extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-03-10 12:28:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Initial 4.3.7 changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9572 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-03-01 19:46:30 +00:00
parent c6f1cb605d
commit 2883479e53
24 changed files with 82 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-lite/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

2
Shorewall-lite/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

4
Shorewall-lite/shorewall-lite.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-lite
%define version 4.3.6
%define version 4.3.7
%define release 0base
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,6 +98,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.7-0base
* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Sun Feb 22 2009 Tom Eastep tom@shorewall.net

2
Shorewall-lite/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

2
Shorewall/Makefile
View File

@ -1,7 +1,7 @@
# Shorewall Makefile to restart if config-files are newer than last restart
VARDIR=$(shell /sbin/shorewall show vardir)
CONFDIR=/etc/shorewall
RESTOREFILE?=.restore
RESTOREFILE?=firewall
all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*

4
Shorewall/Shorewall/Compiler.pm
View File

@ -43,7 +43,7 @@ use Shorewall::Raw;
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
our @EXPORT_OK = qw( $export );
our $VERSION = 4.2.6;
our $VERSION = 4.3.7;
our $export;
@ -763,7 +763,7 @@ EOF
run_started_exit
fi
[ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
[ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
fi
date > ${VARDIR}/restarted

2
Shorewall/Shorewall/Config.pm
View File

@ -317,7 +317,7 @@ sub initialize( $ ) {
TC_SCRIPT => '',
EXPORT => 0,
UNTRACKED => 0,
VERSION => "4.3.6",
VERSION => "4.3.7",
CAPVERSION => 40205 ,
);

2
Shorewall/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

6
Shorewall/lib.cli
View File

@ -289,9 +289,9 @@ save_config() {
if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
echo " Dynamic Rules Saved"
if [ -f ${VARDIR}/.restore ]; then
if [ -f ${VARDIR}/firewall ]; then
if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
cp -f ${VARDIR}/.restore $RESTOREPATH
cp -f ${VARDIR}/firewall $RESTOREPATH
mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
@ -340,7 +340,7 @@ save_config() {
echo " ERROR: Currently-running Configuration Not Saved" >&2
fi
else
echo " ERROR: ${VARDIR}/.restore does not exist" >&2
echo " ERROR: ${VARDIR}/firewall does not exist" >&2
fi
else
echo "Error Saving the Dynamic Rules" >&2

116
Shorewall/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 4.3.6
Shorewall 4.3.7
Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
released late in 2009.
@ -18,98 +18,50 @@ released late in 2009.
that cause new connections to use the same provider as an existing
connection of the same kind.
4) Shorewall now supports NOTRACK rules (this feature will also be
released in Shorewall 4.2.7).
----------------------------------------------------------------------------
M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
Problems corrected in 4.3.6
1) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
'shorewall6 clear' commands no longer read the 'routestopped'
file. The 'routestopped' file used is the one that was present at
the last 'start', 'restart' or 'restore' command.
1) The shorewall6 dump command now correctly displays the installed
Shorewall version.
2) Previously, the 'start' command set the permission flags on
/var/lib/shorewall*/state so that it could be read by
non-root users while the 'stop' command set the permissions such
that the file could not be read by those users.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 7
----------------------------------------------------------------------------
Beginning with 4.3.6, both commands will secure the file for
root-only access. If you want the file to be world-readable, then
add
1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2
and 4.3 versions.
chmod 744 /var/lib/shorewall*/state
The problem:
To your /etc/shorewall*/started, /etc/shorewall*/stopped and
/etc/shorewall*/restored files.
a) Only occurs when there are more than one non-firewall zone.
b) Results in the following interface options not being applied to
forwarded traffic.
3) If nets=(<single address>) was specified in
/etc/shorewall/interfaces then the specification was ignored.
4) Shorewall6 compilation failed with this error:
ERROR: Unable to open /usr/share/shorewall6/prog.header6:
No such file or directory
Known Problems Remaiining:
blacklist
dhcp
maclist (when MACLIST_TABLE=filter)
norfc1918
nosmurfs
tcpflags
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
New Features in Shorewall 4.3.6
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 3 . 6
----------------------------------------------------------------------------
1) To allow bypassing of connection tracking for certain traffic,
/etc/shorewall/notrack and /etc/shorewall6/notrack files have been
added.
None.
Columns in the file are:
SOURCE - <zone>[:<interface>][:<address list>]
DEST - [<address list>]
PROTO - <protocol name or number>
DEST PORT(S) - <port number list>
SOURCE PORT(S) - <port number list>
USER/GROUP - [<user>][:<group>]
May only be specified if the SOURCE <zone> is $FW.
Traffic that matches all given criteria will not be subject to
connection tracking. For such traffic, your policies and/or rules
must deal with ALL of the packets involved, in both the original
and the opposite directions. All untracked traffic is passed
through the relevant rules in the NEW section of the rules
file. Untracked encapsulated tunnel traffic can be handled by
entries in /etc/shorewall/tunnels just like tracked traffic
is. Because every packet of an untracked connection must pass
through the NEW section rules, it is suggested that rules that deal
with untracked traffic should appear at the top of the file.
Example:
/etc/shorewall/tunnels:
#TYPE ZONE GATEWAY
6to4 net
/etc/shorewall/notrack
#SOURCE DEST PROTO DEST SOURCE USER/
# PORT(S) PORT(S) GROUP
net:!192.88.99.1 - 41
Given that 192.88.99.1 is an anycast address, many hosts can
respond to outward traffic to that address. The entry in
/etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
/etc/shorewall/notrack prevents the inbound traffic from creating
additional useless conntrack entries.
As part of this change, the 'show' command is enhanced to support a
'show raw' command that is an alias for 'show -t raw'. The raw
table is where NOTRACK rules are created. The dump command is also
enhanced to display the contents of the raw table.
New Features in Shorewall 4.3
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
----------------------------------------------------------------------------
1) The Shorewall packaging has been completely revamped in Shorewall
4.3.

