = ':none:';
my $log = ''; my $log = '';
my $log_verbose = 0; my $log_verbose = 0;
my $help = 0; my $help = 0;
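Review bot: `':none:'` is a magic string whose meaning is only defined by the shell front ends (`g_refreshchains=:none:` and `g_refreshchains=:refresh:` elsewhere in this diff); give it a named constant in compiler.pl and a comment at this declaration saying that `:none:` means "not a refresh", so the Perl side and the shell side cannot silently disagree on the sentinel.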

View File

@ -509,10 +509,10 @@ undo_routing() {
# #
save_default_route() { save_default_route() {
awk \ awk \
'BEGIN {default=0;}; \ 'BEGIN {defroute=0;};
/^default / {default=1; print; next}; \ /^default / {deroute=1; print; next};
/nexthop/ {if (default == 1 ) {print ; next} }; \ /nexthop/ {if (defroute == 1 ) {print ; next} };
{ default=0; };' { defroute=0; };'
} }
# #
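Review bot: the awk program in this first copy of save_default_route has a typo: `/^default / {deroute=1; print; next};` sets `deroute`, but the `/nexthop/` rule tests `defroute`, so `nexthop` lines that follow a `default` route are never printed and a multipath default route is saved incomplete. The second copy of this function later in the diff spells it `defroute=1` correctly; fix this one to match. Dropping the backslash continuations inside the single-quoted program is fine, since every awk rule is terminated with `;`.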

View File

@ -497,10 +497,10 @@ undo_routing() {
# #
save_default_route() { save_default_route() {
awk \ awk \
'BEGIN {default=0;}; \ 'BEGIN {defroute=0;};
/^default / {default=1; print; next}; \ /^default / {defroute=1; print; next};
/nexthop/ {if (default == 1 ) {print ; next} }; \ /nexthop/ {if (defroute == 1 ) {print ; next} };
{ default=0; };' { defroute=0; };'
} }
# #

View File

@ -1,3 +1,36 @@
Changes in Shorewall 4.4.19.4
1) Disallow degenerate entry in tcpri.
2) More fixes to LIBEXEC/TCPRI
3) Don't allow filters and tcrules to refer to non-leaf classes.
4) Issue warning on missing ipset.
5) Fix logging and exclusion vs 'refresh'.
6) Fix deletion of IPv6 'shorewall' chain.
Changes in Shorewall 4.4.19.3
1) Eliminate issue with 'gawk'.
2) Ensure that a host route to the gateway exists in the main table.
3) Only allow USER/GROUP in the OUTPUT chain.
4) Restrict output interface in CLASSIFY TC rules.
Changes in Shorewall 4.4.19.2
1) Restore the ability to have IPSET names in the ORIGINAL DEST column
of a DNAT or REDIRECT rule.
2) Correct several complex TC issues reported by Mr Dash4.
3) Detect double exclusion involving ipset expressions.
Changes in Shorewall 4.4.19.1 Changes in Shorewall 4.4.19.1
1) Eliminate silly duplicate rule when stopped. 1) Eliminate silly duplicate rule when stopped.
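Review bot: item 2 of the 4.4.19.4 list, "More fixes to LIBEXEC/TCPRI", does not say what was fixed, while every other entry names a concrete change; spell it out (the PERL5LIB handling in compiler() and the tcpri validation in this diff appear to be what it refers to).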

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -20,3 +20,94 @@
Corrected in Shorewall 4.4.19.1 Corrected in Shorewall 4.4.19.1
4) There are several known problems in Complex TC:
a) The following entry in /etc/shorewall/tcclasses
A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack
produces this error:
ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses
b) Shorewall reserves class number 1 for the root class of the
queuing discipline. Definining class 1 in
/etc/shorewall/tcclasses results in a run-time error.
c) The compiler does not complain if a CLASSID specified in the MARK
column of tcrules refers to an IFB class. Such a rule is
nonsensical since packets are passed through the IFB before
they are passed through any marking rules.
d) Where there are more than 10 tcdevices, tcfilter entries can
generate invalid rules.
These problems are corrected in Shorewall 4.4.19.2.
3) Double exclusion involving ipset lists is not detected,
resulting in anomalous behavior.
Example:
ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]
Corrected in Shorewall 4.4.19.2.
4) The changes in 4.4.19.1 that corrected long-standing issues with
default route save/restore are incompatible with 'gawk'. When
'gawk' is installed (rather than 'mawk'), awk syntax errors having
to do with the symbol 'default' were issued.
Workaround: Install mawk
Corrected in Shorewall 4.4.19.3.
5) An entry in the USER/GROUP column in the rules and tcrules files
can cause run-time start/restart failures if the rule(s) being
added did not have the firewall as the source or and was not being
added to the POSTROUTING chain.
Workaround: Insure that all USER/GROUP matches are only specified
when the SOURCE is $FW (rules file) or is being added to the
POSTROUTING chain (:T designator in the tcrules file).
Corrected in Shorewall 4.4.19.3.
6) The compiler allow degenerate entries (only the BAND column
specified) in /etc/shorewall/tcpri. Such entries cause a run-time
failure during start/restart.
Corrected in Shorewall 4.4.19.4.
7) It is possible to specify tcfilters and tcrules that classify
traffic with the class-id of a non-leaf HFSC class. Such
classes are not capabable of handling packets.
If a non-leaf class is specified as the default class, then
a run-time start/restart failure occurs.
Corrected in Shorewall 4.4.19.4.
8) Shorewall does not check for the existance of ipsets mentioned in
the configuration, potentially resulting in a run-time
start/restart failure.
Corrected in Shorewall 4.4.19.4.
9) As currently implemented, the 'refresh' command can fail or
can result in a ruleset other than what was intended. If there
have been changes in the ruleset since it was originally
started/restarted/restored that added or deleted sequenced chains
(chains such as ~lognnn and ~exclnnn), the resulting ruleset can
jump to the wrong such chains or can fail to 'refresh'
successfully.
Workaround: Use 'restart' rather than 'refresh'
Corrected in Shorewall 4.4.19.4.
10) 'shorewall6 refresh' issues a harmless 'ip6tables: Chain exists'
error message.
Corrected in Shorewall 4.4.19.4.
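Review bot: the added text has numbering and spelling problems. A second item "4)" is introduced right after "Corrected in Shorewall 4.4.19.1", followed by "3)" and then another "4)", so the list reads 4, 3, 4, 5, ...; renumber it. Spelling: "Definining" should be "Defining", "capabable" should be "capable", "existance" should be "existence", "Insure" should be "Ensure"; and item 5's "did not have the firewall as the source or and was not being added" has a stray "or".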

View File

@ -1,5 +1,5 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 9 . 1 S H O R E W A L L 4 . 4 . 1 9 . 4
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE I. PROBLEMS CORRECTED IN THIS RELEASE
@ -13,6 +13,144 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
4.4.19.4
1) Previously, the compiler would allow a degenerate entry (only the
BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
compilation error.
2) Previously, it was possible to specify tcfilters and tcrules that
classified traffic with the class-id of a non-leaf HFSC class. Such
classes are not capabable of handling packets.
Shorewall now generates a compile-time warning in this case and
ignores the entry.
If a non-leaf class is specified as the default class, then
Shorewall now generates a compile-time error since that
configuration allows no network traffic to flow.
3) Traditionally, Shorewall has not checked for the existance of
ipsets mentioned in the configuration, potentially resulting in a
run-time start/restart failure. Now, the compiler will issue a
WARNING if:
a) The compiler is being run by root.
b) The compilation isn't producing a script to run on a remote
system under a -lite product.
c) An ipset appearing in the configuration does not exist on the
local system.
4) As previously implemented, the 'refresh' command could fail or
could result in a ruleset other than what was intended. If there
had been changes in the ruleset since it was originally
started/restarted/restored that added or deleted sequenced chains
(chains such as ~lognnn and ~exclnnn), the resulting ruleset could
jump to the wrong such chains or could fail to 'refresh'
successfully.
This issue has been corrected as follows. When a 'refresh' is done
and individual chains are involved, then each table that contains
both sequenced chains and one of the chains being refreshed is
refreshed in its entirety.
For example, if 'shorwall refresh foo' is issued and the filter
table (which is the default) contains any sequenced chains, then
the entire table is reloaded. Note that this reload operation is
atomic so no packets are passed through an inconsistent
configuration.
5) When 'shorewall6 refresh' was run previously, a harmless
'ip6tables: Chain exists' message was generated.
4.4.19.3
1) The changes in 4.4.19.1 that corrected long-standing issues with
default route save/restore were incompatible with 'gawk'. When
'gawk' was installed (rather than 'mawk'), awk syntax errors having
to do with the symbol 'default' were issued.
This incompatibility has been corrected.
2) Previously, an entry in the USER/GROUP column in the rules and
tcrules files could cause run-time start/restart failures if the
rule(s) being added did not have the firewall as the source (rules
file) and were not being added to the POSTROUTING chain (:T
designator in the tcrules file). This error is now caught by
the compiler.
3) Shorewall now insures that a route to a default gateway exists in
the main table before it attempts to add a default route through
that gateway in a provider table. This prevents start/restart
failures in the rare event that such a route does not exist.
4) CLASSIFY TC rules can apply to traffic exiting only the interface
associated with the class-id specified in the first column. In a
Multi-ISP configuration, a naive user might create this TC rule:
1:2 - 1.2.3.4
This will work fine when 1.2.3.4 can only be routed out of a single
interface. However, if we assume that eth0 is interface 1, then the
above rule only works for traffic leaving via eth0.
Beginning with this release, the Shorewall compiler will interpret
the above rule as this one:
1.2 - eth0:1.2.3.4
4.4.19.2
1) In Shorewall-shell, there was the ability to specify IPSET names in
the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability,
inadvertently dropped in Shorewall-perl, has been restored.
CAUTION: When an IPSET is used in this way, the server port is
opened from the SOURCE zone.
Example:
DNAT net dmz:10.1.1.2 tcp 80 - +foo
will implicitly add this rule
ACCEPT net dmz:10.1.1.2 tcp 80
2) Several problems with complex TC have been corrected:
a) The following entry in /etc/shorewall/tcclasses
A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack
produced this error:
ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses
This has been corrected.
b) Shorewall reserves class number 1 for the root class of the
queuing discipline. Definining class 1 in
/etc/shorewall/tcclasses was previoulsly escaping detection by
the compiler, resulting in a run-time error.
c) The compiler did not complain if a CLASSID specified in the MARK
column of tcrules referred to an IFB class. Such a rule would be
nonsensical since packets are passed through the IFB before
they are passed through any marking rules. Such a configuration
now results in a compilation error.
d) Where there are more than 10 tcdevices, tcfilter entries could
generate invalid rules.
3) Double exclusion involving ipset lists was previously not detected,
resulting in anomalous behavior.
Example:
ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]
Such cases now result in a compilation error.
4.4.19.1 4.4.19.1
1) A duplicate ACCEPT rule in the INPUT chain has been eliminated when 1) A duplicate ACCEPT rule in the INPUT chain has been eliminated when
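Review bot: in 4.4.19.3 item 4 the rewritten rule is shown as `1.2 - eth0:1.2.3.4`, but the original rule above it is `1:2 - 1.2.3.4`; the class-id should read `1:2`, since `1.2` is not a valid INTERFACE:CLASS form. Spelling in the added text: "capabable" should be "capable", "existance" should be "existence", "shorwall refresh foo" should be "shorewall refresh foo", "insures" should be "ensures", "Definining" should be "Defining", and "previoulsly" should be "previously".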

View File

@ -363,11 +363,12 @@ compiler() {
PERL=/usr/bin/perl PERL=/usr/bin/perl
fi fi
if [ $g_perllib = share/shorewall ]; then if [ $g_perllib != ${g_libexec}/shorewall ]; then
$PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@ PERL5LIB=/usr/$g_perllib
else export PERL5LIB
PERL5LIB=$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
fi fi
$PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
} }
# #
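Review bot: `export PERL5LIB` changes the variable for the rest of the shell process, not just for the single compiler invocation as the old `PERL5LIB=$g_perllib $PERL ...` form did; if that is intended, say so in a comment, otherwise keep the per-command assignment. `[ $g_perllib != ${g_libexec}/shorewall ]` is unquoted, so an empty `g_perllib` turns the test into a syntax error; quote both operands. Finally, this file sets `PERL5LIB=/usr/$g_perllib` while the shorewall6 copy of compiler() later in this diff sets `PERL5LIB=$g_perllib` with no `/usr/` prefix; one of the two is wrong.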
@ -825,6 +826,8 @@ refresh_command() {
g_refreshchains="$g_refreshchains,$1" g_refreshchains="$g_refreshchains,$1"
shift shift
done done
else
g_refreshchains=:refresh:
fi fi
shorewall_is_started || fatal_error "Shorewall is not running" shorewall_is_started || fatal_error "Shorewall is not running"
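Review bot: `:refresh:` is a second sentinel alongside `:none:` (initialised in the `g_refreshchains=:none:` hunk below) and neither is documented in the shell; add a comment stating the contract that compiler.pl relies on: `:none:` means "not a refresh", `:refresh:` means "refresh with the default chain set", and anything else is a comma-separated chain list.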
@ -1469,7 +1472,7 @@ g_verbose_offset=0
g_use_verbosity= g_use_verbosity=
g_debug= g_debug=
g_export= g_export=
g_refreshchains= g_refreshchains=:none:
# #
# Make sure that these variables are cleared # Make sure that these variables are cleared

View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 4.4.19 %define version 4.4.19
%define release 1 %define release 4
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -109,6 +109,12 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog %changelog
* Wed May 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-4
* Sat May 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-3
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1 - Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall6-lite %define name shorewall6-lite
%define version 4.4.19 %define version 4.4.19
%define release 1 %define release 4
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -94,6 +94,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed May 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-4
* Sat May 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-3
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1 - Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -300,11 +300,12 @@ compiler() {
PERL=/usr/bin/perl PERL=/usr/bin/perl
fi fi
if [ $g_perllib = share/shorewall ]; then if [ $g_perllib != ${g_libexec}/shorewall ]; then
$command $PERL $debugflags $pc $options $@ PERL5LIB=$g_perllib
else export PERL5LIB
$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@
fi fi
$command $PERL $debugflags $pc $options $@
} }
# #
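Review bot: `PERL5LIB=$g_perllib` here lacks the `/usr/` prefix that the shorewall CLI's compiler() adds in the same diff (`PERL5LIB=/usr/$g_perllib`); unless `g_perllib` is absolute in shorewall6 but relative in shorewall, one of the two is wrong, and a relative PERL5LIB resolves against the current working directory, which is an undesirable property for module loading in a program run as root. The unquoted-test and export-scope remarks made on the shorewall copy apply here as well.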
@ -756,6 +757,8 @@ refresh_command() {
g_refreshchains="$g_refreshchains,$1" g_refreshchains="$g_refreshchains,$1"
shift shift
done done
else
g_refreshchains=:refresh:
fi fi
shorewall6_is_started || fatal_error "Shorewall6 is not running" shorewall6_is_started || fatal_error "Shorewall6 is not running"
@ -1377,6 +1380,7 @@ g_verbose_offset=0
g_use_verbosity= g_use_verbosity=
g_debug= g_debug=
g_export= g_export=
g_refreshchains=:none:
g_noroutes= g_noroutes=
g_purge= g_purge=

View File

@ -1,6 +1,6 @@
%define name shorewall6 %define name shorewall6
%define version 4.4.19 %define version 4.4.19
%define release 1 %define release 4
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -98,6 +98,12 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog %changelog
* Wed May 11 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-4
* Sat May 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-3
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1 - Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19.1 VERSION=4.4.19.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -652,9 +652,10 @@
<entry>firewall stop</entry> <entry>firewall stop</entry>
<entry>Only traffic to/from hosts listed in /etc/shorewall/hosts <entry>Only traffic to/from hosts listed in
is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes /etc/shorewall/routestopped is passed to/from/through the
in /etc/shorewall/shorewall.conf then in addition, all existing firewall. If ADMINISABSENTMINDED=Yes in
/etc/shorewall/shorewall.conf then in addition, all existing
connections are retained and all connection requests from the connections are retained and all connection requests from the
firewall are accepted.</entry> firewall are accepted.</entry>
</row> </row>

View File

@ -258,7 +258,7 @@ dmz ipv4</programlisting>Zone names are defined in
<filename>/etc/shorewall/zones</filename>.</para> <filename>/etc/shorewall/zones</filename>.</para>
<para>Note that Shorewall recognizes the firewall system as its own zone. <para>Note that Shorewall recognizes the firewall system as its own zone.
When the /etc/shorewall/zones file is processed, he name of the firewall When the /etc/shorewall/zones file is processed, the name of the firewall
zone is stored in the shell variable <firstterm>$FW</firstterm> which may zone is stored in the shell variable <firstterm>$FW</firstterm> which may
be used throughout the Shorewall configuration to refer to the firewall be used throughout the Shorewall configuration to refer to the firewall
zone.</para> zone.</para>

View File

@ -38,7 +38,10 @@
<listitem> <listitem>
<para>Host address, network address, MAC address, IP address range <para>Host address, network address, MAC address, IP address range
(if your kernel and iptables contain iprange match support) or ipset (if your kernel and iptables contain iprange match support) or ipset
name prefaced by "+" (if your kernel supports ipset match).</para> name prefaced by "+" (if your kernel supports ipset match).
Exclusion (<ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
supported.</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a <para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para> separator.</para>

View File

@ -134,7 +134,8 @@
classify option is not given, you may still specify a classify option is not given, you may still specify a
<emphasis>class</emphasis> or you may have Shorewall generate a <emphasis>class</emphasis> or you may have Shorewall generate a
class number from the MARK value. Interface numbers and class class number from the MARK value. Interface numbers and class
numbers are always assumed to be specified in hex.</para> numbers are always assumed to be specified in hex and class number 1
is reserved as the root class of the queuing discipline.</para>
<para>You may NOT specify wildcards here, e.g. if you have multiple <para>You may NOT specify wildcards here, e.g. if you have multiple
ppp interfaces, you need to put them all in here!</para> ppp interfaces, you need to put them all in here!</para>
@ -500,12 +501,13 @@
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para> url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcdevices(5),
shorewall-tunnels(5), shorewall-zones(5)</para> shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

View File

@ -126,7 +126,12 @@
<para>Optional. If given specifies whether the interface is <para>Optional. If given specifies whether the interface is
<emphasis role="bold">external</emphasis> (facing toward the <emphasis role="bold">external</emphasis> (facing toward the
Internet) or <emphasis role="bold">internal</emphasis> (facing Internet) or <emphasis role="bold">internal</emphasis> (facing
toward a local network) and enables SFQ flow classification.</para> toward a local network) and enables SFQ flow classification.
<emphasis role="bold">external</emphasis> causes the traffic
generated by each unique source IP address to be treated as a single
flow. <emphasis role="bold">internal</emphasis> causes the traffic
generated by each unique destination IP address to be treated as a
single flow. </para>
<note> <note>
<para>Simple traffic shaping is only useful on interfaces where <para>Simple traffic shaping is only useful on interfaces where
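Review bot: the new sentences describing external and internal end with a stray space before the closing tag ("single flow. </para>"), and the first sentence of the paragraph still lacks a comma ("If given, specifies"). Since the hunk only documents the two explicit values, it should also say which flow classification applies when the option is omitted, as "Optional" on its own leaves that open.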
@ -203,12 +208,13 @@
url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para> url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall-secmarks(5), shorewall-tcpri(5), shorewall-tcrules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
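Review bot: the reflowed SEE ALSO line keeps "shorewall_interfaces(5)" with an underscore next to the newly added "shorewall-ipsets(5)"; all other entries are hyphenated, so change it to "shorewall-interfaces(5)" while this line is being rewritten.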

View File

@ -80,18 +80,19 @@
marks (see below).</para> marks (see below).</para>
<para>May optionally be followed by <emphasis <para>May optionally be followed by <emphasis
role="bold">:P</emphasis>, <emphasis
role="bold">:F</emphasis>,<emphasis role="bold">:T</emphasis> or
<emphasis role="bold">:I</emphasis> where<emphasis role="bold">
:P</emphasis> indicates that marking should occur in the
PREROUTING chain, <emphasis role="bold">:F</emphasis> indicates
that marking should occur in the FORWARD chain, <emphasis
role="bold">:I </emphasis>indicates that marking should occur in
the INPUT chain (added in Shorewall 4.4.13), and <emphasis
role="bold">:T</emphasis> indicates that marking should occur in
the POSTROUTING chain. If neither <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis> role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis> where<emphasis nor <emphasis role="bold">:T</emphasis> follow the mark value
role="bold"> :P</emphasis> indicates that marking should occur then the chain is determined as follows:</para>
in the PREROUTING chain, <emphasis role="bold">:F</emphasis>
indicates that marking should occur in the FORWARD chain, :I
indicates that marking should occur in the INPUT chain (added in
Shorewall 4.4.13), and <emphasis role="bold">:T</emphasis>
indicates that marking should occur in the POSTROUTING chain. If
neither <emphasis role="bold">:P</emphasis>, <emphasis
role="bold">:F</emphasis> nor <emphasis
role="bold">:T</emphasis> follow the mark value then the chain
is determined as follows:</para>
<para>- If the SOURCE is <emphasis <para>- If the SOURCE is <emphasis
role="bold">$FW</emphasis>[<emphasis role="bold">$FW</emphasis>[<emphasis
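Review bot: the rewritten chain-qualifier paragraph adds :I to the list of qualifiers, but its closing sentence still says "If neither :P, :F nor :T follow the mark value then the chain is determined as follows", so :I is omitted from the condition; it should read "If none of :P, :F, :I or :T follows the mark value". The markup also places whitespace inside the emphasis elements ("<emphasis role="bold"> :P</emphasis>" directly after "where" and "<emphasis role="bold">:I </emphasis>indicates"), and ",<emphasis role="bold">:T</emphasis>" has no space after the comma; move the spaces outside the tags.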
@ -106,13 +107,17 @@
MARK_IN_FORWARD_CHAIN in <ulink MARK_IN_FORWARD_CHAIN in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>Please note that <emphasis role="bold">:I</emphasis> is
included for completeness and affects neither traffic shaping
nor policy routing.</para>
<para>If your kernel and iptables include CONNMARK support then <para>If your kernel and iptables include CONNMARK support then
you can also mark the connection rather than the packet.</para> you can also mark the connection rather than the packet.</para>
<para>The mark value may be optionally followed by "/" and a <para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection mark mask value (used to determine those bits of the connection mark
to actually be set). The mark and optional mask are then to actually be set). The mark and optional mask are then
followed by one of:+</para> followed by one of:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
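Review bot: the new paragraph on :I says only what it does not affect (traffic shaping and policy routing) and not what an INPUT-chain mark is for; state the intended use, or at least cross-reference the CI entry that this same change adds to the variablelist below so the two descriptions are kept together. Dropping the stray "+" after "followed by one of:" is correct.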
@ -147,6 +152,16 @@
<para>Mark the connecdtion in the POSTROUTING chain</para> <para>Mark the connecdtion in the POSTROUTING chain</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>CI</term>
<listitem>
<para>Mark the connection in the INPUT chain. This option
is included for completeness and has no applicability to
traffic shaping or policy routing.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para><emphasis role="bold">Special considerations for If <para><emphasis role="bold">Special considerations for If
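Review bot: the context line directly above the new CI entry still carries the typo "connecdtion" ("Mark the connecdtion in the POSTROUTING chain"); fix it in this change, since the list is being edited here anyway. The CI text also repeats the :I caveat from the paragraph above almost verbatim; a short "see :I above" would avoid keeping two copies in sync.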
@ -432,6 +447,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
packets originating on the firewall. May not be used with a packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.</para> chain qualifier (:P, :F, etc.) in the MARK column.</para>
</listitem> </listitem>
<listitem>
<para><replaceable>address-or-range</replaceable> may include
ipsets.</para>
</listitem>
</orderedlist> </orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a <para>MAC addresses must be prefixed with "~" and use "-" as a
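Review bot: the new list item "address-or-range may include ipsets" gives neither the syntax nor the prerequisite; the blacklist page in this same change spells it out as "ipset name prefaced by "+" (if your kernel supports ipset match)", and the same wording should be used here so readers know how to write an ipset in the SOURCE column.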
@ -474,6 +494,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
itself or qualified by an address list. This causes marking to itself or qualified by an address list. This causes marking to
occur in the INPUT chain.</para> occur in the INPUT chain.</para>
</listitem> </listitem>
<listitem>
<para><replaceable>address-or-range</replaceable> may include
ipsets.</para>
</listitem>
</orderedlist> </orderedlist>
<para>You may exclude certain hosts from the set already defined <para>You may exclude certain hosts from the set already defined
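Review bot: as for SOURCE, the added DEST item "address-or-range may include ipsets" should name the "+" prefix and the ipset match requirement, matching the blacklist wording elsewhere in this change.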
@ -598,7 +623,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">TEST</emphasis> - [<emphasis <term><emphasis role="bold">TEST</emphasis> (Optional) - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term> role="bold">:C</emphasis>]</term>
@ -665,7 +690,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">TOS</emphasis> - <term><emphasis role="bold">TOS</emphasis> (Optional) -
<emphasis>tos</emphasis></term> <emphasis>tos</emphasis></term>
<listitem> <listitem>
@ -681,7 +706,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONNBYTES</emphasis> - <term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
[!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis [!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
role="bold">B</emphasis>}[:{<emphasis role="bold">B</emphasis>}[:{<emphasis
@ -728,7 +753,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HELPER - <term><emphasis role="bold">HELPER (Optional) -
</emphasis><emphasis>helper</emphasis></term> </emphasis><emphasis>helper</emphasis></term>
<listitem> <listitem>
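Review bot: in the HELPER term the "(Optional) -" sits inside the bold emphasis ("<emphasis role="bold">HELPER (Optional) - </emphasis>"), whereas TEST, TOS and CONNBYTES in this same change put it outside ("<emphasis role="bold">TOS</emphasis> (Optional) -"); move "</emphasis>" to directly after HELPER so all four terms render alike.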
@ -805,10 +830,10 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
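Review bot: this hunk is a whitespace-only re-wrap of the SEE ALSO list, and the rewrapped line still contains "shorewall_interfaces(5)" with an underscore; since the line is changed anyway, correct it to "shorewall-interfaces(5)" to match the other entries.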

View File

@ -38,8 +38,10 @@
<listitem> <listitem>
<para>Host address, network address, MAC address, IP address range <para>Host address, network address, MAC address, IP address range
(if your kernel and ip6tables contain iprange match support) or (if your kernel and ip6tables contain iprange match support) or
ipset name prefaced by "+" (if your kernel supports ipset ipset name prefaced by "+" (if your kernel supports ipset match).
match).</para> Exclusion (<ulink
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
supported.</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a <para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para> separator.</para>
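Review bot: the added sentence links to shorewall6-exclusion(5) from the body, so check that the SEE ALSO section of this manpage lists shorewall6-exclusion(5) as well; "Exclusion ... is supported" alone also does not tell the reader which of the listed address forms may carry an exclusion or how it is written, so a short inline example would help.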

View File

@ -117,7 +117,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> - <term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis>[:<emphasis>class</emphasis>]</term> <emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>
<listitem> <listitem>
<para>Name of <emphasis>interface</emphasis>. Each interface may be <para>Name of <emphasis>interface</emphasis>. Each interface may be
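Review bot: the new synopsis interface[[:parent]:class] permits parent only when class is also given; if that restriction is intended, the INTERFACE description should state it and show the three-part form, since this hunk changes only the term line and the following text still describes the two-part one.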
@ -141,7 +141,8 @@
file.</para> file.</para>
<para>Normally, all classes defined here are sub-classes of a root <para>Normally, all classes defined here are sub-classes of a root
class that is implicitly defined from the entry in <ulink class (class number 1) that is implicitly defined from the entry in
<ulink
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
can establish a class hierarchy by specifying a can establish a class hierarchy by specifying a
<emphasis>parent</emphasis> class -- the number of a class that you <emphasis>parent</emphasis> class -- the number of a class that you
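Review bot: documenting the implicit root as "class number 1" raises the question whether a user-defined class may use number 1 or whether it is reserved and rejected; the paragraph should say so explicitly, because the hierarchy text that follows tells users to choose class numbers for the parent column.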
@ -454,8 +455,8 @@
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para> shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

View File

@ -126,7 +126,12 @@
<para>Optional. If given specifies whether the interface is <para>Optional. If given specifies whether the interface is
<emphasis role="bold">external</emphasis> (facing toward the <emphasis role="bold">external</emphasis> (facing toward the
Internet) or <emphasis role="bold">internal</emphasis> (facing Internet) or <emphasis role="bold">internal</emphasis> (facing
toward a local network) and enables SFQ flow classification.</para> toward a local network) and enables SFQ flow classification.
<emphasis role="bold">external</emphasis> causes the traffic
generated by each unique source IP address to be treated as a single
flow. <emphasis role="bold">internal</emphasis> causes the traffic
generated by each unique destination IP address to be treated as a
single flow. </para>
<note> <note>
<para>Simple traffic shaping is only useful on interfaces where <para>Simple traffic shaping is only useful on interfaces where
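Review bot: same remarks as for the IPv4 shorewall-tcinterfaces hunk in this change: the added text ends with a space before "</para>" ("single flow. </para>"), "If given specifies" needs a comma, and the paragraph should state which flow classification is used when the optional value is omitted.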

View File

@ -103,6 +103,10 @@
MARK_IN_FORWARD_CHAIN in <ulink MARK_IN_FORWARD_CHAIN in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Please note that <emphasis role="bold">:I</emphasis> is
included for completeness and affects neither traffic shaping
nor policy routing.</para>
<para>If your kernel and ip6tables include CONNMARK support then <para>If your kernel and ip6tables include CONNMARK support then
you can also mark the connection rather than the packet.</para> you can also mark the connection rather than the packet.</para>
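Review bot: as in the IPv4 tcrules hunk, the new :I paragraph only states what :I does not affect; say what an INPUT-chain mark is for, or cross-reference the CI entry added below in this same file.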
@ -144,6 +148,16 @@
<para>Mark the connection in the POSTROUTING chain</para> <para>Mark the connection in the POSTROUTING chain</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>CI</term>
<listitem>
<para>Mark the connection in the INPUT chain. This option
is included for completeness and has no applicability to
traffic shaping or policy routing.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para><emphasis role="bold">Special considerations for If <para><emphasis role="bold">Special considerations for If
@ -292,11 +306,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
names, IP addresses, MAC addresses and/or subnets for packets being names, IP addresses, MAC addresses and/or subnets for packets being
routed through a common path. List elements may also consist of an routed through a common path. List elements may also consist of an
interface name followed by ":" and an address (e.g., interface name followed by ":" and an address (e.g.,
eth1:&lt;2002:ce7c:92b4::/48&gt;). For example, all packets for eth1:&lt;2002:ce7c:92b4::/48&gt;) or an ipset. For example, all
connections masqueraded to eth0 from other interfaces can be matched packets for connections masqueraded to eth0 from other interfaces
in a single rule with several alternative SOURCE criteria. However, can be matched in a single rule with several alternative SOURCE
a connection whose packets gets to eth0 in a different way, e.g., criteria. However, a connection whose packets gets to eth0 in a
direct from the firewall itself, needs a different rule.</para> different way, e.g., direct from the firewall itself, needs a
different rule.</para>
<para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
own separate rule for packets originating on the firewall. In such a own separate rule for packets originating on the firewall. In such a
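Review bot: "or an ipset" is added to the SOURCE description without the "+" prefix syntax or the ip6tables ipset-match prerequisite that the blacklist wording in this change uses; add them. The re-wrapped context also keeps the grammar slip "a connection whose packets gets to eth0" (should be "get"), which can be fixed since that line is already rewritten.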
@ -330,8 +345,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
addresses and/or subnets. If your kernel and ip6tables include addresses and/or subnets. If your kernel and ip6tables include
iprange match support, IP address ranges are also allowed. List iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;) or an ipset. If
<emphasis role="bold">MARK</emphasis> column specificies a the <emphasis role="bold">MARK</emphasis> column specificies a
classification of the form classification of the form
<emphasis>major</emphasis>:<emphasis>minor</emphasis> then this <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
column may also contain an interface name.</para> column may also contain an interface name.</para>
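Review bot: the re-wrapped line keeps the typo "specificies" ("the MARK column specificies a classification"); since the hunk changes this line anyway, correct it to "specifies". As in SOURCE, "or an ipset" should mention the "+" prefix and the ipset match requirement.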
@ -452,7 +467,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">TEST</emphasis> - [<emphasis <term><emphasis role="bold">TEST</emphasis>(Optional) - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term> role="bold">:C</emphasis>]</term>
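Review bot: "TEST</emphasis>(Optional)" has no space between the closing emphasis and "(Optional)", unlike the IPv4 counterpart and the TOS and CONNBYTES terms in this change, which read "</emphasis> (Optional) -"; insert the space.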
@ -519,7 +534,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">TOS</emphasis> - <term><emphasis role="bold">TOS</emphasis> (Optional) -
<emphasis>tos</emphasis></term> <emphasis>tos</emphasis></term>
<listitem> <listitem>
@ -535,7 +550,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CONNBYTES</emphasis> - <term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
[!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis [!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
role="bold">B</emphasis>}[:{<emphasis role="bold">B</emphasis>}[:{<emphasis
@ -582,7 +597,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HELPER - <term><emphasis role="bold">HELPER (Optional) -
</emphasis><emphasis>helper</emphasis></term> </emphasis><emphasis>helper</emphasis></term>
<listitem> <listitem>
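Review bot: as in the IPv4 file, the HELPER term places "(Optional) -" inside the bold emphasis ("<emphasis role="bold">HELPER (Optional) - </emphasis>") while the other terms put it outside; close the emphasis right after HELPER for consistent rendering.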