Shorewall-perl

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2009/06/21

Table of Contents

Shorewall-perl - What is it?

Shorewall-perl - The down side

Incompatibilities
Dependence on Perl

Installing Shorewall Version 4.0 or 4.2

Compiler Selection (Shorewall 4.0-4.2)

The Shorewall Perl Modules

/usr/share/shorewall-perl/compiler.pl

Shorewall::Compiler

Shorewall 4.0
Shorewall 4.2 and Later

Shorewall::Chains

Shorewall::Config

Shorewall-perl - What is it?

Shorewall-perl was released as a companion product to Shorewall in Shorewall 4.0.0.

Shorewall-perl contained a re-implementation of the Shorewall compiler written in Perl. The advantages of using Shorewall-perl over Shorewall-shell (the shell-based compiler included in earlier Shorewall 3.x releases) were:

The Shorewall-perl compiler was much faster.
The script generated by the compiler used iptables-restore to instantiate the Netfilter configuration. So it ran much faster than the script generated by the Shorewall-shell compiler and did not stop new connections during shorewall restart.
The Shorewall-perl compiler did more thorough checking of the configuration than the Shorewall-shell compiler did.
The error messages produced by the compiler were better, more consistent and always included the file name and line number where the error was detected.
Going forward, the Shorewall-perl compiler got all enhancements; the Shorewall-shell compilerl only got those enhancements that were easy to retrofit.

Beginning with Shorewall 4.3.5, Shorewall-perl is an integral part of Shorewall and support for Shorewall-shell has been discontinued.

Shorewall-perl - The down side

While there are significant advantages to using Shorewall-perl, there are also disadvantages.

Incompatibilities

There are a number of incompatibilities between the Shorewall-perl compiler and the earlier one.

The Perl-based compiler requires multiport match in your kernel and iptables.
BRIDGING=Yes is not supported. The kernel code necessary to support this option was removed in Linux kernel 2.6.20. Alternative bridge support is provided by Shorewall-perl.
DYNAMIC_ZONES=Yes is not supported in Shorewall-perl 4.2. Use an ipset to define your dytnamic zones. In Shorewall 4.4, dynamic zone support based on ipsets was added to Shorewall.
The BROADCAST column in the interfaces file is essentially unused if your kernel/iptables has Address Type Match support. If that support is present and you enter anything in this column but '-' or 'detect', you will receive a warning.
The 'refresh' command is now similar to restart with the exceptions that:
- The command fails if Shorewall is not running.
- A directory name cannot be specified in the command.
- The refresh command does not alter the Netfilter configuration except for the static blacklist (it also refreshes the mangle table, beginning with Shorewall 4.2.0).

With the shell-based compiler, extension scripts were copied into the compiled script and executed at run-time. In many cases, this approach doesn't work with Shorewall Perl because (almost) the entire rule set is built by the compiler. As a result, Shorewall-perl runs some extension scripts at compile-time rather than at run-time. Because the compiler is written in Perl, your extension scripts from earlier versions will no longer work.

The following table summarizes when the various extension scripts are run:

Compile-time (Must be written in Perl)	Run-time	Eliminated
initdone	clear	continue
maclog	start
Per-chain (including those associated with actions)	started
	stop
	stopped
	tcclear

Compile-time extension scripts are executed using the Perl 'eval `cat <file>`' mechanism. Be sure that each script returns a 'true' value; otherwise, the Shorweall-perl compiler will assume that the script failed and will abort the compilation.

When a script is invoked, the $chainref scalar variable will usually hold a reference to a chain table entry.

$chainref->{name} contains the name of the chain

$chainref->{table} holds the table name

To add a rule to the chain:

add_rule $chainref, the-rule

Where

the rule is a scalar argument holding the rule text. Do not include "-A chain-name"

Example:

add_rule $chainref, '-j ACCEPT';

To insert a rule into the chain:

insert_rule $chainref, rulenum, the-rule

The log_rule_limit function works like it does in the shell compiler with three exceptions:

You pass the chain reference rather than the name of the chain.
The commands are 'add' and 'insert' rather than '-A' and '-I'.
There is only a single "pass as-is to iptables" argument (so you must quote that part

Example:

    log_rule_limit
              'info' , 
              $chainref , 
              $chainref->{name},
              'DROP' , 
              '',    #Limit
              '' ,   #Log tag
              'add'
              '-p tcp ';

Here is an example of an actual initdone script used with Shorewall 3.4:

run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT

Here is the corresponding script used with Shorewall-perl:

use Shorewall::Chains;

insert_rule $mangle_table->{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
insert_rule $filter_table->{INPUT},      1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
insert_rule $filter_table->{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";

1;

The initdone script is unique because the $chainref variable is not set before the script is called. The above script illustrates how the $mangle_table, $filter_table, and $nat_table references can be used to add or insert rules in arbitrary chains.