10
Shorewall/shorewall
View File

@ -767,9 +767,9 @@ restart_command() {
logger -p kern.err "ERROR:Shorewall restart failed"
fi
else
[ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found"
[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
[ -n "$nolock" ] || mutex_on
$SHOREWALL_SHELL ${VARDIR}/.restore $debugging restart
$SHOREWALL_SHELL ${VARDIR}/firewall $debugging restart
rc=$?
[ -n "$nolock" ] || mutex_off
fi
@ -1540,7 +1540,11 @@ export PRODUCT="Shorewall"
[ -n "${VARDIR:=/var/lib/shorewall}" ]
FIREWALL=${VARDIR}/.restore
if [ ! -f ${VARDIR}/firewall ]; then
[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
fi
FIREWALL=${VARDIR}/firewall
LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
VERSION_FILE=$SHAREDIR/version
REFRESHCHAINS=

4
Shorewall/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 4.3.6
%define version 4.3.7
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -174,6 +174,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable
%changelog
* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.7-0base
* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Sun Feb 22 2009 Tom Eastep tom@shorewall.net

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

2
Shorewall6-lite/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

2
Shorewall6-lite/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

4
Shorewall6-lite/shorewall6-lite.spec
View File

@ -1,5 +1,5 @@
%define name shorewall6-lite
%define version 4.3.6
%define version 4.3.7
%define release 0base
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@ -89,6 +89,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.7-0base
* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Sun Feb 22 2009 Tom Eastep tom@shorewall.net

2
Shorewall6-lite/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

2
Shorewall6/Makefile
View File

@ -1,7 +1,7 @@
# Shorewall6 Makefile to restart if config-files are newer than last restart
VARDIR=$(shell /sbin/shorewall6 show vardir)
CONFDIR=/etc/shorewall6
RESTOREFILE?=.restore
RESTOREFILE?=firewall
all: $(VARDIR)/${RESTOREFILE}
$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*

2
Shorewall6/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

2
Shorewall6/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{

6
Shorewall6/lib.cli
View File

@ -270,9 +270,9 @@ save_config() {
if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
echo " Dynamic Rules Saved"
if [ -f ${VARDIR}/.restore ]; then
if [ -f ${VARDIR}/firewall ]; then
if $iptables_save > ${VARDIR}/restore-$$; then
cp -f ${VARDIR}/.restore $RESTOREPATH
cp -f ${VARDIR}/firewall $RESTOREPATH
mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
chmod +x $RESTOREPATH
echo " Currently-running Configuration Saved to $RESTOREPATH"
@ -282,7 +282,7 @@ save_config() {
echo " ERROR: Currently-running Configuration Not Saved" >&2
fi
else
echo " ERROR: ${VARDIR}/.restore does not exist" >&2
echo " ERROR: ${VARDIR}/firewall does not exist" >&2
fi
else
echo "Error Saving the Dynamic Rules" >&2

10
Shorewall6/shorewall6
View File

@ -744,9 +744,9 @@ restart_command() {
logger -p kern.err "ERROR:Shorewall6 restart failed"
fi
else
[ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found"
[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
[ -n "$nolock" ] || mutex_on
$SHOREWALL_SHELL ${VARDIR}/.restore $debugging restart
$SHOREWALL_SHELL ${VARDIR}/firewall $debugging restart
rc=$?
[ -n "$nolock" ] || mutex_off
fi
@ -1524,7 +1524,11 @@ export PRODUCT="Shorewall6"
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
FIREWALL=${VARDIR}/.restore
if [ ! -f ${VARDIR}/firewall ]; then
[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
fi
FIREWALL=${VARDIR}/firewall
LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
VERSION_FILE=$SHAREDIR/version
REFRESHCHAINS=

4
Shorewall6/shorewall6.spec
View File

@ -1,5 +1,5 @@
%define name shorewall6
%define version 4.3.6
%define version 4.3.7
%define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@ -144,6 +144,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.7-0base
* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
* Sun Feb 22 2009 Tom Eastep tom@shorewall.net

2
Shorewall6/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.3.6
VERSION=4.3.7
usage() # $1 = exit status
{