Initial 4.3.7 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9572 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-26 12:42:40 +02:00 · 2009-03-01 19:46:30 +00:00 · 2009-03-01 19:46:30 +00:00 · 2883479e53
commit 2883479e53
parent c6f1cb605d
24 changed files with 82 additions and 114 deletions
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.3.6
+%define version 4.3.7
 %define release 0base
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,6 +98,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Sun Mar 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@ -1,7 +1,7 @@
 # Shorewall Makefile to restart if config-files are newer than last restart
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
-RESTOREFILE?=.restore
+RESTOREFILE?=firewall
 all: $(VARDIR)/${RESTOREFILE}
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
--- a/Shorewall/Shorewall/Compiler.pm
+++ b/Shorewall/Shorewall/Compiler.pm
@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 4.2.6;
+our $VERSION = 4.3.7;
 our $export;
@ -763,7 +763,7 @@ EOF
        run_started_exit
    fi
-    [ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore
+    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 date > ${VARDIR}/restarted
--- a/Shorewall/Shorewall/Config.pm
+++ b/Shorewall/Shorewall/Config.pm
@ -317,7 +317,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.3.6",
+		    VERSION => "4.3.7",
 		    CAPVERSION => 40205 ,
 		  );
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@ -289,9 +289,9 @@ save_config() {
 		    if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
 			echo "   Dynamic Rules Saved"
-			if [ -f ${VARDIR}/.restore ]; then
+			if [ -f ${VARDIR}/firewall ]; then
 			    if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
-				cp -f ${VARDIR}/.restore $RESTOREPATH
+				cp -f ${VARDIR}/firewall $RESTOREPATH
 				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 				chmod +x $RESTOREPATH
 				echo "   Currently-running Configuration Saved to $RESTOREPATH"
@ -340,7 +340,7 @@ save_config() {
 				echo "   ERROR: Currently-running Configuration Not Saved" >&2
 			    fi
 			else
-			    echo "   ERROR: ${VARDIR}/.restore does not exist" >&2
+			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 			fi
 		    else
 		        echo "Error Saving the Dynamic Rules" >&2
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 4.3.6
+Shorewall 4.3.7
 Shorewall 4.3 is the development thread for Shorewall 4.4 which will be
 released late in 2009.
@ -18,98 +18,50 @@ released late in 2009.
   that cause new connections to use the same provider as an existing
   connection of the same kind.
-4) Shorewall now supports NOTRACK rules (this feature will also be
+----------------------------------------------------------------------------
-   released in Shorewall 4.2.7). 
+                    M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
-Problems corrected in 4.3.6
+1)  The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
    'shorewall6 clear' commands no longer read the 'routestopped'
    file. The 'routestopped' file used is the one that was present at
    the last 'start', 'restart' or 'restore' command.
-1)  The shorewall6 dump command now correctly displays the installed
+----------------------------------------------------------------------------
-    Shorewall version.
+          P R O B L E M S   C O R R E C T E D   I N   4 . 3 . 7
-  
+----------------------------------------------------------------------------
 2)   Previously, the 'start' command set the permission flags on
    /var/lib/shorewall*/state so that it could be read by
    non-root users while the 'stop' command set the permissions such
    that the file could not be read by those users.
-    Beginning with 4.3.6, both commands will secure the file for
+1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2
-    root-only access. If you want the file to be world-readable, then
+   and 4.3 versions.
    add 
-    	chmod 744 /var/lib/shorewall*/state
+   The problem:
-    To your /etc/shorewall*/started, /etc/shorewall*/stopped and
+   a) Only occurs when there are more than one non-firewall zone.
-    /etc/shorewall*/restored files.
+   b) Results in the following interface options not being applied to
      forwarded traffic.
-3)  If nets=(<single address>) was specified in
+	blacklist
-    /etc/shorewall/interfaces then the specification was ignored.
+	dhcp
-
+	maclist (when MACLIST_TABLE=filter)
-4)  Shorewall6 compilation failed with this error:
+	norfc1918
-
+	nosmurfs
-    ERROR: Unable to open /usr/share/shorewall6/prog.header6:
+	tcpflags
-           No such file or directory
+ 
-
+----------------------------------------------------------------------------
-Known Problems Remaiining:
+             K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
 None.
-New Features in Shorewall 4.3.6
+----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 3 . 6
 ----------------------------------------------------------------------------
-1)  To allow bypassing of connection tracking for certain traffic,
+None.
    /etc/shorewall/notrack and /etc/shorewall6/notrack files have been
    added.
-    Columns in the file are:
+----------------------------------------------------------------------------
-
+                 N E W   F E A T U R E S   IN   4 . 3
-        SOURCE - <zone>[:<interface>][:<address list>]
+----------------------------------------------------------------------------
    	DEST - [<address list>]
    	PROTO - <protocol name or number>
    	DEST PORT(S) - <port number list>
    	SOURCE PORT(S) - <port number list>
    	USER/GROUP - [<user>][:<group>]
            May only be specified if the SOURCE <zone> is $FW.