The /etc/shorewall/tos file now has zone-independent SOURCE and DEST columns as do all other files except the rules and policy files.
The SOURCE column may be one of the following:
[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
$FW[:<address>[,...]]
The DEST column may be one of the following:
[all:]<address>[,...]
[all:]<interface>[:<address>[,...]]
This is a permanent change. The old zone-based rules have never worked right and this is a good time to replace them. I've tried to make the new syntax cover the most common cases without requiring change to existing files. In particular, it will handle the tos file released with Shorewall 1.4 and earlier.
Shorewall-perl insists that ipset names begin with a letter and be composed of alphanumeric characters and underscores (_). When used in a Shorewall configuration file, the name must be preceded by a plus sign (+) as with the shell-based compiler.
Shorewall is now out of the ipset load/reload business with the exception of ipsets used for dynamic zones. With scripts generated by the Perl-based Compiler, the Netfilter rule set is never cleared. That means that there is no opportunity for Shorewall to load/reload your ipsets since that cannot be done while there are any current rules using ipsets.
So:
1. Your ipsets must be loaded before Shorewall starts. You are free to try to do that with the following code in /etc/shorewall/init (it works for me; your mileage may vary):
```
if [ "$COMMAND" = start ]; then
    ipset -U :all: :all:
    ipset -U :all: :default:
    ipset -F
    ipset -X
    ipset -R < /etc/shorewall/ipsets
fi
```
  The file /etc/shorewall/ipsets will normally be produced using the ipset -S command. I have this in my/etc/shorewall/stop file:
```
if ipset -S > /etc/shorewall/ipsets.tmp; then
    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
fi
```
  The above extension scripts will work most of the time but will fail in a shorewall stop - shorewall start sequence if you use ipsets in your routestopped file (see below).
2. Your ipsets may not be reloaded until Shorewall is stopped or cleared.
3. If you specify ipsets in your routestopped file then Shorewall must be cleared in order to reload your ipsets.
As a consequence, scripts generated by the Perl-based compiler will ignore /etc/shorewall/ipsets and will issue a warning if you set SAVE_IPSETS=Yes in shorewall.conf.
Because the configuration files (with the exception of /etc/shorewall/params) are now processed by the Shorewall-perl compiler rather than by the shell, only the basic forms of Shell expansion ($variable and ${variable}) are supported. The more exotic forms such as ${variable:=default} are not supported. Both variables defined in /etc/shorewall/params and environmental variables (exported by the shell) can be used in configuration files.
USE_ACTIONS=No is not supported. That option is intended to minimize Shorewall's footprint in embedded applications. As a consequence, Default Macros are not supported by Shorewall-perl.
DELAYBLACKLISTLOAD=Yes is not supported. The entire rule set is atomically loaded with one execution of iptables-restore.
MAPOLDACTIONS=Yes is not supported. People should have converted to using macros by now.
The pre Shorewall-3.0 format of the zones file is not supported (IPSECFILE=ipsec); neither is the /etc/shorewall/ipsec file.
BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This combination doesn't work in previous versions of Shorewall so the Perl-based compiler simply rejects it.
Shorewall-perl has a single rule generator that is used for all rule-oriented files. This implementation enforces consistency of syntax between files.
With shorewall-shell, there is a special syntax in the SOURCE column of /etc/shorewall/masq to designate "all traffic entering the firewall on this interface except...".
Example:
```
#INTERFACE       SOURCE                  ADDRESSES
eth0             eth1!192.168.4.9        ...
```
Shorewall-perl uses syntax that is consistent with the rest of Shorewall:
```
#INTERFACE       SOURCE                  ADDRESSES
eth0             eth1:!192.168.4.9       ...
```
The 'allowoutUPnP' built-in action is no longer supported. In kernel 2.6.14, the Netfilter team have removed support for '-m owner --owner-cmd' which that action depended on.
The PKTTYPE option is ignored by Shorewall-perl. Shorewall-perl will use Address type match if it is available; otherwise, it will behave as if PKTTYPE=No had been specified.
Shorewall-perl detects dead policy file entries that result when an entry is masked by an earlier more general entry.
Example:
```
#SOURCE DEST     POLICY    LOG LEVEL
all     all      REJECT    info
loc     net      ACCEPT
```
Shorewall-shell silently accepts the above even though the loc->net policy is useless. Shorewall-perl generates a fatal compilation error.
In the SOURCE column of the rules file, when an interface name is followed by a list of IP addresses, the behavior of Shorewall-perl differs from that of Shorewall-shell.
Example:
```
#ACTION SOURCE                                 DEST PROTO DEST
#                                                         PORT(S)
ACCEPT  loc:eth0:192.168.1.3,192.168.1.5       $FW  tcp   22
```
With Shorewall-shell, this rule accepts SSH connection to the firewall from 192.168.1.3 through eth0 or from 192.168.1.5 through any interface. With Shorewall-perl, the rule accepts SSH connections through eth0 from 192.168.1.3 and through eth0 from 192.168.1.5. Shorewall-shell supports this syntax that gives the same result as Shorewall-perl.
```
#ACTION SOURCE                                 DEST PROTO DEST
#                                                         PORT(S)
ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5   $fw  tcp   22
```
Shorewall-perl does not support this alternative syntax.

