Bring forward bug fixes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1371 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5017345256
commit
1b59a9ed77
@ -777,7 +777,7 @@ validate_interfaces_file() {
|
|||||||
if [ -z "$found_obsolete_option" ]; then
|
if [ -z "$found_obsolete_option" ]; then
|
||||||
found_obsolete_option=yes
|
found_obsolete_option=yes
|
||||||
error_message \
|
error_message \
|
||||||
"Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
|
"WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
|
||||||
error_message \
|
error_message \
|
||||||
" PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
|
" PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
|
||||||
sleep 5
|
sleep 5
|
||||||
@ -2331,7 +2331,7 @@ check_config() {
|
|||||||
|
|
||||||
verify_os_version
|
verify_os_version
|
||||||
|
|
||||||
load_kernel_modules
|
load_kernel_modules check
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
@ -2899,7 +2899,7 @@ process_actions2() {
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
dropNonSyn)
|
dropNonSyn)
|
||||||
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
|
error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
|
||||||
[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
|
[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
|
||||||
@ -4623,32 +4623,34 @@ add_ip_aliases()
|
|||||||
#
|
#
|
||||||
# Load kernel modules required for Shorewall
|
# Load kernel modules required for Shorewall
|
||||||
#
|
#
|
||||||
load_kernel_modules() {
|
load_kernel_modules() #1 = command
|
||||||
|
{
|
||||||
|
|
||||||
[ -z "$MODULESDIR" ] && \
|
[ -z "$MODULESDIR" ] && \
|
||||||
MODULESDIR=/lib/modules/$osversion/kernel/net/ipv4/netfilter
|
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
||||||
|
|
||||||
modules=$(find_file modules)
|
modules=$(find_file modules)
|
||||||
|
|
||||||
if [ -f $modules -a -d $MODULESDIR ]; then
|
if [ -f $modules -a -d $MODULESDIR ]; then
|
||||||
echo "Loading Modules..."
|
[ "$1" = silent ] || echo "Loading Modules..."
|
||||||
. $modules
|
. $modules
|
||||||
|
|
||||||
if [ "$command" != check ]; then
|
case $1 in
|
||||||
|
start|restart)
|
||||||
|
save_progress_message "Loading kernel modules..."
|
||||||
|
save_command "reload_kernel_modules <<__EOF__"
|
||||||
|
|
||||||
save_progress_message "Loading kernel modules..."
|
while read command; do
|
||||||
save_command "reload_kernel_modules <<__EOF__"
|
case "$command" in
|
||||||
|
loadmodule*)
|
||||||
while read command; do
|
save_command $command
|
||||||
case "$command" in
|
;;
|
||||||
loadmodule*)
|
esac
|
||||||
save_command $command
|
done < $modules
|
||||||
;;
|
|
||||||
esac
|
save_command __EOF__
|
||||||
done < $modules
|
;;
|
||||||
|
esac
|
||||||
save_command __EOF__
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4801,10 +4803,13 @@ initialize_netfilter () {
|
|||||||
if [ -z "$NEWNOTSYN" ]; then
|
if [ -z "$NEWNOTSYN" ]; then
|
||||||
createchain newnotsyn no
|
createchain newnotsyn no
|
||||||
|
|
||||||
for interface in $(find_interfaces_by_option newnotsyn); do
|
for host in $(find_hosts_by_option newnotsyn); do
|
||||||
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j RETURN
|
interface=${host%%:*}
|
||||||
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j RETURN
|
network=${host#*:}
|
||||||
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j RETURN
|
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT
|
||||||
|
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT
|
||||||
|
run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT
|
||||||
|
run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN
|
||||||
done
|
done
|
||||||
|
|
||||||
run_user_exit newnotsyn
|
run_user_exit newnotsyn
|
||||||
@ -5514,7 +5519,7 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
save_command "MODULESDIR=\"$MODULESDIR\""
|
save_command "MODULESDIR=\"$MODULESDIR\""
|
||||||
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
|
save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
|
||||||
|
|
||||||
load_kernel_modules
|
load_kernel_modules $command
|
||||||
|
|
||||||
echo "Initializing..."; initialize_netfilter
|
echo "Initializing..."; initialize_netfilter
|
||||||
echo "Configuring Proxy ARP"; setup_proxy_arp
|
echo "Configuring Proxy ARP"; setup_proxy_arp
|
||||||
@ -6040,7 +6045,9 @@ do_initialize() {
|
|||||||
ensure_config_path
|
ensure_config_path
|
||||||
#
|
#
|
||||||
# Determine the capabilities of the installed iptables/netfilter
|
# Determine the capabilities of the installed iptables/netfilter
|
||||||
|
# We silently load the modules
|
||||||
#
|
#
|
||||||
|
qt load_kernel_modules silent
|
||||||
determine_capabilities
|
determine_capabilities
|
||||||
|
|
||||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||||
|
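Review bot: In the initialize_netfilter hunk the three flag rules of the new newnotsyn loop end in `-j ACCEPT` where the interface-based rules they replace ended in `-j RETURN`, so ACK/RST/FIN segments from a newnotsyn host are now accepted inside the chain rather than returned to the caller for the rest of the ruleset, and the trailing `-j RETURN` sends every other packet from that host past the chain's tail, including the `run_user_exit newnotsyn` that follows the loop. If that widening is the intent it deserves a comment such as `# newnotsyn hosts: accept non-SYN segments outright; their other traffic skips the chain's default handling`; if not, the flag rules should keep `-j RETURN`. The fourth rule recomputes `${host#*:}` although `network` already holds that value, so `$(match_source_hosts $network)` would keep the four rules consistent. In the load_kernel_modules hunk, `while read command; do` still overwrites the shell variable `command` that define_firewall passes in as `$1`, so a caller reading `$command` after the call, if any does, sees the last line of the modules file; `while read -r modline; do` with matching `case "$modline"` and `save_command $modline` avoids the clobber and the backslash mangling of a bare `read`. The rest of initialize_netfilter lies outside the hunk.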
@ -23,6 +23,11 @@ Problems Corrected since 2.0.2
|
|||||||
/etc/shorewall when the files were actually installed in
|
/etc/shorewall when the files were actually installed in
|
||||||
/usr/share/shorewall.
|
/usr/share/shorewall.
|
||||||
|
|
||||||
|
7) Shorewall checks netfilter capabilities before loading kernel
|
||||||
|
modules. Hence if kernel module autoloading isn't enabled, the
|
||||||
|
capabilities will be misdetected.
|
||||||
|
|
||||||
|
8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
|
Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
|
||||||
|
|
||||||
@ -30,10 +35,6 @@ Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
|
|||||||
'dropNotSyn' standard builtin action. The old name can still be used
|
'dropNotSyn' standard builtin action. The old name can still be used
|
||||||
but will generate a warning.
|
but will generate a warning.
|
||||||
|
|
||||||
2) To lay the groundwork for eventual removal of NEWNOTSYN from
|
|
||||||
shorewall.conf and removal of the 'newnotsyn' interface option,
|
|
||||||
several new standard builtin actions have been defined. See New
|
|
||||||
Feature 3 below.
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
New Features:
|
New Features:
|
||||||
|
|
||||||
@ -81,4 +82,5 @@ New Features:
|
|||||||
|
|
||||||
a) Early in your rules file, place:
|
a) Early in your rules file, place:
|
||||||
|
|
||||||
dropNotSyn net all tcp
|
dropNotSyn net all tcp
|
||||||
|
|
||||||
|