    Traffic that matches all given criteria will not be subject to
    connection tracking. For such traffic, your policies and/or rules
    must deal with ALL of the packets involved, in both the original
    and the opposite directions. All untracked traffic is passed
    through the relevant rules in the NEW section of the rules
    file. Untracked encapsulated tunnel traffic can be handled by
    entries in /etc/shorewall/tunnels just like tracked traffic
    is. Because every packet of an untracked connection must pass
    through the NEW section rules, it is suggested that rules that deal
    with untracked traffic should appear at the top of the file.
    Example:
    /etc/shorewall/tunnels:
 	#TYPE	ZONE	GATEWAY
 	6to4	net
    /etc/shorewall/notrack
 	#SOURCE		 DEST		PROTO	DEST	SOURCE	USER/
 	#               			PORT(S)	PORT(S)	GROUP
 	net:!192.88.99.1 -		41
    Given that 192.88.99.1 is an anycast address, many hosts can
    respond to outward traffic to that address. The entry in
    /etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
    /etc/shorewall/notrack prevents the inbound traffic from creating
    additional useless conntrack entries.
    As part of this change, the 'show' command is enhanced to support a 
    'show raw' command that is an alias for 'show -t raw'. The raw
    table is where NOTRACK rules are created. The dump command is also
    enhanced to display the contents of the raw table.
 New Features in Shorewall 4.3
 1)  The Shorewall packaging has been completely revamped in Shorewall
    4.3.
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -767,9 +767,9 @@ restart_command() {
 	   logger -p kern.err "ERROR:Shorewall restart failed"
       fi
   else
-       [ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found"
+       [ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
       [ -n "$nolock" ] || mutex_on
-       $SHOREWALL_SHELL ${VARDIR}/.restore $debugging restart
+       $SHOREWALL_SHELL ${VARDIR}/firewall $debugging restart
       rc=$?
       [ -n "$nolock" ] || mutex_off
   fi
@ -1540,7 +1540,11 @@ export PRODUCT="Shorewall"
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
-FIREWALL=${VARDIR}/.restore
+if [ ! -f ${VARDIR}/firewall ]; then
    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall 
 fi
 FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 REFRESHCHAINS=
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.3.6
+%define version 4.3.7
 %define release 0base
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -174,6 +174,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable
 %changelog
 * Sun Mar 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.3.6
+%define version 4.3.7
 %define release 0base
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@ -89,6 +89,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Sun Mar 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall6/Makefile
+++ b/Shorewall6/Makefile
@ -1,7 +1,7 @@
 # Shorewall6 Makefile to restart if config-files are newer than last restart
 VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
-RESTOREFILE?=.restore
+RESTOREFILE?=firewall
 all: $(VARDIR)/${RESTOREFILE}
 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@ -270,9 +270,9 @@ save_config() {
 		    if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
 			echo "   Dynamic Rules Saved"
-			if [ -f ${VARDIR}/.restore ]; then
+			if [ -f ${VARDIR}/firewall ]; then
 			    if $iptables_save > ${VARDIR}/restore-$$; then
-				cp -f ${VARDIR}/.restore $RESTOREPATH
+				cp -f ${VARDIR}/firewall $RESTOREPATH
 				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 				chmod +x $RESTOREPATH
 				echo "   Currently-running Configuration Saved to $RESTOREPATH"
@ -282,7 +282,7 @@ save_config() {
 				echo "   ERROR: Currently-running Configuration Not Saved" >&2
 			    fi
 			else
-			    echo "   ERROR: ${VARDIR}/.restore does not exist" >&2
+			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 			fi
 		    else
 		        echo "Error Saving the Dynamic Rules" >&2
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@ -744,9 +744,9 @@ restart_command() {
 	   logger -p kern.err "ERROR:Shorewall6 restart failed"
       fi
   else
-       [ -x ${VARDIR}/.restore ] || fatal_error "No ${VARDIR}/.restore file found"
+       [ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
       [ -n "$nolock" ] || mutex_on
-       $SHOREWALL_SHELL ${VARDIR}/.restore $debugging restart
+       $SHOREWALL_SHELL ${VARDIR}/firewall $debugging restart
       rc=$?
       [ -n "$nolock" ] || mutex_off
   fi
@ -1524,7 +1524,11 @@ export PRODUCT="Shorewall6"
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
-FIREWALL=${VARDIR}/.restore
+if [ ! -f ${VARDIR}/firewall ]; then
    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall 
 fi
 FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 REFRESHCHAINS=
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.3.6
+%define version 4.3.7
 %define release 0base
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@ -144,6 +144,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
 * Sun Mar 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.3.6
+VERSION=4.3.7
 usage() # $1 = exit status
 {