Shorewall-perl gives a warning if a zone name is entered in the DEST column of a nonat rule. Nonat rules include:

DNAT-
REDIRECT-
NONAT

So rather than this:

#ACTION            SOURCE             DEST             PROTO        DEST PORT(S)
DNAT-              net                loc:192.168.1.3  tcp          21

you instead want:

#ACTION            SOURCE             DEST             PROTO        DEST PORT(S)
DNAT-              net                192.168.1.3      tcp          21

Supplying an interface name in the SOURCE column of /etc/shorewall/masq is deprecated as of Shorewall 4.4. Entering the name of an interface there will result in a compile-time warning:
WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts
To avoid this warning, replace interface names by the corresponding network addresses (e.g., 192.168.144.0/24).

Dependence on Perl

Shorewall-perl is dependent on Perl which has a large disk footprint. This makes Shorewall-perl less desirable in an embedded environment. The best way to work around this limitation is to install Shorewall-perl on an administrative system and employ Shorewall-lite on your embedded systems. Shorewall-perl will run on Windows under Cygwin. Install using the install.sh script.

Installing Shorewall Version 4.0 or 4.2

Shorewall 4.2 contains six packages, four of which are also included in Shorewall 4.0:

Shorewall-shell - the old shell-based compiler and related components.
Shorewall-perl - the new Perl-based compiler.
Shorewall-common - the part of Shorewall common to both compilers.
Shorewall-lite- same as the 3.4 version of Shorewall Lite. Can run scripts generated by either Shorewall-perl or Shorewall-shell.
Shorewall6 - The utilities for creating and operating an Ipv6 firewall. Requires Shorewall-perl and Shorewall-common. Introduced in Shorewall 4.2.4.
Shorewall6-lite - Ipv6 equivalent of Shorewall Lite. Can run scripts generated by Shoreall-perl 4.2.4 and later.

If you upgrade to Shorewall Version 4.0 or 4.2, you must install Shorewall-shell and/or Shorewall-perl; in fact, if you are using the tarball for your installation, you must install Shorewall-shell and/or Shorewall-perl before you upgrade Shorewall. See the upgrade issues for details.

Compiler Selection (Shorewall 4.0-4.2)

If you only install one compiler, then that compiler will be used.

If you install both compilers, then the compiler actually used for IPv4 depends on the SHOREWALL_COMPILER setting in shorewall.conf.

The value of this new option can be either 'perl' or 'shell'.

If you add 'SHOREWALL_COMPILER=perl' to /etc/shorewall/shorewall.conf then by default, the new compiler will be used on the system. If you add it to shorewall.conf in a separate directory (such as a Shorewall-lite export directory) then the new compiler will only be used when you compile from that directory.

If you only install one compiler, it is suggested that you do not set SHOREWALL_COMPILER.

If both compilers are installed, you can select the compiler to use on the command line using the 'C option:

'-C shell' means use the shell compiler

'-C perl' means use the perl compiler

The -C option overrides the setting in shorewall.conf.

Example:

shorewall restart -C perl

When the Shorewall-perl compiler has been selected, the params file is processed using the shell -a option which causes all variables set within the file to be exported automatically by the shell. The Shorewall-perl compiler uses the current environmental variables to perform variable expansion within the other Shorewall configuration files.

The Shorewall Perl Modules

Shorewall's Perl modules are installed in /usr/share/shorewall-perl/Shorewall and the names of the packages are of the form Shorewall::name. So by using this directive

use lib '/usr/share/shorewall-perl';

You can then load the modules via normal Perl use statements.

