Update trunk with branch/4.2 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9279 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-01-14 01:18:11 +00:00
parent 48b85c5353
commit 22ebcd8b6a
36 changed files with 313 additions and 204 deletions


@ -1,3 +1,44 @@
Changes in Shorewall 4.2.5
1) Add 'fallback' providers option.
2) Support for xtables-addons IPP2P.
3) Slow down startup some more by adding more modules and modules
search directories.
4) Fix 'shorewall6 debug start'
5) Added macro.Git.
Changes in Shorewall 4.2.4.6
1) Fix hosts exclusion in DNAT/REDIRECT.
2) Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
Changes in Shorewall 4.2.4.5
1) Fix critical hosts handling in Shorewall6.
Changes in Shorewall 4.2.4.4
1) Fix exclusion yet another time.
Changes in Shorewall 4.2.4.3
1) Fix exclusion again
Changes in Shorewall 4.2.4.2
1) Fix 'refresh'
Changes in Shorewall 4.2.4.1
1) Fix 'shorewall6 restore' etc.
2) Fix init scripts.
Changes in Shorewall 4.2.4-RC3
1) Fix exclusion handling with certain hosts options.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -256,6 +256,7 @@ reload_kernel_modules() {
moduledirectories=
local moduleloader
moduleloader=modprobe
local uname
if ! qt mywhich modprobe; then
moduleloader=insmod
@ -263,7 +264,11 @@ reload_kernel_modules() {
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
[ -z "$MODULESDIR" ] && \
uname=$(uname -r) && \
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
MODULES=$(lsmod | cut -d ' ' -f1)
for directory in $(split $MODULESDIR); do
@ -291,6 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
moduleloader=modprobe
local savemoduleinfo
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
local uname
if ! qt mywhich modprobe; then
moduleloader=insmod
@ -299,7 +305,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
uname=$(uname -r) && \
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
for directory in $(split $MODULESDIR); do
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@ -1250,7 +1257,7 @@ report_capabilities() {
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
report_capability "IPP2P Match" $IPP2P_MATCH
[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match" $OLD_IPP2P_MATCH
[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
report_capability "Extended REJECT" $ENHANCED_REJECT
report_capability "Repeat match" $KLUDGEFREE
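Review bot: The new `[ -z "$MODULESDIR" ] && uname=$(uname -r) && MODULESDIR=…` chain in reload_kernel_modules (and the matching one in load_kernel_modules further down) silently leaves MODULESDIR empty when `uname -r` fails, so the `for directory in $(split $MODULESDIR)` loop that follows has nothing to iterate, whereas the Perl side of this same commit aborts with `fatal_error "The command 'uname -r' failed"` at the equivalent spot. Rewriting the chain as an `if [ -z "$MODULESDIR" ]; then … fi` block in which the `uname=$(uname -r)` assignment is checked and reported on failure would keep the shell and Perl behaviour consistent. The same default-directory list is now repeated in both functions here, again in the Shorewall-lite copy of lib.common later in this commit, and once more in Config.pm; one shared helper or variable would keep those copies from drifting the next time a directory is added. A local named `uname` also reads as the command it wraps (the shell keeps variables and commands separate, so it works, but `kernel_release` would avoid the double take). Both functions start and end outside this hunk.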


@ -39,6 +39,7 @@ loadmodule xt_dscp
loadmodule xt_DSCP
loadmodule xt_hashlimit
loadmodule xt_helper
loadmodule xt_ipp2p
loadmodule xt_iprange
loadmodule xt_length
loadmodule xt_limit
@ -77,6 +78,20 @@ loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
#
# Ipset
#
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_ipporthash
loadmodule ip_set_iptree
loadmodule ip_set_iptreemap
loadmodule ip_set_macipmap
loadmodule ip_set_nethash
loadmodule ip_set_portmap
loadmodule ipt_SET
loadmodule ipt_set
#
# 2.6.20+ helpers
#
loadmodule nf_conntrack_ftp
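Review bot: The added ipset block starting at `loadmodule ip_set` repeats entries that are already present in the lines just above it: `ip_set_ipmap`, `ip_set_macipmap` and `ip_set_portmap` appear both in the context lines and in the new block, and the context suggests the earlier entries are a partial ipset list that this block was meant to replace rather than supplement. If loadmodule simply retries modprobe/insmod for an already-loaded module the duplicates are harmless but add noise to every startup; dropping the earlier entries (or the duplicates in the new block) leaves one authoritative list. The ip_set entries above the hunk are not visible here, so there may be further duplicates beyond the three listed.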


@ -1,4 +1,4 @@
Shorewall 4.2.4 RC3
Shorewall 4.2.5
----------------------------------------------------------------------------
R E L E A S E 4 . 2 H I G H L I G H T S
@ -27,32 +27,51 @@ Shorewall 4.2.4 RC3
- Perl 5.10 if you wish to use DNS names in your IPv6 config files.
In that case you will also have to install Perl Socket6 support.
Problems Corrected in 4.2.4 RC3
Problems corrected in 4.2.5
1) Previously, when exclusion was used in an entry in
/etc/shorewall/hosts, Shorewall-perl ignored the exclusion when
generating rules for the following OPTIONS in that entry:
1) If exclusion is used to define a zone in /etc/shorewall/hosts and
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
then Shorewall-perl can generated invalid iptables-restore input.
blacklist
maclist
norfc1918
tcpflags
2) A bug in the Perl Cwd module (see
http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
Shorewall-perl compiler to fail if it doesn't have at least read
access to its current working directory. 4.2.5 contains a
workaround.
2) Shorewall-perl previously promoted all exclusion in the
/etc/shorewall/hosts file to the zone level. That meant that
all traffic to/from the zone passed through exclusion rules
rather than only the traffic matching a hosts records that
specified exclusion.
3) If 'critical' was specified on an entry in
/etc/shorewall/routestopped, Shorewall6 (Shorewall-perl) would
generate an error.
Example /etc/shorewall/hosts:
4) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate incorrect iptables-restore input.
z eth0:192.168.4.0/24
z eth1:10.0.0.0/24!10.0.0.99
5) In certain cases where exclusion occurred in /etc/shorewall/hosts,
Shorewall-perl would generate invalid iptables-restore input.
Traffic entering eth0 from network 192.168.4.0/24 would still
be checked for '!10.0.0.99'.
6) The 'shorewall6 refresh' command runs iptables_restore rather than
ip6tables_restore.
This has been corrected.
7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
'shorewall6 restore' were previously broken.
8) The Debian init script was checking $startup in
/etc/default/shorewall rather than in /etc/default/shorweall6
9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
unconverted Shorewall scripts.
10) When 'detect' is used in the GATEWAY column of
/etc/shorewall/providers, Shorewall-perl now ensures that the
gateway was successfully detected. If the gateway cannot be
detected, action is taken depending on whether the provider is
'optional' or not. If the provider is optional, it's configuration
is skipped; if the provider is not optional, the current operation
is aborted.
11) The command 'shorewall6 debug start' would previously fail with
ERROR: Command "/sbin/ip6tables -t nat -F" Failed
Known Problems Remaiining:
@ -65,100 +84,74 @@ Known Problems Remaiining:
norfc1918
tcpflags
New Features in Shorewall 4.2.4.
New Feature in Shorewall 4.2.5
1) Two new packages are included:
1) A new 'fallback' option is added in
/etc/shorewall/providers. The option works similar to 'balance'
except that the default route is added in the default routing table
(253) rather than in the main table (254).
a) Shorewall6 - analagous to Shorewall-common but handles IPv6
rather than IPv4.
The option can be used by itself or followed by =<number> (e.g,
fallback=2).
b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6
rather than IPv4.
When the option is used by itself, a separate (not balanced)
default route is added with a metric equal to the provider's NUMBER.
The packages store their configurations in /etc/shorewall6/ and
/etc/shorewall6-lite/ respectively.
When the option is used with a number, a balanced route is added
with the weight set to the specified number.
The fact that the packages are separate from their IPv4 counterparts
means that you control IPv4 and IPv6 traffic separately (the same
way that Netfilter does). Starting/Stopping the firewall for one
address family has no effect on the other address family.
'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
is only available with Shorewall-perl.
For additional information, see
http://www.shorewall.net/IPV6Support.html.
'fallback' is useful in situations where:
Other features of Shorewall6 are:
- You want all traffic to be sent via one primary provider unless
there is a compelling reason to use a different provider
a) There is no NAT of any kind (most people see this as a giant step
forward). When an ISP assigns you a public IPv6 address, you are
actually assigned an IPv6 'prefix' which is like an IPv4
subnet. A 64-bit prefix allows 4 billion squared individual hosts
(the size of the current IPv4 address space squared).
- If the primary provider is down, then you want to balance the
outgoing traffic among a set of other providers or to a
ordered list of providers.
b) The default zone type is ipv6.
In this case:
c) The currently-supported interface options in Shorewall6 are:
- Do not specify 'balance' on any of the providers.
- Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
- Specify 'fallback' on those providers that you want to use if
the primary is down.
- Only the primary provider should have a default route in the main
routing table.
blacklist
bridge
dhcp
nosmurfs (traps multicast and Subnet-router anycast addresses
used as the packet source address).
optional
routeback
sourceroute
tcpflags
mss
forward (setting it to 0 makes the router behave like a host
on that interface rather than like a router).
See http://www.shorewall.net/MultiISP.html#Complete for an example
of this option's use.
d) The currently-supported host options in Shorewall6 are:
2) Shorewall-perl now transparently handles the xtables-addon version
of ipp2p. Shorewall detects whether the installed ipp2p is from
patch-o-matic-ng or from xtables-addon and proceeds accordingly.
blacklist
routeback
tcpflags
If the patch-o-matic-ng version is installed:
e) Traffic Shaping is disabled by default. The tcdevices and
tcclasses files are address-family independent so
to use the Shorewall builtin Traffic Shaper, TC_ENABLED=Internal
should be specified in Shorewall or in Shorewall6 but not in
both. In the configuration where the internal traffic shaper is
not enabled, CLEAR_TC=No should be specified.
a) If no DEST PORT is supplied, the default is "--ipp2p".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--ipp2p".
tcfilters are not available in Shorewall6.
If the xtables-addons version is installed:
f) When both an interface and an address or address list need to
be specified in a rule, the address or list must be enclosed in
angle brackets. Example:
a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
--kazaa".
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
iptables-restore as "--edk --gnu --dc --kazaa".
#ACTION SOURCE DEST
ACCEPT net:eth0:<2001:19f0:feee::dead:beef:cafe> dmz
Shorewall-perl now also accepts a comma-separated list of options
(e.g., "edk,gnu,dc,kazaa).
Note that this includes MAC addresses as well as IPv6 addresses.
Additionally, Shorewall now looks for modules in /lib/modules/$(uname
-r)/extra and in /lib/modules/$(uname -r)/extra/ipset
The HOSTS column in /etc/shorewall6/hosts also uses this
convention:
This change introduced a new capability ("Old IPP2P Match Syntax")
so if you use a capabilities file, be sure to re-generate the
file(s) after you have installed 4.2.5.
#ZONE HOSTS OPTIONS
chat6 eth0:<2001:19f0:feee::dead:beef:cafe>
Even when an interface is not specified, it is permitted to
enclose addresses in <> to improve readability. Example:
#ACTION SOURCE DEST
ACCEPT net:<2001:1::1> $FW
g) The options available in shorewall6.conf are a subset of those
available in shorewall.conf.
h) The Socket6.pm Perl module is required if you include DNS names
in your Shorewall6 configuration. Note that it is loaded the
first time that a DNS name is encountered so if it is missing,
you get a message similar to this one:
...
Checking /etc/shorewall6/rules...
Can't locate Socket6.pm in @INC (@INC contains: /root ...
teastep@ursa:~/Configs/standalone6$
3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).
Migration Issues.
@ -1307,3 +1300,34 @@ Other changes in Shorewall 4.2.3
shorewall reset chain1 chain2 ...
shorewall-lite reset chain1 chain2 ...
Problems Corrected in 4.2.4
1) Previously, when exclusion was used in an entry in
/etc/shorewall/hosts, Shorewall-perl ignored the exclusion when
generating rules for the following OPTIONS in that entry:
blacklist
maclist
norfc1918
tcpflags
2) Shorewall-perl previously promoted all exclusion in the
/etc/shorewall/hosts file to the zone level. That meant that
all traffic to/from the zone passed through exclusion rules
rather than only the traffic matching a hosts records that
specified exclusion.
Example /etc/shorewall/hosts:
z eth0:192.168.4.0/24
z eth1:10.0.0.0/24!10.0.0.99
Traffic entering eth0 from network 192.168.4.0/24 would still
be checked for '!10.0.0.99'.
This has been corrected.
Other changes in 4.2.4
1) Support for IPv6 was added -- see above.


@ -1,6 +1,6 @@
%define name shorewall-common
%define version 4.2.4
%define release 0RC3
%define version 4.2.5
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@ -175,8 +175,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC3
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC2
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall-lite
%define version 4.2.4
%define release 0RC3
%define version 4.2.5
%define release 0base
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name}
@ -98,26 +98,14 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC3
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC2
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC1
* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.4-0base
* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.3-0base
* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.2-0base
* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.1-0base
* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.1-0base
* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.0-0base
* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
- Updated to 2.3.0-0base
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.3-0base
* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.2-0base
* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.1-0base
* Fri Oct 03 2008 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -240,6 +240,9 @@ our %interfacebcasts;
our %interfaceacasts;
our %interfacegateways;
#
# Built-in Chains
#
our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
#
@ -278,6 +281,8 @@ our %builtin_target = ( ACCEPT => 1,
#
sub initialize( $ ) {
$family = shift;
%chain_table = ( raw => {} ,
mangle => {},
nat => {},
@ -325,7 +330,6 @@ sub initialize( $ ) {
%interfaceacasts = ();
%interfacegateways = ();
$family = shift;
}
INIT {
@ -1039,17 +1043,17 @@ sub finish_chain_section ($$) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
} else {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
} else {
my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
}
}
}
@ -1063,9 +1067,7 @@ sub finish_chain_section ($$) {
sub finish_section ( $ ) {
my $sections = $_[0];
for my $section ( split /,/, $sections ) {
$sections{$section} = 1;
}
$sections{$_} = 1 for split /,/, $sections;
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
@ -1292,12 +1294,12 @@ sub do_proto( $$$ )
my $options = '';
if ( $ports ) {
if ( $ports ne 'ipp2p' ) {
$options .= " --$_" for split /,/, $ports;
} else {
$options = $capabilities{OLD_IPP2P_MATCH} ? '--ipp2p' : '--edk --kazza --gnu --dc';
}
$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
$output .= "${proto}-m ipp2p${options} ";
} else {
fatal_error "Invalid/Unknown protocol ($proto)"
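Review bot: The new `$options .= " --$_" for split /,/, $ports;` in do_proto passes every comma-separated token from the rules file to iptables-restore as `--<token>` without checking it, so a misspelled protocol name is only reported at restore time, and a token that is not a plain word reaches the generated rule text unchanged. Validating the column before the loop, e.g. `fatal_error "Invalid ipp2p option ($ports)" unless $ports =~ /^\w+(,\w+)*$/;`, reports the error at compile time in the same style as the `fatal_error "Invalid/Unknown protocol ($proto)"` branch just below. Whether the patch-o-matic-ng ipp2p accepts the per-protocol options this path now emits when OLD_IPP2P_MATCH is set and a list is given cannot be told from the hunk; if it does not, the list form should also be rejected in that case. do_proto begins and ends outside this hunk.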


@ -940,7 +940,7 @@ sub compiler {
initialize_chain_table;
unless ( $command eq 'check' ) {
create_temp_object( $objectfile );
create_temp_object( $objectfile , $export );
generate_script_1;
}


@ -202,6 +202,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
XCONNMARK_MATCH => 'Extended Connmark Match',
RAW_TABLE => 'Raw Table',
IPP2P_MATCH => 'IPP2P Match',
OLD_IPP2P_MATCH => 'Old IPP2P Match Syntax',
CLASSIFY_TARGET => 'CLASSIFY Target',
ENHANCED_REJECT => 'Extended Reject',
KLUDGEFREE => 'Repeat match',
@ -299,13 +300,16 @@ sub initialize( $ ) {
LOGPARMS => '',
TC_SCRIPT => '',
EXPORT => 0,
VERSION => "4.2.4",
VERSION => "4.2.5",
CAPVERSION => 40205 ,
);
#
# From shorewall.conf file
#
if ( $family == F_IPV4 ) {
$globals{PRODUCT} = 'shorewall';
%config =
( STARTUP_ENABLED => undef,
VERBOSITY => undef,
@ -426,6 +430,7 @@ sub initialize( $ ) {
} else {
$globals{SHAREDIR} = '/usr/share/shorewall6';
$globals{CONFDIR} = '/etc/shorewall6';
$globals{PRODUCT} = 'shorewall6';
%config =
( STARTUP_ENABLED => undef,
@ -977,8 +982,8 @@ sub copy1( $ ) {
# Create the temporary object file -- the passed file name is the name of the final file.
# We create a temporary file in the same directory so that we can use rename to finalize it.
#
sub create_temp_object( $ ) {
my $objectfile = $_[0];
sub create_temp_object( $$ ) {
my ( $objectfile, $export ) = @_;
my $suffix;
eval {
@ -993,10 +998,10 @@ sub create_temp_object( $ ) {
fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
fatal_error "$objectfile is a Directory" if -d _;
fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq '';
fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if $export && "$file" eq $globals{PRODUCT} && $suffix eq '';
eval {
$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=1385
$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
};
@ -1029,7 +1034,6 @@ sub create_temp_aux_config() {
};
die if $@;
}
#
@ -1641,7 +1645,7 @@ sub load_kernel_modules( ) {
my $uname = `uname -r`;
fatal_error "The command 'uname -r' failed" unless $? == 0;
chomp $uname;
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter";
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
}
my @moduledirectories = split /:/, $modulesdir;
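Review bot: The rewritten check at `fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'"` is now conditioned on `$export`, so a non-export compile to a file named `shorewall` (or `shorewall6`) with no suffix, which the removed line rejected unconditionally, is now accepted. If the original guard existed to keep a compiled script from overwriting the product's own command script, the `$export &&` qualifier narrows it; if it was only ever meant for the export case the new message says so, but a one-line comment above the check stating which is intended would stop the next reader from re-raising this. The only visible caller, Compiler.pm, passes `$export` as the new second argument; any other caller of create_temp_object outside this diff would now fail the `( $$ )` prototype at compile time. create_temp_object continues beyond this hunk.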


@ -219,8 +219,11 @@ sub balance_fallback_route( $$$$ ) {
}
}
sub start_provider( $$ ) {
my ($table, $number ) = @_;
sub start_provider( $$$ ) {
my ($table, $number, $test ) = @_;
emit $test;
push_indent;
emit "#\n# Add Provider $table ($number)\n#";
@ -263,13 +266,9 @@ sub add_a_provider( $$$$$$$$ ) {
fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
$gateway = get_interface_gateway $interface;
emit qq(if interface_is_usable $interface && [ -n "$gateway" ]; then);
push_indent;
start_provider( $table, $number );
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
} else {
emit "if interface_is_usable $interface; then";
push_indent;
start_provider( $table, $number );
start_provider( $table, $number, "if interface_is_usable $interface; then" );
if ( $gateway && $gateway ne '-' ) {
validate_address $gateway, 0;
@ -279,6 +278,7 @@ sub add_a_provider( $$$$$$$$ ) {
emit "run_ip route add default dev $interface table $number";
}
}
my $val = 0;
if ( $mark ne '-' ) {
@ -337,13 +337,14 @@ sub add_a_provider( $$$$$$$$ ) {
warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
} else {
$default = $1;
fatal_error 'fallback must be non-zero' unless $default;
}
} elsif ( $option eq 'fallback' ) {
fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
if ( $config{USE_DEFAULT_RT} ) {
warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
} else {
$default = 1;
$default = -1;
}
} else {
fatal_error "Invalid option ($option)";
@ -409,7 +410,19 @@ sub add_a_provider( $$$$$$$$ ) {
}
balance_default_route $balance , $gateway, $interface, $realm if $balance;
balance_fallback_route $default , $gateway, $interface, $realm if $default;
if ( $default > 0 ) {
balance_fallback_route $default , $gateway, $interface, $realm;
} elsif ( $default ) {
emit '';
if ( $gateway ) {
emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
} else {
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
}
}
if ( $loose ) {
if ( $config{DELETE_THEN_ADD} ) {
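Review bot: The fallback route emitted at `emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);` names `dev $interface` twice, once before `table` and once after; the dev-only branch below gives it once, so the second occurrence looks like a leftover and the line should end `… table ) . DEFAULT_TABLE . qq( metric $number);`. The two branches also differ in verb, `route replace` with a gateway versus `route add` without one; if that asymmetry is deliberate a short comment would help, since a pre-existing default in the default table that `replace` displaces is not restored by the undo_routing entry written on the next line. The `$default = -1` sentinel set earlier in this section for a bare 'fallback' is what selects the `elsif ( $default )` branch, which is worth a comment next to the `-1` assignment. add_a_provider extends well beyond this hunk.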


@ -71,10 +71,9 @@ sub setup_tunnels() {
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
}
add_rule $outchainref, "-p udp $dest --dport 500 $options";
if ( $kind eq 'ipsec' ) {
add_rule $inchainref, "-p udp $source --dport 500 $options";
add_rule $outchainref, "-p udp $dest --dport 500 $options";
} else {
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";


@ -93,7 +93,7 @@ use constant { NOTHING => 'NOTHING',
# }
# parents => [ <parents> ] Parents, Children and interfaces are listed by name
# children => [ <children> ]
# interfaces => [ <interfaces> ]
# interfaces => { <interfaces1> => 1, ... }
# bridge => <bridge>
# hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none'
# options => { <option1> => <value1>


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -178,13 +178,6 @@ debug_restore_input() {
qt1 $IP6TABLES -t raw -P $chain ACCEPT
done
run_iptables -t nat -F
run_iptables -t nat -X
for chain in PREROUTING POSTROUTING OUTPUT; do
qt1 $IP6TABLES -t nat -P $chain ACCEPT
done
qt1 $IP6TABLES -t filter -F
qt1 $IP6TABLES -t filter -X


@ -1,6 +1,6 @@
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999-2008 - Tom Eastep (teastep@shorewall.net)
# (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
#
# Options are:
#
@ -245,6 +245,7 @@ reload_kernel_modules() {
moduledirectories=
local moduleloader
moduleloader=modprobe
local uname
if ! qt mywhich modprobe; then
moduleloader=insmod
@ -252,7 +253,10 @@ reload_kernel_modules() {
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
[ -z "$MODULESDIR" ] && \
uname=$(uname -r) && \
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
MODULES=$(lsmod | cut -d ' ' -f1)
for directory in $(split $MODULESDIR); do
@ -280,6 +284,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
moduleloader=modprobe
local savemoduleinfo
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
local uname
if ! qt mywhich modprobe; then
moduleloader=insmod
@ -288,7 +293,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
[ -z "$MODULESDIR" ] && \
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
uname=$(uname -r) && \
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
for directory in $(split $MODULESDIR); do
[ -d $directory ] && moduledirectories="$moduledirectories $directory"


@ -1,6 +1,6 @@
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999-2008 - Tom Eastep (teastep@shorewall.net)
# (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
#
# Options are:
#


@ -1,6 +1,6 @@
%define name shorewall-perl
%define version 4.2.4
%define release 0RC3
%define version 4.2.5
%define release 0base
Summary: Shoreline Firewall Perl-based compiler.
Name: %{name}
@ -62,8 +62,10 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING releasenotes.txt
%changelog
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC3
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC2
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -4,7 +4,7 @@
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
# (c) 2006 - 2009 - Tom Eastep (teastep@shorewall.net)
#
#
# Options are:


@ -1,6 +1,6 @@
%define name shorewall-shell
%define version 4.2.4
%define release 0RC3
%define version 4.2.5
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@ -81,8 +81,10 @@ fi
%doc COPYING INSTALL
%changelog
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC3
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC2
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -41,7 +41,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
# description: Packet filtering firewall
### BEGIN INIT INFO
# Provides: shorewall6-lite
# Provides: shorewall6
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 5


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall6-lite
%define version 4.2.4
%define release 0RC3
%define version 4.2.5
%define release 0base
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -89,8 +89,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC3
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC2
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{


@ -33,7 +33,7 @@
#
SHOREWALL_LIBVERSION=40300
SHOREWALL_CAPVERSION=40203
SHOREWALL_CAPVERSION=40205
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@ -716,6 +716,7 @@ determine_capabilities() {
XCONNMARK_MATCH=
RAW_TABLE=
IPP2P_MATCH=
OLD_IPP2P_MATCH=
LENGTH_MATCH=
CLASSIFY_TARGET=
ENHANCED_REJECT=
@ -804,6 +805,10 @@ determine_capabilities() {
fi
qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
if [ -n "$IPP2P_MATCH" ]; then
qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
fi
qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
qt $IP6TABLES -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes
@ -897,6 +902,7 @@ report_capabilities() {
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE
report_capability "IPP2P Match" $IPP2P_MATCH
[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
report_capability "Extended REJECT" $ENHANCED_REJECT
report_capability "Repeat match" $KLUDGEFREE
@ -949,6 +955,7 @@ report_capabilities1() {
report_capability1 XCONNMARK_MATCH
report_capability1 RAW_TABLE
report_capability1 IPP2P_MATCH
report_capability1 OLD_IPP2P_MATCH
report_capability1 CLASSIFY_TARGET
report_capability1 ENHANCED_REJECT
report_capability1 KLUDGEFREE
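Review bot: The new OLD_IPP2P_MATCH probe at `qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT` distinguishes the two ipp2p implementations only by the older one accepting `--ipp2p`, and nothing in determine_capabilities records that assumption. A comment next to the probe such as `# patch-o-matic-ng ipp2p accepts --ipp2p; xtables-addons ipp2p is expected to reject it and take per-protocol options (--edk, --gnu, ...) only` would make the intent clear, and also flags that if a later xtables-addons build accepted `--ipp2p` as an alias the capability would be misdetected and the compiler would emit the old syntax. The probe is gated on IPP2P_MATCH, which itself depends on `--edk` being accepted by whichever version is installed; whether the older match accepts `--edk` cannot be told from this page, so that is worth confirming. The SHOREWALL_CAPVERSION bump to 40205 here matches CAPVERSION in Config.pm in this same commit, which the release notes' request to regenerate capabilities files relies on; determine_capabilities starts and ends outside the hunk.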


@ -1,5 +1,5 @@
%define name shorewall6
%define version 4.2.4
%define version 4.2.5
%define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@ -140,6 +140,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.2.4-RC3
VERSION=4.2.5
usage() # $1 = exit status
{