RC1 and 'detectnets' option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1089 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -3,3 +3,10 @@ Changes since 1.4.9
 1) Implement destination list in masq file.
 
 2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.
+
+3) Correct column headings in action.template
+
+4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or
+   ADD_SNAT_ALIASES=Yes.
+
+5) Implement "detectnets" option.

Shorewall/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=1.4.9
+VERSION=1.4.10-RC1
 
 usage() # $1 = exit status
 {

Shorewall/firewall

@@ -564,11 +564,21 @@ determine_hosts() {
 	eval interfaces=\$${zone}_interfaces
 
 	for interface in $interfaces; do
-	    if [ -z "$hosts" ]; then
-		hosts=$interface:0.0.0.0/0
+	    eval options=\$`chain_base ${interface}`_options
+
+	    if list_search detectnets $options; then
+		subnets=`get_routed_subnets $interface`
 	    else
-		hosts="$hosts $interface:0.0.0.0/0"
+		subnets=0.0.0.0/0
 	    fi
+
+	    for subnet in $subnets; do
+		if [ -z "$hosts" ]; then
+		    hosts=$interface:$subnet
+		else
+		    hosts="$hosts $interface:$subnet"
+		fi
+	    done
 	done
 
 	interfaces=
@@ -611,6 +621,8 @@ validate_zone() # $1 = zone
 # Validate the zone names and options in the interfaces file
 #
 validate_interfaces_file() {
+    local wildcard
+
     while read z interface subnet options; do
 	expandv z interface subnet options
 	r="$z $interface $subnet $options"
@@ -628,10 +640,15 @@ validate_interfaces_file() {
 	list_search $interface $all_interfaces && \
 	    startup_error "Duplicate Interface $interface"
 
+	wildcard=
+
 	case $interface in
 	    *:*)
 		startup_error "Invalid Interface Name: $interface"
 		;;
+	    *+*)
+		wildcard=Yes
+		;;
 	esac
 
 	all_interfaces="$all_interfaces $interface"
@@ -646,6 +663,10 @@ validate_interfaces_file() {
 	    case $option in
 		dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
 		    ;;
+		detectnets)
+		    [ -n "$wildcard" ] && \
+			startup_error "The \"detectnets\" option may not be used with a wild-card interface"
+		    ;;
 		dropunclean|logunclean)
 		    error_message \
 			"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
@@ -844,7 +865,7 @@ find_broadcasts() {
     for interface in $all_interfaces; do
 	eval bcast=\$`chain_base $interface`_broadcast
 	if [ "x$bcast" = "xdetect" ]; then
-	    addr="`ip addr show $interface 2> /dev/null`"
+	    addr="`ip -f inet addr show $interface 2> /dev/null`"
 	    if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
 		addr="`echo "$addr" | \
 		grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
@@ -4113,7 +4134,7 @@ add_ip_aliases()
 	#
 	# Get all of the lines that contain inet addresses 
 	#
-	ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
+	ip -f inet addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
 	    case $cidr in
 		*/*)
 		    if in_subnet $external $cidr; then
@@ -4817,6 +4838,8 @@ activate_rules()
 	echo "$FW $zone $chain1" >> ${STATEDIR}/chains
 	echo "$zone $FW $chain2" >> ${STATEDIR}/chains
 
+	need_broadcast=
+
 	for host in $source_hosts; do
 	    interface=${host%:*}
 	    subnet=${host#*:}
@@ -4834,8 +4857,16 @@ activate_rules()
 	    [ -n "$complex" ] && \
 		run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
 
+	    if ! list_search $interface $need_broadcast ; then
+		eval options=\$`chain_base ${interface}`_options
+		list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+	    fi
 	done
 
+	for interface in $need_broadcast ; do
+	    run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
+	done
+   
 	for zone1 in $zones; do
 
 	    eval policy=\$${zone}2${zone1}_policy

Shorewall/install.sh

@@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.4.9
+VERSION=1.4.10-RC1
 
 usage() # $1 = exit status
 {

Shorewall/interfaces

@@ -117,6 +117,13 @@
 #                                      interface. The interface must be up
 #				       when Shorewall is started.
 #
+#			detectnets   - Automatically taylors the zone named
+#				       in the ZONE column to include only those
+#				       hosts routed through the interface.
+#
+#		        WARNING: DO NOT SET THE detectnets OPTION ON YOUR
+#			         INTERNET INTERFACE!
+#
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
 #			space.

Shorewall/masq

@@ -94,7 +94,7 @@
 #
 #		  You want all outgoing traffic from 192.168.1.0/24 through
 #		  eth0 to use source address 206.124.146.176 which is NOT the
-#		  primary address of eth0. You want 206.124.146.176 added to
+#		  primary address of eth0. You want 206.124.146.176 to
 #		  be added to eth0 with name eth0:0.
 #
 #			eth0:0	192.168.1.0/24	206.124.146.176

Shorewall/releasenotes.txt

@@ -2,7 +2,12 @@ This is a minor release of Shorewall.
 
 Problems Corrected since version 1.4.9:
 
-None.
+1. The column descriptions in the action.template file did not match
+   the column headings. That has been corrected.
+
+2. The presence of IPV6 addresses on devices generates error messages
+   during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
+   specified in /etc/shorewall/shorewall.conf.
 
 Migration Issues:
 
@@ -35,3 +40,12 @@ New Features:
    The colon is optionnal when specifying only a user.
 
        Examples : john: / john / :users / john:users	
+
+3) A "detectnets" interface option has been added for entries in
+   /etc/shorewall/interfaces. This option automatically taylors the
+   definition of the zone named in the ZONE column to include just
+   those hosts that have routes through the interface named in the
+   INTERFACE column. The named interface must be UP prior when
+   Shorewall is [re]started.
+
+   WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 1.4.9
-%define release 1
+%define version 1.4.10
+%define release 0RC1
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -109,6 +109,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Tue Jan 22 2004 Tom Eastep <tom@shorewall.net>
+- Changed version to 1.4.10
 * Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.9
 * Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=1.4.9
+VERSION=1.4.10-RC1
 
 usage() # $1 = exit status
 {