/usr/share/shorewall-perl/compiler.pl

While the compiler is normally run indirectly using /sbin/shorewall, it can be run directly as well.

compiler.pl [ option ... ] [ filename ]

If a filename is given, then the configuration will be compiled and the output placed in the named file. If filename is not given, then the configuration will simply be syntax checked.

Options are:

-v<verbosity>

--verbosity=<verbosity>

The <verbosity> is a number between 0 and 2 and corresponds to the VERBOSITY setting in shorewall.conf. This setting controls the verbosity of the compiler itself.

Note

The VERBOSITY setting in the shorewall.conf file read by the compiler will determine the default verbosity for the compiled program.

-e

--export

If given, the configuration will be compiled for export to another system.

-d <directory>

--directory=<directory>

If this option is omitted, the configuration in /etc/shorewall is compiled/checked. Otherwise, the configuration in the named directory will be compiled/checked.

-t

--timestamp

If given, each progress message issued by the compiler and by the compiled program will be timestamped.

--debug

If given, when a warning or error message is issued, it is supplemented with a stack trace. Requires the Carp Perl module.

--refresh=<chainlist>

If given, the compiled script's 'refresh' command will refresh the chains in the comma-separated <chainlist> rather than 'blacklst'.

--log=<logfile>

Added in Shorewall 4.2. If given, compiler will log to this file provider that --log_verbosity is > -1.

--log_verbosity=-1|0|1|2

Added in Shorewall 4.1. If given, controls the verbosity of logging to the log specified by the --log parameter.

--family=4|6

Added in Shorewall 4.2.4. Specifies whether an IPv4 or an IPv6 firewall is to be created.

Example (compiles the configuration in the current directory generating a script named 'firewall' and using VERBOSITY 2).

/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall

Note

The Perl-based compiler does not process /etc/shorewall/params. To include definitions in that file, you would need to do something like the following:

. /usr/share/shorewall/lib.base  # In case /etc/shorewall/params does INCLUDE
set -a                           # Export all variables set in /etc/shorewall/params
. /etc/shorewall/params
set +a
/usr/share/shorewall-perl/compiler.pl ...

Shorewall::Compiler

Shorewall 4.0

 use lib '/usr/share/shorewall-perl';
 use Shorewall::Compiler;
        
 compiler $filename, $directory, $verbose, $options $chains

Arguments to the compiler are:

$filename

Name of the compiled script to be created. If the arguments evaluates to false, the configuration is syntax checked.

$directory

The directory containing the configuration. If passed as '', then /etc/shorewall/ is assumed.

$verbose

The verbosity level that the compiler will run with (0-2).

Note

The VERBOSITY setting in the shorewall.conf file read by the compiler will determine the default verbosity for the compiled program.

$options

A bitmap of options. Shorewall::Compiler exports three constants to help building this argument:

EXPORT = 0x01

TIMESTAMP = 0x02

DEBUG = 0x04

$chains

A comma-separated list of chains that the generated script's 'refresh' command will reload. If passed as an empty string, then 'blacklist' is assumed.

The compiler raises an exception with 'die' if it encounters an error; $@ contains the 'ERROR' messages describing the problem. The compiler function can be called repeatedly with different inputs.

Shorewall 4.2 and Later

To avoid a proliferation of parameters to Shorewall::Compiler::compile(), that function has been changed to use named parameters. Parameter names are:

object: Object file. If omitted or '', the configuration is syntax checked.
directory: Directory. If omitted or '', configuration files are located using CONFIG_PATH. Otherwise, the directory named by this parameter is searched first.
verbosity: Verbosity; range -1 to 2
timestamp: 0|1 -- timestamp messages.
debug: 0|1 -- include stack trace in warning/error messages.
export: 0|1 -- compile for export.
chains: List of chains to be reloaded by 'refresh'
log: File to log compiler messages to.
log_verbosity: Log Verbosity; range -1 to 2.
family: Address family: 4 or 6

Those parameters that are supplied must have defined values. Defaults are:

object '' ('check' command)

directory ''

verbosity 1

timestamp 0

debug 0

export 0

chains ''

log ''

log_verbosity -1

family 4

Example:

use lib '/usr/share/shorewall-perl/';
use Shorewall::Compiler;

compiler( object => '/root/firewall', log => '/root/compile.log', log_verbosity => 2 );

