On 09/04/2012 03:30 PM, Mr Dash Four wrote:
>
>> 1) When the new shorewallrc file was installed (such as from the RPM),
>> VARDIR was being interpreted the same as VARLIB in the CLI. In
>> a generated script, VARDIR was being set to $VARDIR/$PRODUCT.
> This now works as expected. However, when I execute "shorewall compile" or
> "shorewall compile test" both routestopped and stoppedrules files are
> ignored. In the resulting firewall script I have this instead:
> this is very hard to explain: Here's the output that I get, with or
> without the "routestopped" file present:
> #
> # Generated by Shorewall 4.5.8-Beta2 - Tue Sep 4 15:49:41 2012
> #
> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -p 41 -i eth1 -j NOTRACK
> -A OUTPUT -p 41 -o eth1 -j NOTRACK
> COMMIT
> *rawpost
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -s 172.20.1.0/24 -i eth2 -j ACCEPT
> -A INPUT -p 41 -i eth1 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p udp --dport 67:68 -i eth2 -j ACCEPT
> -A INPUT -p udp --dport 67:68 -i eth0 -j ACCEPT
> -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p udp --dport 67:68 -i eth2 -o eth2 -j ACCEPT
> -A FORWARD -p udp --dport 67:68 -i eth0 -o eth0 -j ACCEPT
> COMMIT
>
> Again, I *do* have rules in the new stoppedrules file, though my routestopped
> file is non-existent. My config path is
> "${CONFDIR}/shorewall:${SHAREDIR}/shorewall" (routestopped isn't present in
> either of these locations, only stoppedrules is in ${CONFDIR}/shorewall).
>
When compiling, do you see the line of output flagged below:
Optimizing Ruleset...
Creating iptables-restore input...
Compiling /etc/shorewall/stoppedrules... <===============
Shorewall configuration compiled to /var/lib/shorewall/firewall
>>
>> 1) Both the "routestopped" and "stoppedrules" file are being processed
>> currently and in that order. It would be more appropriate to
>> process "stoppedrules" first and then process "routestopped" only
>> if "stoppedrules" contained no rules.
> That is indeed the case, with a bit of a twist! For the purpose of testing
> this, I have the following files:
I've attached the patch that implements the above behavior. See what
happens with that patch applied.
>
> routestopped
> ~~~~~~~~~~~~
> eth0 10.1.1.1 - tcp 22
>
> stoppedrules
> ~~~~~~~~~~~~
> ACCEPT $FW:+source-port +mickey-mouse-net[dst,dst]
> ACCEPT +destination-port $FW:+my-net[dst,dst]
>
> In the resulting script, I see the following section:
>
> #
> # Generated by Shorewall 4.5.8-Beta2 - Tue Sep 4 22:58:34 2012
> #
> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p 6 --dport 22 -s 10.1.1.1 -i eth0 -j ACCEPT
> -A INPUT -m set --match-set destination-port src -m set --match-set my-net
> dst,dst -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A OUTPUT -m set --match-set source-port src -m set --match-set
> mickey-mouse-net dst,dst -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> COMMIT
>
> What is interesting here (apart from the fact that both files were processed)
> is that for routestopped only INPUT was altered even though I specified a
> dash (-) - is that how it is supposed to work?
No. I may have broken the processing of routestopped; I'll take a look.
>
> My own opinion is that you should adopt the same approach you did with
> blacklist/blrules - issue a warning if both files are present (and process
> only stoppedrules) or simply process routestopped if stoppedrules isn't
> present.
If both are present, then routestopped must be the one processed.
Otherwise, an upgrade can't install stoppedrules.
>
> Apart from the above issues, from my previous list, I am not sure whether
> issue 5 has been fixed.
It's not yet fixed.
>
> The outstanding issues are how you decide to tackle the 'dhcp' option in
> interfaces, specifying multiple UIDs separated with commas within a rule, as
> well as including an option in shorewall-init to compile the shorewall script
> prior to executing it. I think that's about it. Have I missed anything?
>
Part of the shorewall-init work is complete. The init scripts all
compile the firewall if it doesn't exist; not so yet with the ifupdown
script.
I'm going to be out of town for the rest of the week but I'll get back
to this over the weekend.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
commit eb854f1dbe4b13d444c30ef361c3421deeb37828 Author: Tom Eastep <[email protected]> Date: Tue Sep 4 08:46:04 2012 -0700 Only process routestopped when stoppedrules does not exist or is empty Signed-off-by: Tom Eastep <[email protected]> diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index e7974da..35e6249 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -691,19 +691,22 @@ sub process_routestopped() { } # -# Process the stoppedrules file +# Process the stoppedrules file. Returns true if the file was non-empty. # sub process_stoppedrules() { my $fw = firewall_zone; + my $result; if ( my $fn = open_file 'stoppedrules' ) { first_entry "$doing $fn..."; while ( read_a_line( NORMAL_READ ) ) { + $result = 1; + my ( $target, $source, $dest, $proto, $ports, $sports ) = split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0, FORMAT => 2 }; - + fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/; my $tableref; @@ -719,13 +722,13 @@ sub process_stoppedrules() { } else { $tableref = $filter_table; } - + if ( $source eq $fw ) { $chainref = $tableref->{OUTPUT}; $source = ''; $restriction = OUTPUT_RESTRICT; } - + if ( $source =~ s/^($fw):// ) { $chainref = $filter_table->{OUTPUT}; $restriction = OUTPUT_RESTRICT; @@ -737,7 +740,7 @@ sub process_stoppedrules() { $dest = ''; $restriction = INPUT_RESTRICT; } - + if ( $dest =~ s/^($fw):// ) { fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK'; $chainref = $filter_table->{INPUT}; @@ -747,7 +750,7 @@ sub process_stoppedrules() { $chainref = $tableref->{FORWARD} unless $chainref; my $disposition = $target; - + $target = 'CT --notrack' if $target eq 'NOTRACK' and have_capability( 'CT_TARGET' ); unless ( $restriction == OUTPUT_RESTRICT 
@@ -768,6 +771,8 @@ sub process_stoppedrules() { } clear_comment; + + $result; } sub setup_mss(); @@ -2517,8 +2522,7 @@ EOF } } - process_routestopped; - process_stoppedrules; + process_routestopped unless process_stoppedrules; add_ijump $input, j => 'ACCEPT', i => 'lo'; add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
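Review bot: in the `@@ -691,19 +691,22 @@` hunk, `my $result;` is never given a defined value on the missing-file or empty-file path, and it is set to 1 at the top of the `while ( read_a_line( NORMAL_READ ) )` loop before `split_line1` has validated the line. The undefined value does satisfy the caller's `unless`, but `my $result = 0;` makes the "Returns true if the file was non-empty" contract in the new comment hold explicitly for both the absent and the empty stoppedrules file, which is exactly the upgrade case the thread is worried about.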
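Review bot: the `@@ -719,13 +722,13 @@`, `@@ -737,7 +740,7 @@` and `@@ -747,7 +750,7 @@` hunks only strip trailing whitespace from blank lines; keeping them in a separate commit from the precedence change would make the behavioural part of this patch easier to review and to bisect later.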
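Review bot: in the `@@ -768,6 +771,8 @@` hunk, the bare `$result;` before the closing brace relies on Perl's implicit last-expression return; `return $result;` states the intent and keeps the function's value from changing if a statement is later appended after `clear_comment;`.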
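Review bot: in the `@@ -2517,8 +2522,7 @@` hunk, `process_routestopped unless process_stoppedrules;` reverses the previous order (stoppedrules now runs first) and silently drops every routestopped entry as soon as stoppedrules contains a single rule. An administrator who has rules in both files gets no diagnostic that half of the stopped-state policy no longer applies; the thread itself suggests the blacklist/blrules treatment, so consider emitting a warning when both files contain rules, and document the new precedence in the stoppedrules documentation.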
signature.asc
Description: OpenPGP digital signature
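As an added example, not code from the thread or from Shorewall, here is a small Python checker for the iptables-restore section of a generated stopped-state script. It parses the `*table` / `:chain POLICY` / `-A` / `COMMIT` directives and flags the symptom reported above: a routestopped host accepted in INPUT but not in OUTPUT. The sample input is the filter table from the second script quoted in the thread, with the two mail-wrapped rule lines rejoined. Two expectations are assumptions drawn from the discussion rather than from Shorewall's documentation: INPUT and FORWARD are DROP in the stopped state, and when OUTPUT is DROP too (the `ADMINISABSENTMINDED` case the patch tests for the loopback rule) loopback and each routestopped host also need an OUTPUT rule.

```python
"""Check a Shorewall-generated stopped-state ruleset (iptables-restore format).

Added example for this thread, not Shorewall code.
"""
from collections import defaultdict

# Constructed sample: the filter table from the second script quoted in the
# thread, with the two mail-wrapped rule lines rejoined.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p 6 --dport 22 -s 10.1.1.1 -i eth0 -j ACCEPT
-A INPUT -m set --match-set destination-port src -m set --match-set my-net dst,dst -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m set --match-set source-port src -m set --match-set mickey-mouse-net dst,dst -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def parse_restore(text):
    """Parse iptables-restore input.

    Returns {table: {"policy": {chain: policy}, "rules": {chain: [rule args]}}}.
    Only the directives Shorewall emits (*table, :chain, -A, COMMIT) are handled.
    """
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"directive outside a table: {line!r}")
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split(None, 2)
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            _, chain, args = line.split(None, 2)
            tables[table]["rules"][chain].append(args)
        else:
            raise ValueError(f"unsupported directive: {line!r}")
    return tables


def has_option(args, flag, value):
    """True if the rule arguments contain the adjacent tokens `flag value`."""
    toks = args.split()
    return any(toks[i] == flag and toks[i + 1] == value for i in range(len(toks) - 1))


def accepts(args, flag, value):
    """True for an ACCEPT rule that carries `flag value`."""
    return has_option(args, flag, value) and has_option(args, "-j", "ACCEPT")


def check_stopped_ruleset(tables, routestopped_hosts):
    """Return a list of findings; an empty list means the ruleset looks as expected.

    Assumptions (from the thread, not Shorewall's docs): INPUT and FORWARD are
    DROP when stopped; if OUTPUT is DROP as well, loopback and every
    routestopped host must also be allowed on the OUTPUT side.
    """
    findings = []
    f = tables.get("filter")
    if f is None:
        return ["filter table missing"]
    policy, rules = f["policy"], f["rules"]
    for chain in ("INPUT", "FORWARD"):
        if policy.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policy.get(chain)}, expected DROP")
    if not any(accepts(r, "-i", "lo") for r in rules.get("INPUT", [])):
        findings.append("INPUT: no loopback ACCEPT rule")
    output_locked = policy.get("OUTPUT") == "DROP"
    if output_locked and not any(accepts(r, "-o", "lo") for r in rules.get("OUTPUT", [])):
        findings.append("OUTPUT: no loopback ACCEPT rule")
    for host in routestopped_hosts:
        if not any(accepts(r, "-s", host) for r in rules.get("INPUT", [])):
            findings.append(f"routestopped host {host} not accepted in INPUT")
        if output_locked and not any(accepts(r, "-d", host) for r in rules.get("OUTPUT", [])):
            findings.append(f"routestopped host {host} not accepted in OUTPUT")
    return findings


if __name__ == "__main__":
    for finding in check_stopped_ruleset(parse_restore(SAMPLE), ["10.1.1.1"]):
        print("WARNING:", finding)
```

Run against the sample it reports only that 10.1.1.1 is missing from OUTPUT, which is the question Mr Dash Four raises about the dash entry; pointing it at the first script in the thread (OUTPUT policy ACCEPT) skips the OUTPUT checks, since that script allows all outbound traffic by policy.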
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
