From 050375b21165181afcc07de0ca27a3a2594093f2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 29 Jun 2009 18:33:13 -0700
Subject: [PATCH] Delete DISABLE_IPV6 option
---
 Samples/one-interface/shorewall.conf | 2 -
 Samples/three-interfaces/shorewall.conf | 2 -
 Samples/two-interfaces/shorewall.conf | 2 -
 Shorewall/Perl/Shorewall/Compiler.pm | 3 --
 Shorewall/Perl/Shorewall/Config.pm | 5 ++-
 Shorewall/Perl/prog.functions | 8 ----
 Shorewall/Perl/prog.header | 22 -----------
 Shorewall/changelog.txt | 6 ++-
 Shorewall/configfiles/shorewall.conf | 2 -
 Shorewall/releasenotes.txt | 52 +++++++++----------------
 10 files changed, 27 insertions(+), 77 deletions(-)
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 5b65e850c..41340daaa 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -139,8 +139,6 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
-DISABLE_IPV6=Yes
-
 BRIDGING=No
 DYNAMIC_ZONES=No
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index bc04c03ea..ed0fc6aaa 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -139,8 +139,6 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
-DISABLE_IPV6=Yes
-
 BRIDGING=No
 DYNAMIC_ZONES=No
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index 0f13434e3..e73bc7163 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -146,8 +146,6 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
-DISABLE_IPV6=Yes
-
 BRIDGING=No
 DYNAMIC_ZONES=No
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 878984218..9da865b28 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -407,9 +407,6 @@ sub generate_script_3($) {
 ' rm -f ${VARDIR}/nat', "fi\n" ); }
-
- emit "disable_ipv6\n" if $config{DISABLE_IPV6};
-
 } else { emit ( '#', '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index a44116d41..cf47c41c3 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -188,7 +188,7 @@ our %config;
 #
 # Config options and global settings that are to be copied to object script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
+our @propagateconfig = qw/ MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
 our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
 #
 # From parsing the capabilities file or detecting capabilities
@@ -2306,7 +2306,8 @@ sub get_configuration( $ ) {
 default_yes_no 'ADMINISABSENTMINDED' , '';
 default_yes_no 'BLACKLISTNEWONLY' , '';
- default_yes_no 'DISABLE_IPV6' , '';
+
+ warning_message 'DISABLE_IPV6=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DISABLE_IPV6};
 unsupported_yes_no 'DYNAMIC_ZONES';
 unsupported_yes_no 'BRIDGING';
diff --git a/Shorewall/Perl/prog.functions b/Shorewall/Perl/prog.functions
index bfa3a536c..c6e5b0240 100644
--- a/Shorewall/Perl/prog.functions
+++ b/Shorewall/Perl/prog.functions
@@ -31,14 +31,6 @@ clear_firewall() {
 echo 1 > /proc/sys/net/ipv4/ip_forward
- if [ -n "$DISABLE_IPV6" ]; then
- if qt mywhich ip6tables; then
- ip6tables -P INPUT ACCEPT 2> /dev/null
- ip6tables -P OUTPUT ACCEPT 2> /dev/null
- ip6tables -P FORWARD ACCEPT 2> /dev/null
- fi
- fi
-
 run_clear_exit set_state "Cleared"
diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header
index 615cea2b4..3f1981382 100644
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
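Review bot: In the `get_configuration` hunk of Config.pm the new warning tests the raw value of `$config{DISABLE_IPV6}`; with the `default_yes_no 'DISABLE_IPV6'` call removed, and assuming that call was what mapped Yes/No to true/false, the string `No` is a true value in Perl, so a configuration that sets DISABLE_IPV6=No would be warned about `DISABLE_IPV6=Yes`. The message also does not state the consequence: a host that relied on this option for a DROP policy in ip6tables no longer gets any IPv6 filtering from the generated script, which is a fail-open change announced only by a compile-time warning. I would match the value explicitly and say what is lost, e.g. `warning_message 'DISABLE_IPV6 is no longer supported; IPv6 traffic is not filtered by this configuration -- install Shorewall6' if ( $config{DISABLE_IPV6} || '' ) =~ /^yes$/i;`. The body of get_configuration continues outside the hunk, so whether the value is normalised elsewhere cannot be confirmed from here.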
@@ -853,28 +853,6 @@ detect_gateway() # $1 = interface
 [ -n "$gateway" ] && echo $gateway
 }
-#
-# Disable IPV6
-#
-disable_ipv6() {
- local foo
- foo="$($IP -f inet6 addr list 2> /dev/null)"
-
- if [ -n "$foo" ]; then
- if qt mywhich ip6tables; then
- ip6tables -P FORWARD DROP
- ip6tables -P INPUT DROP
- ip6tables -P OUTPUT DROP
- ip6tables -F
- ip6tables -X
- ip6tables -A OUTPUT -o lo -j ACCEPT
- ip6tables -A INPUT -i lo -j ACCEPT
- else
- error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
- fi
- fi
-}
-
 # Function to truncate a string -- It uses 'cut -b -'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 9249f990d..a9d683345 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,4 +1,8 @@
-qChanges in Shorewall 4.4.0-Beta3
+Changes in Shorewall 4.4.0-Beta4
+
+1) Delete DISABLE_IPV6.
+
+Changes in Shorewall 4.4.0-Beta3
 1) Add new macros.
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index fad9bef1e..04451554d 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -137,8 +137,6 @@ DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
-DISABLE_IPV6=Yes
-
 BRIDGING=No
 DYNAMIC_ZONES=No
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index cd09195ec..c8fb6381f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -109,28 +109,14 @@ Shorewall 4.4.0 Beta 3
 As part of this change, the fallback.sh scripts are no longer released.
+9) The DISABLE_IPV6 option has been removed from Shorewall.conf. If
+ you need to control IPV6 traffic, install Shorewall6.
+
 ----------------------------------------------------------------------------
- P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 3
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 4
 ----------------------------------------------------------------------------
-1) Previously, if Address Type Match was not available and an
- interface on the firewall was (mis-)configured as shown below, then
- REJECT policies in Shorewall-perl would drop packets addressed to
- the interface rather than reject them.
-
- 3: venet0: mtu 1500 ...
- inet 127.0.0.1/32 scope host venet0
- inet 206.124.146.176/32 brd 206.124.146.176 ...
-
- Note that a /32 should never be configured with a broadcast
- address.
-
-2) Due to a syntax ambiguity arising from the new dynamic zone
- implementation, 'shorewall show dynamic' produced no output. It now
- shows the contents of the dynamic blacklist as in earlier
- Shorewall releases.
-
-3) The 'findgw' script produced an error if VERBOSITY > 0.
+1) None.
 ----------------------------------------------------------------------------
 K N O W N P R O B L E M S R E M A I N I N G
@@ -142,20 +128,7 @@ None.
 N E W F E A T U R E S I N 4 . 4 . 0 Beta 3
 ----------------------------------------------------------------------------
-1) Three new macros have been contributed by Alex Wilms.
-
- macro.BGP
- macro.Citrix
- macro.OSPF
- macro.Razor
-
-2) The Shorewall compiler now checks for availability of the LOG
- target if the configuration does any logging. This change involves
- a new version of the capabilities file so users employing a
- capabilties file should re-generate that file before trying to
- start/restart Shorewall.
-
------------------------------------------------------------------------------
+---------------------------------------------------------------------------
 N E W F E A T U R E S IN 4 . 4
 ----------------------------------------------------------------------------
@@ -784,3 +757,16 @@ None.
 26) A new extension script, 'lib.private' has been added. This file is intended to include declarations of shell functions that will be called by the other run-time extension scripts.
+
+27) Three new macros have been contributed by Alex Wilms.
+
+ macro.BGP
+ macro.Citrix
+ macro.OSPF
+ macro.Razor
+
+28) The Shorewall compiler now checks for availability of the LOG
+ target if the configuration does any logging. This change involves
+ a new version of the capabilities file so users employing a
+ capabilties file should re-generate that file before trying to
+ start/restart Shorewall.