Shorewall::Chains

use lib '/usr/share/shorewall-perl';
use Shorewall::Chains;

my $chainref1 = chain_new $table, $name1;
add_rule $chainref1, $rule;
insert_rule $chainref1, $ordinal, $rule;
my $chainref2 = new_manual_chain $name3;
my $chainref3 = ensure_manual_chain $name;
log_rule_limit $level, $chainref3, $name, $disposition, $limit, $tag, $command, $predicates;


my $chainref4 = $chain_table{$table}{$name};
my $chainref5 = $nat_table{$name};
my $chainref6 = $mangle_table{$name};
my $chainref7 = $filter_table{$name};

Shorewall::Chains is Shorewall-perl's interface to iptables/netfilter. It creates a chain table (%chain_table) which is populated as the various tables are processed. The table (actually a hash) is two-dimensional with the first dimension being the Netfilter table name (raw, mangle, nat and filter) and the second dimension being the chain name. Each table is a hash reference -- the hash defines the attributes of the chain. See the large comment at the beginning of the module (/usr/share/shorewall-perl/Shorewall/Chains.pm).

The module export the chain table along with three hash references into the table:

$nat_table: Reference to the 'nat' portion of the table ($chain_table{nat}). This is a hash whose key is the chain name. This variable is not set when an IPv6 firewall is being created.
$mangle_table: Reference to the 'mangle' portion of the table ($chain_table{mangle}). This is a hash whose key is the chain name.
$filter: Reference to the 'filter' portion of the table ($chain_table{filter}). This is a hash whose key is the chain name.

You can create a new chain in any of the tables using new_chain(). Arguments to the function are:

$table: 'nat', 'mangle', or 'filter'.
$name: Name of the chain to create.

The function creates a hash at $chain_table{$table}{$name} and populates the hash with default values. A reference to the hash is returned.

Each chain table entry includes a list of rules to be added to the chain. These rules are written to the iptables-restore input file when the resulting script is executed. To append a rule to that list, call add_rule(). Arguments are:

$chainref: A reference to the chain table entry.
$rule: The rule to add. Do not include the leading '-A ' in this argument -- it will be supplied by the function.

To insert a rule into that list, call insert_rule(). Arguments are:

$chainref: A reference to the chain table entry.
$ordinal: The position of the inserted rule in the list. A value of 1 inserts the rule at the head of the list, a value of 2 places the rule second in the list, and so on.
$rule: The rule to add. Do not include the leading '-I' in this argument -- it will be supplied by the function.

To create a manual chain, use the new_manual_chain() function. The function accepts a single argument which is the name of the chain. The function returns a reference to the resulting chain table entry.

A companion function, ensure_manual_chain(), can be called when a manual chain of the desired name may have already been created. If a manual chain table entry with the passed name already exists, a reference to the chain table entry is returned. Otherwise, the function calls new_manual_chain() and returns the result.

To create a logging rule, call log_rule_limit(). Arguments are:

$level: The log level. May be specified as a name or as a number.
$chainref: Chain table reference for the chain to which the rule is to be added.
$name: The chain name to be reported in the log message (see LOGFORMAT in shorewall.conf(5)).
$disposition: The disposition to be reported in the log message (see LOGFORMAT in shorewall.conf(5)).
$limit: Rate limiting match. If an empty string is passed, the LOGRATE/LOGBURST (shorewall.conf(5)) is used.
$tag: Log tag.
$command: If 'add', append the log rule to the chain. If 'insert', then insert the rule at the beginning of the chain.
$predicates: Any additional matches that are to be applied to the rule.

Shorewall::Config

use lib '/usr/share/shorewall-perl';
use Shorewall::Config;

warning message "This entry is bogus";
fatal_error "You have made an error";

progress_message  "This will only be seen if VERBOSITY >= 2";
progress_message2 "This will only be seen if VERBOSITY >= 1";
progress_message3 "This will be seen unless VERBOSITY < 0";

The shorewall() function may be optionally included:

use lib '/usr/share/shorewall-perl';
use Shorewall::Config qw/shorewall/;

shorewall $config_file_entry;

The Shorewall::Config module provides basic services to Shorewall-perl. By default, it exports the functions that produce progress messages and warning/error messages.

To issue a warning message, call warning_message(). The single argument describes the warning.

To raise a fatal error, call fatal_error(). Again, the single argument described the error.

In both cases, the function will augment the warning/error with the current configuration file and line number, if any. fatal_error() raised an exception via either confess() or die(), depending on whether the debugging stack trace is enabled or not..

The three 'progress message' functions conditionally produce output depending on the current verbosity setting.

The shorewall() function is used by embedded Perl scripts to generate entries to be included in the current configuration file.