diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 784c7ae7b..ca1ebf4ee 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,44 @@ +Changes in Shorewall 4.2.5 + +1) Add 'fallback' providers option. + +2) Support for xtables-addons IPP2P. + +3) Slow down startup some more by adding more modules and modules + search directories. + +4) Fix 'shorewall6 debug start' + +5) Added macro.Git. + +Changes in Shorewall 4.2.4.6 + +1) Fix hosts exclusion in DNAT/REDIRECT. + +2) Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851 + +Changes in Shorewall 4.2.4.5 + +1) Fix critical hosts handling in Shorewall6. + +Changes in Shorewall 4.2.4.4 + +1) Fix exclusion yet another time. + +Changes in Shorewall 4.2.4.3 + +1) Fix exclusion again + +Changes in Shorewall 4.2.4.2 + +1) Fix 'refresh' + +Changes in Shorewall 4.2.4.1 + +1) Fix 'shorewall6 restore' etc. + +2) Fix init scripts. + Changes in Shorewall 4.2.4-RC3 1) Fix exclusion handling with certain hosts options. diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh index b8ee30af8..a30bf6411 100755 --- a/Shorewall-common/fallback.sh +++ b/Shorewall-common/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.2.4-RC3 +VERSION=4.2.5 usage() # $1 = exit status { diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index 9441af7b5..b0226fa36 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.2.4-RC3 +VERSION=4.2.5 usage() # $1 = exit status { diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base index 97f06ece6..227390b43 100644 --- a/Shorewall-common/lib.base +++ b/Shorewall-common/lib.base 
@@ -256,6 +256,7 @@ reload_kernel_modules() {
 moduledirectories=
 local moduleloader
 moduleloader=modprobe
+ local uname
 if ! qt mywhich modprobe; then
 moduleloader=insmod
@@ -263,7 +264,11 @@ reload_kernel_modules() {
 [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
- [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+
+ [ -z "$MODULESDIR" ] && \
+ uname=$(uname -r) && \
+ MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
 MODULES=$(lsmod | cut -d ' ' -f1)
 for directory in $(split $MODULESDIR); do
@@ -291,6 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 moduleloader=modprobe
 local savemoduleinfo
 savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+ local uname
 if ! qt mywhich modprobe; then
 moduleloader=insmod
@@ -299,7 +305,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 [ -z "$MODULESDIR" ] && \
- MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+ uname=$(uname -r) && \
+ MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 for directory in $(split $MODULESDIR); do
 [ -d $directory ] && moduledirectories="$moduledirectories $directory"
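Review bot: If `uname -r` fails, the new `[ -z "$MODULESDIR" ] && uname=$(uname -r) && MODULESDIR=...` chain leaves MODULESDIR empty and the `for directory in $(split $MODULESDIR)` loop below presumably iterates over nothing, so no module directory is collected and the problem only surfaces later as an unrelated iptables error; the Perl side of the same change (Config.pm's load_kernel_modules) aborts with `fatal_error "The command 'uname -r' failed"`, and this shell path should be as loud. I'd write `uname=$(uname -r) || { echo "ERROR: uname -r failed" >&2; return 1; }` (or the library's own error helper, which this hunk does not show) before building MODULESDIR. Reusing the command's name as the variable (`uname=$(uname -r)`) works because the shell keeps variables and commands in separate namespaces, but a name like `kernelrelease` would spare the next reader a double take. Both reload_kernel_modules and load_kernel_modules begin above their hunks.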
@@ -1151,9 +1158,9 @@ determine_capabilities() {
 qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
 fi
- qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
+ qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
 if [ -n "$IPP2P_MATCH" ]; then
- qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
+ qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
 fi
 qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
@@ -1250,7 +1257,7 @@ report_capabilities() {
 [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 report_capability "Raw Table" $RAW_TABLE
 report_capability "IPP2P Match" $IPP2P_MATCH
- [ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match" $OLD_IPP2P_MATCH
+ [ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 report_capability "CLASSIFY Target" $CLASSIFY_TARGET
 report_capability "Extended REJECT" $ENHANCED_REJECT
 report_capability "Repeat match" $KLUDGEFREE
diff --git a/Shorewall-common/modules b/Shorewall-common/modules
index 5532a96af..b9c1da719 100644
--- a/Shorewall-common/modules
+++ b/Shorewall-common/modules
@@ -39,6 +39,7 @@ loadmodule xt_dscp
 loadmodule xt_DSCP
 loadmodule xt_hashlimit
 loadmodule xt_helper
+loadmodule xt_ipp2p
 loadmodule xt_iprange
 loadmodule xt_length
 loadmodule xt_limit
@@ -77,6 +78,20 @@ loadmodule ip_set_ipmap
 loadmodule ip_set_macipmap
 loadmodule ip_set_portmap
 #
+# Ipset
+#
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_ipporthash
+loadmodule ip_set_iptree
+loadmodule ip_set_iptreemap
+loadmodule ip_set_macipmap
+loadmodule ip_set_nethash
+loadmodule ip_set_portmap
+loadmodule ipt_SET
+loadmodule ipt_set
+#
 # 2.6.20+ helpers
 #
 loadmodule nf_conntrack_ftp
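Review bot: The new `# Ipset` block re-lists ip_set_ipmap, ip_set_macipmap and ip_set_portmap, which already appear in the context lines directly above it (and in the hunk header), so those three modules are now requested twice on every start; that is presumably harmless if already-loaded modules are skipped (reload_kernel_modules in lib.base reads lsmod first), but it adds to the directory scanning the changelog entry already complains about and leaves it unclear which of the two lists is meant to be authoritative. Either drop the three repeated lines from the new block or delete the older scattered entries so ipset is configured in one place. The rest of the modules file is outside the hunk, so I cannot tell whether further duplicates exist.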
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index a16bc1a8c..f2f1febeb 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 4.2.4 RC3 +Shorewall 4.2.5 ---------------------------------------------------------------------------- R E L E A S E 4 . 2 H I G H L I G H T S 
@@ -27,32 +27,51 @@ Shorewall 4.2.4 RC3 - Perl 5.10 if you wish to use DNS names in your IPv6 config files. In that case you will also have to install Perl Socket6 support. -Problems Corrected in 4.2.4 RC3 +Problems corrected in 4.2.5 -1) Previously, when exclusion was used in an entry in - /etc/shorewall/hosts, Shorewall-perl ignored the exclusion when - generating rules for the following OPTIONS in that entry: - - blacklist - maclist - norfc1918 - tcpflags +1) If exclusion is used to define a zone in /etc/shorewall/hosts and + that zone is used as the SOURCE zone in a DNAT or REDIRECT rule, + then Shorewall-perl can generated invalid iptables-restore input. -2) Shorewall-perl previously promoted all exclusion in the - /etc/shorewall/hosts file to the zone level. That meant that - all traffic to/from the zone passed through exclusion rules - rather than only the traffic matching a hosts records that - specified exclusion. +2) A bug in the Perl Cwd module (see + http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the + Shorewall-perl compiler to fail if it doesn't have at least read + access to its current working directory. 4.2.5 contains a + workaround. - Example /etc/shorewall/hosts: +3) If 'critical' was specified on an entry in + /etc/shorewall/routestopped, Shorewall6 (Shorewall-perl) would + generate an error. - z eth0:192.168.4.0/24 - z eth1:10.0.0.0/24!10.0.0.99 +4) In certain cases where exclusion occurred in /etc/shorewall/hosts, + Shorewall-perl would generate incorrect iptables-restore input. - Traffic entering eth0 from network 192.168.4.0/24 would still - be checked for '!10.0.0.99'. +5) In certain cases where exclusion occurred in /etc/shorewall/hosts, + Shorewall-perl would generate invalid iptables-restore input. - This has been corrected. +6) The 'shorewall6 refresh' command runs iptables_restore rather than + ip6tables_restore. 
+ +7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and + 'shorewall6 restore' were previously broken. + +8) The Debian init script was checking $startup in + /etc/default/shorewall rather than in /etc/default/shorweall6 + +9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were + unconverted Shorewall scripts. + +10) When 'detect' is used in the GATEWAY column of + /etc/shorewall/providers, Shorewall-perl now ensures that the + gateway was successfully detected. If the gateway cannot be + detected, action is taken depending on whether the provider is + 'optional' or not. If the provider is optional, it's configuration + is skipped; if the provider is not optional, the current operation + is aborted. + +11) The command 'shorewall6 debug start' would previously fail with + + ERROR: Command "/sbin/ip6tables -t nat -F" Failed Known Problems Remaiining: 
@@ -65,100 +84,74 @@ Known Problems Remaiining: norfc1918 tcpflags -New Features in Shorewall 4.2.4. +New Feature in Shorewall 4.2.5 -1) Two new packages are included: +1) A new 'fallback' option is added in + /etc/shorewall/providers. The option works similar to 'balance' + except that the default route is added in the default routing table + (253) rather than in the main table (254). - a) Shorewall6 - analagous to Shorewall-common but handles IPv6 - rather than IPv4. + The option can be used by itself or followed by = (e.g, + fallback=2). - b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6 - rather than IPv4. + When the option is used by itself, a separate (not balanced) + default route is added with a metric equal to the provider's NUMBER. - The packages store their configurations in /etc/shorewall6/ and - /etc/shorewall6-lite/ respectively. + When the option is used with a number, a balanced route is added + with the weight set to the specified number. - The fact that the packages are separate from their IPv4 counterparts - means that you control IPv4 and IPv6 traffic separately (the same - way that Netfilter does). Starting/Stopping the firewall for one - address family has no effect on the other address family. + 'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and + is only available with Shorewall-perl. - For additional information, see - http://www.shorewall.net/IPV6Support.html. + 'fallback' is useful in situations where: - Other features of Shorewall6 are: + - You want all traffic to be sent via one primary provider unless + there is a compelling reason to use a different provider - a) There is no NAT of any kind (most people see this as a giant step - forward). When an ISP assigns you a public IPv6 address, you are - actually assigned an IPv6 'prefix' which is like an IPv4 - subnet. A 64-bit prefix allows 4 billion squared individual hosts - (the size of the current IPv4 address space squared). 
+ - If the primary provider is down, then you want to balance the + outgoing traffic among a set of other providers or to a + ordered list of providers. - b) The default zone type is ipv6. + In this case: - c) The currently-supported interface options in Shorewall6 are: + - Do not specify 'balance' on any of the providers. + - Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf). + - Specify 'fallback' on those providers that you want to use if + the primary is down. + - Only the primary provider should have a default route in the main + routing table. - blacklist - bridge - dhcp - nosmurfs (traps multicast and Subnet-router anycast addresses - used as the packet source address). - optional - routeback - sourceroute - tcpflags - mss - forward (setting it to 0 makes the router behave like a host - on that interface rather than like a router). + See http://www.shorewall.net/MultiISP.html#Complete for an example + of this option's use. - d) The currently-supported host options in Shorewall6 are: +2) Shorewall-perl now transparently handles the xtables-addon version + of ipp2p. Shorewall detects whether the installed ipp2p is from + patch-o-matic-ng or from xtables-addon and proceeds accordingly. - blacklist - routeback - tcpflags + If the patch-o-matic-ng version is installed: - e) Traffic Shaping is disabled by default. The tcdevices and - tcclasses files are address-family independent so - to use the Shorewall builtin Traffic Shaper, TC_ENABLED=Internal - should be specified in Shorewall or in Shorewall6 but not in - both. In the configuration where the internal traffic shaper is - not enabled, CLEAR_TC=No should be specified. + a) If no DEST PORT is supplied, the default is "--ipp2p". + b) If "ipp2p" is supplied as the DEST PORT, it will be passed to + iptables-restore as "--ipp2p". - tcfilters are not available in Shorewall6. 
+ If the xtables-addons version is installed: - f) When both an interface and an address or address list need to - be specified in a rule, the address or list must be enclosed in - angle brackets. Example: + a) If no DEST PORT is supplied, the default is "--edk --gnu --dc + --kazaa". + b) If "ipp2p" is supplied as the DEST PORT, it will be passed to + iptables-restore as "--edk --gnu --dc --kazaa". - #ACTION SOURCE DEST - ACCEPT net:eth0:<2001:19f0:feee::dead:beef:cafe> dmz + Shorewall-perl now also accepts a comma-separated list of options + (e.g., "edk,gnu,dc,kazaa). - Note that this includes MAC addresses as well as IPv6 addresses. + Additionally, Shorewall now looks for modules in /lib/modules/$(uname + -r)/extra and in /lib/modules/$(uname -r)/extra/ipset - The HOSTS column in /etc/shorewall6/hosts also uses this - convention: + This change introduced a new capability ("Old IPP2P Match Syntax") + so if you use a capabilities file, be sure to re-generate the + file(s) after you have installed 4.2.5. - #ZONE HOSTS OPTIONS - chat6 eth0:<2001:19f0:feee::dead:beef:cafe> - - Even when an interface is not specified, it is permitted to - enclose addresses in <> to improve readability. Example: - - #ACTION SOURCE DEST - ACCEPT net:<2001:1::1> $FW - - g) The options available in shorewall6.conf are a subset of those - available in shorewall.conf. - - h) The Socket6.pm Perl module is required if you include DNS names - in your Shorewall6 configuration. Note that it is loaded the - first time that a DNS name is encountered so if it is missing, - you get a message similar to this one: - - ... - Checking /etc/shorewall6/rules... - Can't locate Socket6.pm in @INC (@INC contains: /root ... - teastep@ursa:~/Configs/standalone6$ +3) There is now a macro.Git, which opens git-daemon's port (9418/tcp). Migration Issues. 
@@ -1307,3 +1300,34 @@ Other changes in Shorewall 4.2.3 shorewall reset chain1 chain2 ... shorewall-lite reset chain1 chain2 ... + +Problems Corrected in 4.2.4 + +1) Previously, when exclusion was used in an entry in + /etc/shorewall/hosts, Shorewall-perl ignored the exclusion when + generating rules for the following OPTIONS in that entry: + + blacklist + maclist + norfc1918 + tcpflags + +2) Shorewall-perl previously promoted all exclusion in the + /etc/shorewall/hosts file to the zone level. That meant that + all traffic to/from the zone passed through exclusion rules + rather than only the traffic matching a hosts records that + specified exclusion. + + Example /etc/shorewall/hosts: + + z eth0:192.168.4.0/24 + z eth1:10.0.0.0/24!10.0.0.99 + + Traffic entering eth0 from network 192.168.4.0/24 would still + be checked for '!10.0.0.99'. + + This has been corrected. + +Other changes in 4.2.4 + +1) Support for IPv6 was added -- see above. diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index 63874a2af..91559d323 100644 --- a/Shorewall-common/shorewall-common.spec +++ b/Shorewall-common/shorewall-common.spec @@ -1,6 +1,6 @@ %define name shorewall-common -%define version 4.2.4 -%define release 0RC3 +%define version 4.2.5 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -175,8 +175,10 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog -* Sun Dec 28 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.4-0RC3 +* Tue Jan 06 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.5-0base +* Thu Dec 25 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.4-0base * Sun Dec 21 2008 Tom Eastep tom@shorewall.net - Updated to 4.2.4-0RC2 * Wed Dec 17 2008 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index a83a78290..7e920ddee 100755 --- a/Shorewall-common/uninstall.sh 
+++ b/Shorewall-common/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.2.4-RC3 +VERSION=4.2.5 usage() # $1 = exit status { diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index 09004007b..5b9c16407 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.2.4-RC3 +VERSION=4.2.5 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index c9ed6c1f0..b4dd7d4ba 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.2.4-RC3 +VERSION=4.2.5 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 8051a7bbd..3c8b91c74 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,6 +1,6 @@ %define name shorewall-lite -%define version 4.2.4 -%define release 0RC3 +%define version 4.2.5 +%define release 0base Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -98,26 +98,14 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog -* Sun Dec 28 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.4-0RC3 -* Sun Dec 21 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.4-0RC2 -* Wed Dec 17 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.4-0RC1 -* Tue Dec 16 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.4-0base -* Sat Dec 13 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.3-0base -* Fri Dec 12 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.2-0base -* Thu Dec 11 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.1-0base -* Thu Dec 11 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.1-0base -* Wed Dec 10 2008 Tom Eastep tom@shorewall.net -- Updated to 4.3.0-0base -* Wed Dec 10 2008 Tom Eastep tom@shorewall.net -- Updated to 2.3.0-0base +* Tue Jan 06 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.5-0base +* Thu Dec 25 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.4-0base +* Fri Dec 05 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.3-0base +* Wed Nov 05 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.2-0base * Wed Oct 08 2008 Tom Eastep tom@shorewall.net - Updated to 4.2.1-0base * Fri Oct 03 2008 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index 58a0417a7..24aa97d10 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.2.4-RC3 +VERSION=4.2.5 usage() # $1 = exit status { diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 2d7dfb6f5..f9b2aa1c6 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -240,6 +240,9 @@ our %interfacebcasts; our %interfaceacasts; our %interfacegateways; +# +# Built-in Chains +# our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING); # 
@@ -278,6 +281,8 @@ our %builtin_target = ( ACCEPT => 1,
 #
 sub initialize( $ ) {
+ $family = shift;
+
 %chain_table = ( raw => {} ,
 mangle => {},
 nat => {},
@@ -325,7 +330,6 @@ sub initialize( $ ) {
 %interfaceacasts = ();
 %interfacegateways = ();
- $family = shift;
 }
 INIT {
@@ -1039,17 +1043,17 @@ sub finish_chain_section ($$) {
 my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
 if ( $section eq 'DONE' ) {
 if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
- add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
+ add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
 }
 } else {
- add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
+ add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
 }
 }
 } else {
 my $policychainref = $filter_table->{$chainref->{policychain}};
 if ( $policychainref->{synparams} ) {
 my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
- add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
+ add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
 }
 }
 }
@@ -1063,9 +1067,7 @@ sub finish_chain_section ($$) {
 sub finish_section ( $ ) {
 my $sections = $_[0];
- for my $section ( split /,/, $sections ) {
- $sections{$section} = 1;
- }
+ $sections{$_} = 1 for split /,/, $sections;
 for my $zone ( all_zones ) {
 for my $zone1 ( all_zones ) {
@@ -1292,11 +1294,11 @@ sub do_proto( $$$ )
 my $options = '';
- if ( $ports ) {
- $options .= " --$_" for split /,/, $ports;
- } else {
- $options = $capabilities{OLD_IPP2P_MATCH} ? '--ipp2p' : '--edk --kazza --gnu --dc';
+ if ( $ports ne 'ipp2p' ) {
+ $options .= " --$_" for split /,/, $ports;
 }
+
+ $options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
 $output .= "${proto}-m ipp2p${options} ";
 } else {
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index 5df5a17d0..cfc59e867 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
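Review bot: The DEST PORT text is now turned into iptables options verbatim — `$options .= " --$_" for split /,/, $ports;` — with no check that each element is one of the ipp2p keywords, so a typo such as `edk,gnutella` compiles without complaint and is presumably only rejected by iptables-restore when the whole ruleset is loaded. Since the vocabulary is fixed, validating each name against a hash of the known ipp2p options and raising `fatal_error "Invalid ipp2p option ($_)"` at compile time would put the error where the mistake is; the enclosing `if` that selects the ipp2p branch starts above the hunk. The `--kazza` to `--kazaa` correction in the default list is a real fix; the release notes list the same four options in a different order, which iptables does not care about but could be aligned for readers who compare the two.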
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -940,7 +940,7 @@ sub compiler {
 initialize_chain_table;
 unless ( $command eq 'check' ) {
- create_temp_object( $objectfile );
+ create_temp_object( $objectfile , $export );
 generate_script_1;
 }
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 735c65787..6a09d4005 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -202,6 +202,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
 XCONNMARK_MATCH => 'Extended Connmark Match',
 RAW_TABLE => 'Raw Table',
 IPP2P_MATCH => 'IPP2P Match',
+ OLD_IPP2P_MATCH => 'Old IPP2P Match Syntax',
 CLASSIFY_TARGET => 'CLASSIFY Target',
 ENHANCED_REJECT => 'Extended Reject',
 KLUDGEFREE => 'Repeat match',
@@ -299,13 +300,16 @@ sub initialize( $ ) {
 LOGPARMS => '',
 TC_SCRIPT => '',
 EXPORT => 0,
- VERSION => "4.2.4",
+ VERSION => "4.2.5",
 CAPVERSION => 40205 ,
 );
+
 #
 # From shorewall.conf file
 #
 if ( $family == F_IPV4 ) {
+ $globals{PRODUCT} = 'shorewall';
+
 %config = ( STARTUP_ENABLED => undef,
 VERBOSITY => undef,
@@ -425,8 +429,9 @@ sub initialize( $ ) {
 NFLOG => 'NFLOG');
 } else {
 $globals{SHAREDIR} = '/usr/share/shorewall6';
- $globals{CONFDIR} = '/etc/shorewall6';
-
+ $globals{CONFDIR} = '/etc/shorewall6';
+ $globals{PRODUCT} = 'shorewall6';
+
 %config = ( STARTUP_ENABLED => undef,
 VERBOSITY => undef,
@@ -977,8 +982,8 @@ sub copy1( $ ) {
 # Create the temporary object file -- the passed file name is the name of the final file.
 # We create a temporary file in the same directory so that we can use rename to finalize it.
 #
-sub create_temp_object( $ ) {
- my $objectfile = $_[0];
+sub create_temp_object( $$ ) {
+ my ( $objectfile, $export ) = @_;
 my $suffix;
 eval {
@@ -993,10 +998,10 @@ sub create_temp_object( $ ) {
 fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
 fatal_error "$objectfile is a Directory" if -d _;
 fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
- fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq '';
+ fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if $export && "$file" eq $globals{PRODUCT} && $suffix eq '';
 eval {
- $dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=1385
+ $dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
 ( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
 };
@@ -1029,7 +1034,6 @@ sub create_temp_aux_config() {
 };
 die if $@;
-
 }
 #
@@ -1641,7 +1645,7 @@ sub load_kernel_modules( ) {
 my $uname = `uname -r`;
 fatal_error "The command 'uname -r' failed" unless $? == 0;
 chomp $uname;
- $modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter";
+ $modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
 }
 my @moduledirectories = split /:/, $modulesdir;
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index f980e5fd3..1cf17eaea 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -219,8 +219,11 @@ sub balance_fallback_route( $$$$ ) {
 }
 }
-sub start_provider( $$ ) {
- my ($table, $number ) = @_;
+sub start_provider( $$$ ) {
+ my ($table, $number, $test ) = @_;
+
+ emit $test;
+
 push_indent;
 emit "#\n# Add Provider $table ($number)\n#";
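Review bot: Narrowing the name check to `if $export && ...` means a non-export compile whose target is a plain file named `shorewall` (or `shorewall6`) is no longer refused; the checks just above only reject symlinks, directories and non-executable files, so an existing executable `/sbin/shorewall` passes them, and as far as this hunk and the comment on the function show, the temporary file created beside it would then be renamed over the CLI program. Unless there is a deliberate reason to allow that name for local compiles, I'd keep the guard unconditional: `fatal_error "A \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if "$file" eq $globals{PRODUCT} && $suffix eq '';`. The corrected ticket number in the Cwd workaround comment matches the release notes. create_temp_object begins and ends outside the hunk, so where `$file` and `$dir` are derived is not visible here.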
@@ -263,13 +266,9 @@ sub add_a_provider( $$$$$$$$ ) { fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared; $gateway = get_interface_gateway $interface; - emit qq(if interface_is_usable $interface && [ -n "$gateway" ]; then); - push_indent; - start_provider( $table, $number ); + start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ); } else { - emit "if interface_is_usable $interface; then"; - push_indent; - start_provider( $table, $number ); + start_provider( $table, $number, "if interface_is_usable $interface; then" ); if ( $gateway && $gateway ne '-' ) { validate_address $gateway, 0; @@ -279,6 +278,7 @@ sub add_a_provider( $$$$$$$$ ) { emit "run_ip route add default dev $interface table $number"; } } + my $val = 0; if ( $mark ne '-' ) { @@ -337,13 +337,14 @@ sub add_a_provider( $$$$$$$$ ) { warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes"; } else { $default = $1; + fatal_error 'fallback must be non-zero' unless $default; } } elsif ( $option eq 'fallback' ) { fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6; if ( $config{USE_DEFAULT_RT} ) { warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes"; } else { - $default = 1; + $default = -1; } } else { fatal_error "Invalid option ($option)"; 
@@ -409,7 +410,19 @@ sub add_a_provider( $$$$$$$$ ) {
 }
 balance_default_route $balance , $gateway, $interface, $realm if $balance;
- balance_fallback_route $default , $gateway, $interface, $realm if $default;
+
+ if ( $default > 0 ) {
+ balance_fallback_route $default , $gateway, $interface, $realm;
+ } elsif ( $default ) {
+ emit '';
+ if ( $gateway ) {
+ emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+ emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+ } else {
+ emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+ emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+ }
+ }
 if ( $loose ) {
 if ( $config{DELETE_THEN_ADD} ) {
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index 984b4afd2..345c40486 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@@ -71,10 +71,9 @@ sub setup_tunnels() {
 add_rule $outchainref, "-p 51 $dest -j ACCEPT";
 }
- add_rule $outchainref, "-p udp $dest --dport 500 $options";
-
 if ( $kind eq 'ipsec' ) {
- add_rule $inchainref, "-p udp $source --dport 500 $options";
+ add_rule $inchainref, "-p udp $source --dport 500 $options";
+ add_rule $outchainref, "-p udp $dest --dport 500 $options";
 } else {
 add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
 add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index 617cea445..c4502e0ac 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
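Review bot: The gateway branch of the new fallback route emits `dev $interface` twice — `... src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number)` — which iproute2 appears to tolerate (the last one wins) but reads like a copy-and-paste slip; the recorded undo command `qt ip route del default via $gateway table <DEFAULT_TABLE>` also omits the `metric $number` the add used, so it describes a different route than the one created and the `qt` wrapper would hide a mismatch at teardown. I'd drop the first `dev $interface`, add `metric $number` to both undo lines, and use the same verb (`replace` or `add`) in both branches so the two paths behave alike. I also cannot see `$address` being set anywhere in this hunk, and add_a_provider begins and ends outside it, so please confirm it is populated when the gateway came from 'detect'; otherwise the emitted route contains `src ` with no value.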
@@ -93,7 +93,7 @@ use constant { NOTHING => 'NOTHING',
 # }
 # parents => [ ] Parents, Children and interfaces are listed by name
 # children => [ ]
-# interfaces => [ ]
+# interfaces => { => 1, ... }
 # bridge =>
 # hosts { } => [ { => { ipsec => 'ipsec'|'none'
 # options => { =>
diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh
index 5b1e7564e..50273175d 100755
--- a/Shorewall-perl/install.sh
+++ b/Shorewall-perl/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall-perl/prog.functions6 b/Shorewall-perl/prog.functions6
index c5ecbbc94..0625701bb 100644
--- a/Shorewall-perl/prog.functions6
+++ b/Shorewall-perl/prog.functions6
@@ -178,13 +178,6 @@ debug_restore_input() {
 qt1 $IP6TABLES -t raw -P $chain ACCEPT
 done
- run_iptables -t nat -F
- run_iptables -t nat -X
-
- for chain in PREROUTING POSTROUTING OUTPUT; do
- qt1 $IP6TABLES -t nat -P $chain ACCEPT
- done
-
 qt1 $IP6TABLES -t filter -F
 qt1 $IP6TABLES -t filter -X
diff --git a/Shorewall-perl/prog.header b/Shorewall-perl/prog.header
index a029ab677..dc63e9ba3 100644
--- a/Shorewall-perl/prog.header
+++ b/Shorewall-perl/prog.header
@@ -1,6 +1,6 @@
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 1999-2008 - Tom Eastep (teastep@shorewall.net)
+# (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
 #
 # Options are:
 #
@@ -245,6 +245,7 @@ reload_kernel_modules() {
 moduledirectories=
 local moduleloader
 moduleloader=modprobe
+ local uname
 if ! qt mywhich modprobe; then
 moduleloader=insmod
@@ -252,7 +253,10 @@ reload_kernel_modules() {
 [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
- [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+ [ -z "$MODULESDIR" ] && \
+ uname=$(uname -r) && \
+ MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
 MODULES=$(lsmod | cut -d ' ' -f1)
 for directory in $(split $MODULESDIR); do
@@ -280,6 +284,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 moduleloader=modprobe
 local savemoduleinfo
 savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+ local uname
 if ! qt mywhich modprobe; then
 moduleloader=insmod
@@ -288,7 +293,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 [ -z "$MODULESDIR" ] && \
- MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+ uname=$(uname -r) && \
+ MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 for directory in $(split $MODULESDIR); do
 [ -d $directory ] && moduledirectories="$moduledirectories $directory"
diff --git a/Shorewall-perl/prog.header6 b/Shorewall-perl/prog.header6
index ac65002cf..239035cbc 100644
--- a/Shorewall-perl/prog.header6
+++ b/Shorewall-perl/prog.header6
@@ -1,6 +1,6 @@
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 1999-2008 - Tom Eastep (teastep@shorewall.net)
+# (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
 #
 # Options are:
 #
diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec
index 7cee2c0a7..ad4f1eb61 100644
--- a/Shorewall-perl/shorewall-perl.spec
+++ b/Shorewall-perl/shorewall-perl.spec
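Review bot: When `uname -r` fails here, `uname=$(uname -r) && MODULESDIR=...` leaves MODULESDIR empty and the generated firewall script carries on with no module directories and no message; because prog.header is copied into every compiled script, the `fatal_error` that Config.pm's load_kernel_modules performs at compile time does not protect the host that actually runs the script (presumably a Shorewall-lite export on a different machine). Add an explicit failure, e.g. `uname=$(uname -r) || { echo "ERROR: uname -r failed" >&2; return 1; }`, in both reload_kernel_modules and load_kernel_modules, whose definitions start above their hunks. As a readability point, `$uname` shadows the name of the command it was read from; `kernelrelease` would be clearer.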
@@ -1,6 +1,6 @@ %define name shorewall-perl -%define version 4.2.4 -%define release 0RC3 +%define version 4.2.5 +%define release 0base Summary: Shoreline Firewall Perl-based compiler. Name: %{name} @@ -62,8 +62,10 @@ rm -rf $RPM_BUILD_ROOT %doc COPYING releasenotes.txt %changelog -* Sun Dec 28 2008 Tom Eastep tom@shorewall.net -- Updated to 4.2.4-0RC3 +* Tue Jan 06 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.5-0base +* Thu Dec 25 2008 Tom Eastep tom@shorewall.net +- Updated to 4.2.4-0base * Sun Dec 21 2008 Tom Eastep tom@shorewall.net - Updated to 4.2.4-0RC2 * Wed Dec 17 2008 Tom Eastep tom@shorewall.net diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh index 8b0fb7d35..6569d71b8 100755 --- a/Shorewall-shell/install.sh +++ b/Shorewall-shell/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.2.4-RC3 +VERSION=4.2.5 usage() # $1 = exit status { diff --git a/Shorewall-shell/prog.header b/Shorewall-shell/prog.header index fb448c8aa..70f51d78d 100644 --- a/Shorewall-shell/prog.header +++ b/Shorewall-shell/prog.header @@ -4,7 +4,7 @@ # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # -# (c) 2006 - Tom Eastep (teastep@shorewall.net) +# (c) 2006 - 2009 - Tom Eastep (teastep@shorewall.net) # # # Options are: diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec index 45ba7602d..8b9f3db50 100644 --- a/Shorewall-shell/shorewall-shell.spec +++ b/Shorewall-shell/shorewall-shell.spec @@ -1,6 +1,6 @@ %define name shorewall-shell -%define version 4.2.4 -%define release 0RC3 +%define version 4.2.5 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} 
@@ -81,8 +81,10 @@ fi
 %doc COPYING INSTALL
 %changelog
-* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC3
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
 * Sun Dec 21 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0RC2
 * Wed Dec 17 2008 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6-lite/fallback.sh b/Shorewall6-lite/fallback.sh
index 09004007b..5b9c16407 100755
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/init.sh b/Shorewall6-lite/init.sh
index 17a01bb2e..1938a3cbb 100755
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -41,7 +41,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 # description: Packet filtering firewall
 ### BEGIN INIT INFO
-# Provides: shorewall6-lite
+# Provides: shorewall6
 # Required-Start: $network
 # Required-Stop:
 # Default-Start: 2 3 5
diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh
index 8e2603b44..b01a81efd 100755
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec
index 42c80e12e..1a7c62b0d 100644
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.2.4
-%define release 0RC3
+%define version 4.2.5
+%define release 0base
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
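Review bot: The LSB header of Shorewall6-lite/init.sh now declares `# Provides: shorewall6`, which is the facility name the full Shorewall6 package's init script would be expected to provide; with both packages installed, insserv/chkconfig then see two scripts claiming one facility and the boot ordering of anything that depends on it becomes ambiguous. If this is deliberate because shorewall6-lite is meant to stand in for shorewall6 on the same host, a comment above the header saying so would keep the next reader from reverting it; if it is not, the line should go back to `# Provides: shorewall6-lite`. The `RCDLINKS=` assignment and the rest of the script lie outside the hunk.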
@@ -89,8 +89,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
-* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC3
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
 * Sun Dec 21 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0RC2
 * Wed Dec 17 2008 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh
index 28190ec5a..dd10dc01a 100755
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/fallback.sh b/Shorewall6/fallback.sh
index 9867dadcf..795a5ab0b 100755
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index aa0e357b7..445cd4241 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base
index 3a6331508..9c3579e85 100644
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40203
+SHOREWALL_CAPVERSION=40205
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -716,6 +716,7 @@ determine_capabilities() {
 XCONNMARK_MATCH=
 RAW_TABLE=
 IPP2P_MATCH=
+ OLD_IPP2P_MATCH=
 LENGTH_MATCH=
 CLASSIFY_TARGET=
 ENHANCED_REJECT=
@@ -803,8 +804,12 @@ determine_capabilities() {
 qt $IP6TABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
 fi
- qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
- qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
+ qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
+ if [ -n "$IPP2P_MATCH" ]; then
+ qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
+ fi
+
+ qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
 qt $IP6TABLES -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes
 qt $IP6TABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
@@ -897,6 +902,7 @@ report_capabilities() {
 [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 report_capability "Raw Table" $RAW_TABLE
 report_capability "IPP2P Match" $IPP2P_MATCH
+ [ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 report_capability "CLASSIFY Target" $CLASSIFY_TARGET
 report_capability "Extended REJECT" $ENHANCED_REJECT
 report_capability "Repeat match" $KLUDGEFREE
@@ -949,6 +955,7 @@ report_capabilities1() {
 report_capability1 XCONNMARK_MATCH
 report_capability1 RAW_TABLE
 report_capability1 IPP2P_MATCH
+ report_capability1 OLD_IPP2P_MATCH
 report_capability1 CLASSIFY_TARGET
 report_capability1 ENHANCED_REJECT
 report_capability1 KLUDGEFREE
diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec
index d97a91077..cb20cc0be 100644
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.2.4
+%define version 4.2.5
 %define release 0base
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
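Review bot: The new `-m ipp2p --ipp2p` probe in determine_capabilities carries no comment saying what the second ipp2p test distinguishes, and a reader of the capabilities file will only see "Old IPP2P Match Syntax" with no explanation; given the changelog entry "Support for xtables-addons IPP2P", a line such as `# Probe the legacy --ipp2p option separately so the compiler knows which ipp2p syntax this kernel/ip6tables accepts` above the `if` would capture the intent, assuming that is the distinction being drawn. For style, the three-line `if` block could be the one-liner `[ -n "$IPP2P_MATCH" ] && qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes`, matching the guarded form the report_capabilities hunk uses and the neighbouring single-line probes. determine_capabilities begins and ends outside this hunk.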
@@ -140,6 +140,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.5-0base
 * Thu Dec 25 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0base
 * Sun Dec 21 2008 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh
index ef7265c21..e6dd3423d 100755
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 usage() # $1 = exit status
 {