diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/changelog.txt shorewall-4.4.5/changelog.txt
--- shorewall-4.4.4/changelog.txt 2009-11-21 07:54:42.000000000 -0800
+++ shorewall-4.4.5/changelog.txt 2009-12-19 07:35:30.000000000 -0800
@@ -1,3 +1,33 @@
+Changes in Shorewall 4.4.5
+
+1) Fix 15-port limit removal change.
+
+2) Fix handling of interfaces with the 'bridge' option.
+
+3) Generate error for port number 0
+
+4) Allow zone::serverport in rules DEST column.
+
+5) Fix 'show policies' in Shorewall6.
+
+6) Auto-load tc modules.
+
+7) Allow LOGFILE=/dev/null
+
+8) Fix shorewall6-lite/shorecap
+
+9) Fix MODULE_SUFFIX.
+
+10) Fix ENHANCED_REJECT detection for IPv4.
+
+11) Fix DONT_LOAD vs 'reload -c'
+
+12) Fix handling of SOURCE and DEST vs macros.
+
+13) Remove silly logic in expand_rule().
+
+14) Add current and limit to Conntrack Table Heading.
+
 Changes in Shorewall 4.4.4
 
 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/install.sh shorewall-4.4.5/install.sh
--- shorewall-4.4.4/install.sh 2009-11-21 07:54:42.000000000 -0800
+++ shorewall-4.4.5/install.sh 2009-12-19 07:35:30.000000000 -0800
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4
+VERSION=4.4.5
 
 usage() # $1 = exit status
 {
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/known_problems.txt shorewall-4.4.5/known_problems.txt
--- shorewall-4.4.4/known_problems.txt 2009-11-21 07:54:42.000000000 -0800
+++ shorewall-4.4.5/known_problems.txt 2009-12-19 07:35:30.000000000 -0800
@@ -1 +1 @@
-There are no known problems in Shorewall version 4.4.3
+There are no known problems in Shorewall version 4.4.5
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/lib.base shorewall-4.4.5/lib.base
--- shorewall-4.4.4/lib.base 2009-11-21 07:54:42.000000000 -0800
+++ shorewall-4.4.5/lib.base 2009-12-19 07:35:30.000000000 -0800
@@ -220,7 +220,7 @@ [ -z "$MODULESDIR" ] && \ uname=$(uname -r) && \ - MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset + MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset MODULES=$(lsmod | cut -d ' ' -f1) @@ -259,7 +259,7 @@ [ -z "$MODULESDIR" ] && \ uname=$(uname -r) && \ - MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset + MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/lib.cli shorewall-4.4.5/lib.cli --- shorewall-4.4.4/lib.cli 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/lib.cli 2009-12-19 07:35:30.000000000 -0800 @@ -453,7 +453,9 @@ case "$1" in connections) [ $# -gt 1 ] && usage 1 - echo "$PRODUCT $version Connections at $HOSTNAME - $(date)" + local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) + local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) + echo "$PRODUCT $version Connections ($count out of $max) at $HOSTNAME - $(date)" echo [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack ;; 
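Review bot: The two new reads `local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)` and `local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)` in the `connections` case assume the nf_conntrack sysctls exist, yet the context line right after them still falls back to `/proc/net/ip_conntrack` for kernels running the legacy ip_conntrack module, which exposes these counters under `/proc/sys/net/ipv4/netfilter/ip_conntrack_count` and `ip_conntrack_max` instead; on such a kernel both `cat` calls print an error and the heading reads `( out of )`. Mirror the existing fallback, e.g. `local count; count=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count 2>/dev/null)` and likewise for `max`; splitting `local` from the assignment also keeps `local` from masking the read failure. The identical pair of lines is repeated in the `dump` path later in this patch, so a small shared helper in lib.cli would keep the two in step. The enclosing `case` statement continues outside the hunk.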
@@ -728,7 +730,10 @@ heading "Raw Table" $IPTABLES -t raw -L $IPT_OPTIONS - heading "Conntrack Table" + local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count) + local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) + + heading "Conntrack Table ($count out of $max)" [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack heading "IP Configuration" diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/Perl/prog.footer6 shorewall-4.4.5/Perl/prog.footer6 --- shorewall-4.4.4/Perl/prog.footer6 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/Perl/prog.footer6 2009-12-19 07:35:30.000000000 -0800 @@ -79,7 +79,7 @@ [ -n "${PRODUCT:=Shorewall6}" ] -kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1) +kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) if [ $kernel -lt 20624 ]; then error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later" status=2 diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/Perl/prog.header shorewall-4.4.5/Perl/prog.header --- shorewall-4.4.4/Perl/prog.header 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/Perl/prog.header 2009-12-19 07:35:30.000000000 -0800 @@ -255,7 +255,7 @@ [ -z "$MODULESDIR" ] && \ uname=$(uname -r) && \ - MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset + MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset MODULES=$(lsmod | cut -d ' ' -f1) 
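Review bot: The rewritten `kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed ...))` in prog.footer6 still has no check that the `sed` substitution matched, so a release string with fewer than three dotted numbers, or an empty one when `uname` fails, hands printf a non-integer; given how bash's printf treats bad `%d` arguments the result appears to be a zero value that trips the "requires Linux kernel 2.6.24 or later" error with a misleading reason. The `%2d` also leaves a leading space in `$kernel`, which only works because `[ $kernel -lt 20624 ]` leaves the variable unquoted. Suggest `%d%02d%02d` plus a guard before the numeric compare such as `case $kernel in ''|*[!0-9]*) error_message "ERROR: Cannot determine kernel version from $(uname -r)"; status=2;; esac`, reusing the `error_message`/`status=2` convention the hunk already shows. The `if` that consumes `$kernel` continues outside the hunk.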
@@ -294,7 +294,7 @@ [ -z "$MODULESDIR" ] && \ uname=$(uname -r) && \ - MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset + MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/Perl/prog.header6 shorewall-4.4.5/Perl/prog.header6 --- shorewall-4.4.4/Perl/prog.header6 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/Perl/prog.header6 2009-12-19 07:35:30.000000000 -0800 @@ -268,7 +268,7 @@ [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] - [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter + [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/ MODULES=$(lsmod | cut -d ' ' -f1) for directory in $(split $MODULESDIR); do 
@@ -304,7 +304,7 @@ [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ] [ -z "$MODULESDIR" ] && \ - MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter + MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/ for directory in $(split $MODULESDIR); do [ -d $directory ] && moduledirectories="$moduledirectories $directory" diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/Perl/Shorewall/Actions.pm shorewall-4.4.5/Perl/Shorewall/Actions.pm --- shorewall-4.4.4/Perl/Shorewall/Actions.pm 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/Perl/Shorewall/Actions.pm 2009-12-19 07:35:30.000000000 -0800 @@ -3,7 +3,7 @@ # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # -# (c) 2007,2008 - Tom Eastep (teastep@shorewall.net) +# (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # @@ -57,7 +57,7 @@ $macro_commands ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.4_2'; +our $VERSION = '4.4_5'; # # Used Actions. Each action that is actually used has an entry with value 1. @@ -213,7 +213,7 @@ if ( $invocation ) { if ( $body ) { return $body if $invocation eq '-'; - return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/; + return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~{cmdlevel}; - for ( @_ ) { - push @{$chainref->{rules}}, join ('', $indentation , $_ ); - } + push @{$chainref->{rules}}, join ('', $indentation , $_ ) for @_; $chainref->{referenced} = 1; } @@ -2753,10 +2751,8 @@ add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG'; } else { # - # No exclusions -- save original chain + # No exclusions # - my $savechainref = $chainref; - for my $onet ( mysplit $onets ) { $onet = match_orig_dest $onet; for my $inet ( mysplit $inets ) { 
@@ -2765,11 +2761,6 @@ $source_match = match_source_net( $inet, $restriction ) if $capabilities{KLUDGEFREE}; for my $dnet ( mysplit $dnets ) { - # - # Restore original Chain - # - $chainref = $savechainref; - $source_match = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE}; my $dest_match = match_dest_net( $dnet ); my $predicates = join( '', $rule, $source_match, $dest_match, $onet ); @@ -2790,7 +2781,7 @@ # log_rule_limit( $loglevel , - $chainref = $logchainref , + $logchainref , $chain , $disposition , '', @@ -2798,7 +2789,7 @@ 'add', '' ); - add_rule( $chainref, $exceptionrule . $target ); + add_rule( $logchainref, $exceptionrule . $target ); } else { log_rule_limit( $loglevel , diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/Perl/Shorewall/Config.pm shorewall-4.4.5/Perl/Shorewall/Config.pm --- shorewall-4.4.4/Perl/Shorewall/Config.pm 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/Perl/Shorewall/Config.pm 2009-12-19 07:35:30.000000000 -0800 @@ -127,7 +127,7 @@ Exporter::export_ok_tags('internal'); -our $VERSION = '4.4_4'; +our $VERSION = '4.4_5'; # # describe the current command, it's present progressive, and it's completion. @@ -327,7 +327,7 @@ TC_SCRIPT => '', EXPORT => 0, UNTRACKED => 0, - VERSION => "4.4.4", + VERSION => "4.4.5", CAPVERSION => 40402 , ); @@ -1908,7 +1908,7 @@ close LSMOD; - $config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX}; + $config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX}; my @suffixes = split /\s+/ , $config{MODULE_SUFFIX}; 
@@ -2029,7 +2029,13 @@ $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" ); $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH}; $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); - $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" ); + + if ( $family == F_IPV6 ) { + $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" ); + } else { + $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" ); + } + $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ); diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/Perl/Shorewall/IPAddrs.pm shorewall-4.4.5/Perl/Shorewall/IPAddrs.pm --- shorewall-4.4.4/Perl/Shorewall/IPAddrs.pm 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/Perl/Shorewall/IPAddrs.pm 2009-12-19 07:35:30.000000000 -0800 @@ -72,7 +72,7 @@ validate_icmp6 ); our @EXPORT_OK = qw( ); -our $VERSION = '4.4_1'; +our $VERSION = '4.4_5'; # # Some IPv4/6 useful stuff @@ -302,7 +302,7 @@ my $value; if ( $port =~ /^(\d+)$/ ) { - return $port if $port <= 65535; + return $port if $port && $port <= 65535; } else { $proto = proto_name $proto if $proto =~ /^(\d+)$/; $value = getservbyname( $port, $proto ); 
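Review bot: `return $port if $port && $port <= 65535;` in IPAddrs.pm rejects port 0 only through Perl string truthiness, so the spellings `00`, `000` or `0000` (true as strings, numerically zero) still pass and reach the generated iptables rules, contradicting the changelog's "error for port number 0 in all contexts". Compare numerically instead: `return $port if $port > 0 && $port <= 65535;` — the surrounding `/^(\d+)$/` test already guarantees the value is all digits, so no numeric warning can result. What happens to a rejected `0` after the `if`/`else` is outside the hunk, so whether the user then sees a port-specific message cannot be checked here.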
@@ -485,16 +485,16 @@ return 0 unless ( @address == $max ) || $address =~ /::/; return 0 if $address =~ /:::/ || $address =~ /::.*::/; - if ( $address =~ /^:/ ) { - unless ( $address eq '::' ) { - return 0 if $address =~ /:$/ || $address =~ /^:.*::/; - } - } elsif ( $address =~ /:$/ ) { - return 0 if $address =~ /::.*:$/; + unless ( $address =~ /^::/ ) { + return 0 if $address =~ /^:/; } + unless ( $address =~ /::$/ ) { + return 0 if $address =~ /:$/; + } + for my $a ( @address ) { - return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 ); + return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 ); } 1; @@ -543,13 +543,27 @@ sub normalize_6addr( $ ) { my $addr = shift; - while ( $addr =~ tr/:/:/ < 6 ) { - $addr =~ s/::/:0::/; - } + if ( $addr eq '::' ) { + '0:0:0:0:0:0:0:0'; + } else { + # + # Suppress leading zeros + # + $addr =~ s/^0+//; + $addr =~ s/:0+/:/g; + $addr =~ s/^:/0:/; + $addr =~ s/:$/:0/; - $addr =~ s/::/:0:/; + $addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7; + # + # Note: "s/::/:0:/g" doesn't work here + # + 1 while $addr =~ s/::/:0:/; - $addr; + $addr =~ s/^0+:/0:/; + + $addr; + } } sub validate_6range( $$ ) { @@ -573,7 +587,7 @@ } sub validate_6host( $$ ) { - my ( $host, $allow_name ) = $_[0]; + my ( $host, $allow_name ) = @_; if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) { validate_6range $1, $2; diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/Perl/Shorewall/Rules.pm shorewall-4.4.5/Perl/Shorewall/Rules.pm --- shorewall-4.4.4/Perl/Shorewall/Rules.pm 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/Perl/Shorewall/Rules.pm 2009-12-19 07:35:30.000000000 -0800 @@ -46,7 +46,7 @@ compile_stop_firewall ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = '4.4_4'; +our $VERSION = '4.4_5'; # # Set to one if we find a SECTION 
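Review bot: The kept hex test `$a =~ /^[a-fA-f\d]+$/` uses the range `A-f` (ASCII 65–102) rather than `A-F`, so it also admits `G`–`Z`, `[`, `\`, `]`, `^`, `_` and the backtick; a group such as `GGGG` now satisfies both that test and the new `length $a < 5` test and the address is reported valid. The defect predates this commit, but the old `oct "0x$a" < 65536` check happened to let such groups through as well (oct stops at the first non-hex digit and yields 0), and the rewrite keeps the bad character class while dropping the numeric check that might otherwise have been fixed. Replace the line with `return 0 unless $a eq '' || $a =~ /^[0-9a-fA-F]{1,4}$/;`, which corrects the class, pins `\d` to ASCII digits and subsumes the length test. The enclosing sub's header and the `@address` split are outside the hunk.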
@@ -322,7 +322,7 @@ $seq++; - my $rule = do_proto( $proto, $ports, $sports, 1 ); + my $rule = do_proto( $proto, $ports, $sports, 0 ); for my $host ( split /,/, $hosts ) { validate_host $host, 1; @@ -949,7 +949,7 @@ } # -# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If +# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. # sub process_rule1 ( $$$$$$$$$$$$$ ) { @@ -960,10 +960,6 @@ my $actionchainref; my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0; - unless ( defined $param ) { - ( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/; - } - $param = '' unless defined $param; # @@ -972,7 +968,7 @@ my $actiontype = $targets{$basictarget} || find_macro( $basictarget ); if ( $config{ MAPOLDACTIONS } ) { - ( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless ( $actiontype || $param ); + ( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param; } fatal_error "Unknown action ($action)" unless $actiontype; @@ -1092,7 +1088,7 @@ $destref = defined_zone( $destzone ); if ( $destref ) { - warning_message "Destination zone ($destzone) ignored"; + warning_message "The destination zone ($destzone) is ignored in $log_action rules"; } else { $dest = join ':', $destzone, $dest; $destzone = ''; @@ -1133,6 +1129,9 @@ } $chain = rules_chain( ${sourcezone}, ${destzone} ); + # + # Ensure that the chain exists but don't mark it as referenced until after optimization is checked + # $chainref = ensure_chain 'filter', $chain; $policy = $chainref->{policy}; 
@@ -1237,10 +1236,10 @@ $origdest = ALLIP; } } - } else { - fatal_error "A server must be specified in the DEST column in $action rules" if $server eq ''; - - if ( $server =~ /^(.+)-(.+)$/ ) { + } else { + if ( $server eq '' ) { + fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport; + } elsif ( $server =~ /^(.+)-(.+)$/ ) { validate_range( $1, $2 ); } else { my @servers = validate_address $server, 1; @@ -1249,9 +1248,13 @@ if ( $action eq 'DNAT' ) { $target = '-j DNAT '; - $serverport = ":$serverport" if $serverport; - for my $serv ( split /,/, $server ) { - $target .= "--to-destination ${serv}${serverport} "; + if ( $server ) { + $serverport = ":$serverport" if $serverport; + for my $serv ( split /,/, $server ) { + $target .= "--to-destination ${serv}${serverport} "; + } + } else { + $target .= "--to-destination :$serverport "; } } @@ -1986,8 +1989,9 @@ next if $hostref->{options}{sourceonly}; if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) { my $ipsec_out_match = match_ipsec_out $zone1 , $hostref; + my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain); for my $net ( @{$hostref->{hosts}} ) { - add_jump $frwd_ref, dest_exclusion( $hostref->{exclusions}, $chain), 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ); + add_jump $frwd_ref, $dest_exclusion, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match ); } } } @@ -2028,6 +2032,7 @@ for my $host1ref ( @$array1ref ) { next if $host1ref->{options}{sourceonly}; my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref; + my $dest_exclusion = dest_exclusion( $host1ref->{exclusions}, $chain ); for my $net1 ( @{$host1ref->{hosts}} ) { unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) { # 
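Review bot: The new port-only target `$target .= "--to-destination :$serverport ";` applies to every destination the rule matches, including the firewall's own addresses, and nothing in this hunk warns about that case even though the release-notes text in this same patch tells users to exclude the firewall via ORIGINAL DEST; the packet is re-addressed but, as the notes say, no loc→$FW ACCEPT is generated, so it silently falls to policy. A compile-time hint would catch the omission, along the lines of `warning_message "DNAT rule with no server also rewrites traffic addressed to the firewall; consider specifying ORIGINAL DEST" if $server eq '' && <ORIGINAL DEST was blank>;` — the hunk shows `$origdest = ALLIP;` being assigned on one path, so check whatever `$origdest` holds when the column was empty rather than comparing to `''`. It is also worth confirming that `$serverport` was validated as a port or range before being interpolated here and that tcp/udp was required, since iptables only accepts a port-only `--to-destination` for those protocols and the failure would otherwise surface at restore time. The enclosing sub (apparently `process_rule1`, whose header appears in an earlier hunk) starts and ends outside this hunk.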
@@ -2035,7 +2040,7 @@ # add_jump( $excl3ref , - dest_exclusion( $host1ref->{exclusions}, $chain ), + $dest_exclusion, 0, join( '', $match_source_dev, @@ -2316,7 +2321,7 @@ } } else { for my $interface ( all_bridges ) { - emit "do_iptables -A FORWARD -p 58 " . match_source_interface( $interface ) . match_dest_interface( $interface ) . "-j ACCEPT"; + emit "do_iptables -A FORWARD -p 58 " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "-j ACCEPT"; } if ( $config{IP_FORWARDING} eq 'on' ) { diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/Perl/Shorewall/Tc.pm shorewall-4.4.5/Perl/Shorewall/Tc.pm --- shorewall-4.4.4/Perl/Shorewall/Tc.pm 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/Perl/Shorewall/Tc.pm 2009-12-19 07:35:30.000000000 -0800 @@ -40,7 +40,7 @@ our @ISA = qw(Exporter); our @EXPORT = qw( setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = '4.4_4'; +our $VERSION = '4.4_5'; our %tcs = ( T => { chain => 'tcpost', connmark => 0, @@ -651,7 +651,7 @@ $markval = numeric_value( $mark ); fatal_error "Invalid MARK ($markval)" unless defined $markval; - fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0xffff : 0xff ); + fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0x3fff : 0xff ); if ( $classnumber ) { fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber}; diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/releasenotes.txt shorewall-4.4.5/releasenotes.txt --- shorewall-4.4.4/releasenotes.txt 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/releasenotes.txt 2009-12-19 07:35:30.000000000 -0800 @@ -1,4 +1,4 @@ -Shorewall 4.4.4 +Shorewall 4.4.5 ---------------------------------------------------------------------------- R E L E A S E 4 . 4 H I G H L I G H T S 
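Review bot: In Tc.pm the ceiling for WIDE_TC_MARKS marks drops from `0xffff` to `0x3fff` without a comment saying why, and the error `"Invalid Mark ($mark)"` does not state the limit, so a tcclasses file that compiled under 4.4.4 now fails with a message giving no clue that the top two bits have become reserved. Add a why-comment above the line (presumably the upper bits of the 16-bit mark are needed elsewhere, e.g. for class numbering — confirm) and put the bound in the message: `fatal_error "Invalid Mark ($mark) -- maximum is " . ( $config{WIDE_TC_MARKS} ? '0x3fff' : '0xff' );`. Since this is a behaviour change for existing configurations it also belongs in the release notes' problems-corrected list, which this patch does not mention it in. The surrounding sub starts and ends outside the hunk.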
@@ -169,46 +169,46 @@ now, if the zone has :0.0.0.0/0 (even with exclusions), then it may have no additional members in /etc/shorewall/hosts. -13) Because the 'track' provider option is so useful, it is now the - default. If, for some reason, you don't want 'track' then specify - 'notrack' for the provider. - ---------------------------------------------------------------------------- - P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 + P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 ---------------------------------------------------------------------------- -1) In some simple one-interface configurations, the following Perl - run-time error messages were issued: +1) The change which removed the 15 port limitation on + /etc/shorewall/routestopped was incomplete. The result was that if + more than 15 ports were listed, an error was generated. - Generating Rule Matrix... - Use of uninitialized value in concatenation (.) or string at - /usr/share/shorewall/Shorewall/Chains.pm line 649. - Use of uninitialized value in concatenation (.) or string at - /usr/share/shorewall/Shorewall/Chains.pm line 649. - Creating iptables-restore input... +2) If any interfaces had the 'bridge' option specified, compilation + failed with the error: -2) The Shorewall operations log (specified by STARTUP_LOG) is now - secured 0600. + Undefined subroutine &Shorewall::Rules::match_source_interface called + at /usr/share/shorewall/Shorewall/Rules.pm line 2319. -3) Previously, the compiler generated an incorrect test for interface - availability in the generated code for adding route rules. The - result was that the rules were always added, regardless of the - state of the provider's interface. Now, the rules are only added - when the interface is available. +3) The compiler now flags port number 0 as an error in all + contexts. Previously, port 0 was allowed with the result that + invalid iptables-restore input could be generated in some cases. 
-4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly - specified in /etc/shorewall/tcclasses, duplicate class numbers - result. A typical error message is: +4) The 'show policies' command now works in Shorewall6 and + Shorewall6-lite. - ERROR: Command "tc class add dev eth3 parent 1:1 classid - 1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500" - Failed +5) Traffic shaping modules from /lib/modules//net/sched/ are + now correctly loaded. Previously, that directory was not + searched. Additionally, Shorewall6 now tries to load the cls_flow + module; previously, only Shorewall attempts to load that module. - Note that the class ID of the class being added is a duplicate of - the parent's class ID. +6) The Shorewall6-lite shorecap program was previously including the + IPv4 base library rather than the IPv6 version. Also, Shorewall6 + capability detection was determing the availablity of the mangle + capability before it had determined if ip6tables was installed. - Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of - /etc/shorewall/tcclasses were rejected. +7) The setting of MODULE_SUFFIX was previously ignored except when + compiling for export. + +8) Detection of the Enhanced Reject capability in the compiler was + broken for IPv4 compilations. + +9) The 'reload -c' command would ignore the setting of DONT_LOAD in + shorewall.conf. The 'reload' command without '-c' worked as + expected. ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G 
@@ -217,103 +217,37 @@ None. ---------------------------------------------------------------------------- - N E W F E A T U R E S I N 4 . 4 . 4 + N E W F E A T U R E S I N 4 . 4 . 5 ---------------------------------------------------------------------------- -1) The Shorewall packages now include a logrotate configuration file. +1) Shorewall now allows DNAT rules that change only the destination + port. -2) The limit of 15 entries in a port list has been relaxed in - /etc/shorewall/routestopped. - -3) The following seemingly valid configuration produces a fatal - error reporting "Duplicate interface name (p+)" - - /etc/shorewall/zones: - - #ZONE TYPE - fw firewall - world ipv4 - z1:world bport4 - z2:world bport4 - - /etc/shorewall/interfaces: - - #ZONE INTERFACE BROADCAST OPTIONS - world br0 - bridge - world br1 - bridge - z1 br0:p+ - z2 br1:p+ - - This error occurs because the Shorewall implementation requires - that each bridge port must have a unique name. - - To work around this problem, a new 'physical' interface option has - been created. The above configuration may be defined using the - following in /etc/shorewall/interfaces: - - #ZONE INTERFACE BROADCAST OPTIONS - world br0 - bridge - world br1 - bridge - z1 br0:x+ - physical=p+ - z2 br1:y+ - physical=p+ - - In this configuration, 'x+' is the logical name for ports p+ on - bridge br0 while 'y+' is the logical name for ports p+ on bridge - br1. - - If you need to refer to a particular port on br1 (for example - p1023), you write it as y1023; Shorewall will translate that name - to p1023 when needed. - - It is allowed to have a physical name ending in '+' with a logical - name that does not end with '+'. The reverse is not allowed; if the - logical name ends in '+' then the physical name must also end in - '+'. - - This feature is not restricted to bridge ports. 
Beginning with this - release, the interface name in the INTERFACE column can be - considered a logical name for the interface, and the actual - interface name is specified using the 'physical' option. If no - 'physical' option is present, then the physical name is assumed to - be the same as the logical name. As before, the logical interface - name is used throughout the rest of the configuration to refer to - the interface. - -4) Previously, Shorewall has used the character '2' to form the name - of chains involving zones and/or the word 'all' (e.g., fw2net, - all2all). When zones names are given numeric suffixes, these - generated names are hard to read (e.g., foo1232bar). To make these - names clearer, a ZONE2ZONE option has been added. - - ZONE2ZONE has a default value of "2" but can also be given the - value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate - the two parts of the name with a hyphen (e.g., foo123-bar). - -5) Only one instance of the following warning is now generated; - previously, one instance of a similar warning was generated for - each COMMENT encountered. + Example: - COMMENTs ignored -- require comment support in iptables/Netfilter + DNAT loc net::456 udp 234 -6) The shorewall and shorewall6 utilities now support a 'show - policies' command. Once Shorewall or Shorewall6 has been restarted - using a script generated by this version, the 'show policies' - command will list each pair of zones and give the applicable - policy. If the policy is enforced in a chain, the name of the chain - is given. + That rule will modify the destination port in UDP packets received + from the 'loc' zone from 456 to 234. Note that if the destination + is the firewall itself, then the destination port will be rewritten + but that no ACCEPT rule from the loc zone to the $FW zone will have + been created to handle the request. So such rules should probably + exclude the firewall's IP addresses in the ORIGINAL DEST column. 
+ +2) Systems that do not log Netfilter messages locally can now set + LOGFILE=/dev/null in shorewall.conf. + +3) The 'shorewall show connections' and 'shorewall dump' commands now + display the current number of connections and the max supported + connections. Example: - net => loc DROP using chain net2all - - Note that implicit intrazone ACCEPT policies are not displayed for - zones associated with a single network where that network - doesn't specify 'routeback'. - -7) The 'show' and 'dump' commands now support an '-l' option which - causes chain displays to include the rule number of each rule. + shorewall show connections + Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ... - (Type 'iptables -h' and look for '--line-number') + In that case, there were 62 current connections out of a maximum + number supported of 65536. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 
@@ -965,6 +899,89 @@ ip6tables in the same directory as the discovered iptables will be used. +28) A 'flow=' option has been added to the + /etc/shorewall/tcclasses OPTIONS column. + + Shorewall attaches an SFQ queuing discipline to each leaf HTB + and HFSC class. SFQ ensures that each flow gets equal access to the + interface. The default definition of a flow corresponds roughly to + a Netfilter connection. So if one internal system is running + BitTorrent, for example, it can have lots of 'flows' and can thus + take up a larger share of the bandwidth than a system having only a + single active connection. The flow classifier (module cls_flow) + works around this by letting you define what a 'flow' is. + + The clasifier must be used carefully or it can block off all + traffic on an interface! + + The flow option can be specified for an HTB or HFSC leaf class (one + that has no sub-classes). We recommend that you use the following: + + Shaping internet-bound traffic: flow=nfct-src + Shaping traffic bound for your local net: flow=dst + + These will cause a 'flow' to consists of the traffic to/from each + internal system. + + When more than one key is give, they must be enclosed in + parenthesis and separated by commas. + + To see a list of the possible flow keys, run this command: + + tc filter add flow help + + Those that begin with "nfct-" are Netfilter connection tracking + fields. As shown above, we recommend flow=nfct-src; that means that + we want to use the source IP address before SNAT as the key. + + Note: Shorewall cannot determine ahead of time if the flow + classifier is available in your kernel (especially if it was built + into the kernel as opposed to being loaded as a + module). Consequently, you should check ahead of time to ensure + that both your kernel and 'tc' utility support the feature. + + You can test the 'tc' utility by typing (as root): + + tc filter add flow help + + If flow is supported, you will see: + + Usage: ... flow ... 
+ + [mapping mode]: map key KEY [ OPS ] ... + [hashing mode]: hash keys KEY-LIST ... + + ... + + If flow is not supported, you will see: + + Unknown filter "flow", hence option "help" is unparsable + + If your kernel supports module autoloading, just type (as root): + + modprobe cls_flow + + If 'flow' is supported, no output is produced; otherwise, you will + see: + + FATAL: Module cls_flow not found. + + If your kernel is not modularized or does not support module + autoloading, look at your kernel configuration (either + /proc/config.gz or the .config file in + /lib/modules//build/ + + If 'flow' is supported, you will see: + + NET_CLS_FLOW=m + + or + + NET_CLS_FLOW=y + + For modularized kernels, Shorewall will attempt to load + /lib/modules//net/sched/cls_flow.ko by default. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 ---------------------------------------------------------------------------- 
@@ -1215,3 +1232,138 @@ exceeding this limit are dropped. The default value is 127 which is the value that earlier versions of Shorewall used. The option is ignored with a warning if the 'pfifo' option has been specified. +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 +---------------------------------------------------------------------------- + +1) In some simple one-interface configurations, the following Perl + run-time error messages were issued: + + Generating Rule Matrix... + Use of uninitialized value in concatenation (.) or string at + /usr/share/shorewall/Shorewall/Chains.pm line 649. + Use of uninitialized value in concatenation (.) or string at + /usr/share/shorewall/Shorewall/Chains.pm line 649. + Creating iptables-restore input... + +2) The Shorewall operations log (specified by STARTUP_LOG) is now + secured 0600. + +3) Previously, the compiler generated an incorrect test for interface + availability in the generated code for adding route rules. The + result was that the rules were always added, regardless of the + state of the provider's interface. Now, the rules are only added + when the interface is available. + +4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly + specified in /etc/shorewall/tcclasses, duplicate class numbers + result. A typical error message is: + + ERROR: Command "tc class add dev eth3 parent 1:1 classid + 1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500" + Failed + + Note that the class ID of the class being added is a duplicate of + the parent's class ID. + + Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of + /etc/shorewall/tcclasses were rejected. + +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 
4 +---------------------------------------------------------------------------- + +1) The Shorewall packages now include a logrotate configuration file. + +2) The limit of 15 entries in a port list has been relaxed in + /etc/shorewall/routestopped. + +3) The following seemingly valid configuration produces a fatal + error reporting "Duplicate interface name (p+)" + + /etc/shorewall/zones: + + #ZONE TYPE + fw firewall + world ipv4 + z1:world bport4 + z2:world bport4 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + world br0 - bridge + world br1 - bridge + z1 br0:p+ + z2 br1:p+ + + This error occurs because the Shorewall implementation requires + that each bridge port must have a unique name. + + To work around this problem, a new 'physical' interface option has + been created. The above configuration may be defined using the + following in /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + world br0 - bridge + world br1 - bridge + z1 br0:x+ - physical=p+ + z2 br1:y+ - physical=p+ + + In this configuration, 'x+' is the logical name for ports p+ on + bridge br0 while 'y+' is the logical name for ports p+ on bridge + br1. + + If you need to refer to a particular port on br1 (for example + p1023), you write it as y1023; Shorewall will translate that name + to p1023 when needed. + + It is allowed to have a physical name ending in '+' with a logical + name that does not end with '+'. The reverse is not allowed; if the + logical name ends in '+' then the physical name must also end in + '+'. + + This feature is not restricted to bridge ports. Beginning with this + release, the interface name in the INTERFACE column can be + considered a logical name for the interface, and the actual + interface name is specified using the 'physical' option. If no + 'physical' option is present, then the physical name is assumed to + be the same as the logical name. 
As before, the logical interface + name is used throughout the rest of the configuration to refer to + the interface. + +4) Previously, Shorewall has used the character '2' to form the name + of chains involving zones and/or the word 'all' (e.g., fw2net, + all2all). When zones names are given numeric suffixes, these + generated names are hard to read (e.g., foo1232bar). To make these + names clearer, a ZONE2ZONE option has been added. + + ZONE2ZONE has a default value of "2" but can also be given the + value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate + the two parts of the name with a hyphen (e.g., foo123-bar). + +5) Only one instance of the following warning is now generated; + previously, one instance of a similar warning was generated for + each COMMENT encountered. + + COMMENTs ignored -- require comment support in iptables/Netfilter + +6) The shorewall and shorewall6 utilities now support a 'show + policies' command. Once Shorewall or Shorewall6 has been restarted + using a script generated by this version, the 'show policies' + command will list each pair of zones and give the applicable + policy. If the policy is enforced in a chain, the name of the chain + is given. + + Example: + + net => loc DROP using chain net2all + + Note that implicit intrazone ACCEPT policies are not displayed for + zones associated with a single network where that network + doesn't specify 'routeback'. + +7) The 'show' and 'dump' commands now support an '-l' option which + causes chain displays to include the rule number of each rule. + + (Type 'iptables -h' and look for '--line-number') diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/shorewall shorewall-4.4.5/shorewall --- shorewall-4.4.4/shorewall 2009-11-21 07:54:42.000000000 -0800 +++ shorewall-4.4.5/shorewall 2009-12-19 07:35:30.000000000 -0800 
@@ -73,7 +73,7 @@
 
 if [ -n "$(syslog_circular_buffer)" ]; then
 LOGREAD="logread | tac"
- elif [ -f $LOGFILE ]; then
+ elif [ -r $LOGFILE ]; then
 LOGREAD="tac $LOGFILE"
 else
 echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -1231,8 +1231,10 @@
 ensure_config_path
 fi
 
+ [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
 progress_message "Getting Capabilities on system $system..."
- if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
+ if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 fatal_error "ERROR: Capturing capabilities on system $system failed"
 fi
 fi
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/shorewall.spec shorewall-4.4.5/shorewall.spec
--- shorewall-4.4.4/shorewall.spec 2009-11-21 07:54:42.000000000 -0800
+++ shorewall-4.4.5/shorewall.spec 2009-12-19 07:35:30.000000000 -0800
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.4.4
+%define version 4.4.5
 %define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -106,7 +106,9 @@
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0Beta2
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.4/uninstall.sh shorewall-4.4.5/uninstall.sh
--- shorewall-4.4.4/uninstall.sh 2009-11-21 07:54:42.000000000 -0800
+++ shorewall-4.4.5/uninstall.sh 2009-12-19 07:35:30.000000000 -0800
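Review bot: The diagnostic on the `else` branch no longer matches the condition it follows: `-r` is false both when LOGFILE is missing and when it exists but the invoking user cannot read it, yet the message still reports "does not exist!", which will send an operator looking for the wrong cause. Suggest `echo "LOGFILE ($LOGFILE) does not exist or is not readable!" >&2`, and while touching the test, quote the expansion, `elif [ -r "$LOGFILE" ]; then`, so a path containing whitespace cannot split the `[` arguments. The if/elif chain this line belongs to starts before the hunk.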
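Review bot: DONT_LOAD is expanded unquoted in `echo $DONT_LOAD`, so a comma-separated list containing a glob character is matched against the local working directory before `tr` sees it, and the translated result is then spliced into the double-quoted command string handed to rsh_command, where the remote shell presumably re-parses any `$`, backquote or `"` it contains. The value presumably comes from the local configuration, so this is a robustness point rather than an exposure, but `DONT_LOAD="$(printf '%s' "$DONT_LOAD" | tr ',' ' ')"` removes the local split-and-glob, and writing the remote assignment as `DONT_LOAD='$DONT_LOAD'` keeps `$` and `"` literal on the remote side (a single quote in the value would still need escaping). The same embedding already exists for MODULESDIR and IPTABLES on the unchanged part of that line, so a shared quoting helper would cover all three. The function containing this code starts before the hunk.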
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4
+VERSION=4.4.5
 
 usage() # $1 = exit status
 {