extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-24 06:29:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update modules for kernel 2.6.20

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5564 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-18 02:53:58 +00:00
parent b38c69c61e
commit 2f7c8f9120
3 changed files with 82 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in 3.4.2
1) Update modules file for 2.6.20 module madness.
Changes in 3.4.1 Changes in 3.4.1
1) Add rest of proxy arp fix. 1) Add rest of proxy arp fix.

27
Shorewall/modules
View File

@ -22,6 +22,8 @@ loadmodule ip_tables
loadmodule iptable_filter loadmodule iptable_filter
loadmodule iptable_mangle loadmodule iptable_mangle
loadmodule ip_conntrack loadmodule ip_conntrack
loadmodule nf_conntrack
loadmodule nf_conntrack_ipv4
loadmodule iptable_nat loadmodule iptable_nat
loadmodule xt_state loadmodule xt_state
loadmodule xt_tcpudp loadmodule xt_tcpudp
@ -33,12 +35,14 @@ loadmodule xt_connmark
loadmodule xt_CONNMARK loadmodule xt_CONNMARK
loadmodule xt_conntrack loadmodule xt_conntrack
loadmodule xt_dccp loadmodule xt_dccp
loadmodule xt_hashlimit
loadmodule xt_helper loadmodule xt_helper
loadmodule xt_length loadmodule xt_length
loadmodule xt_limit loadmodule xt_limit
loadmodule xt_mac loadmodule xt_mac
loadmodule xt_mark loadmodule xt_mark
loadmodule xt_MARK loadmodule xt_MARK
loadmodule xt_NFLOG
loadmodule xt_NFQUEUE loadmodule xt_NFQUEUE
loadmodule xt_physdev loadmodule xt_physdev
loadmodule xt_pkttype loadmodule xt_pkttype
@ -68,6 +72,29 @@ loadmodule ip_set_ipmap
loadmodule ip_set_macipmap loadmodule ip_set_macipmap
loadmodule ip_set_portmap loadmodule ip_set_portmap
# #
# 2.6.20+ helpers
#
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_h323
loadmodule nf_conntrack_irc
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netlink
loadmodule nf_conntrack_pptp
loadmodule nf_conntrack_proto_gre
loadmodule nf_conntrack_proto_sctp
loadmodule nf_conntrack_sip
loadmodule nf_conntrack_tftp
loadmodule nf_nat_amanda
loadmodule nf_nat_ftp
loadmodule nf_nat_h323
loadmodule nf_nat_irc
loadmodule nf_nat
loadmodule nf_nat_pptp
loadmodule nf_nat_proto_gre
loadmodule nf_nat_sip
loadmodule nf_nat_snmp_basic
loadmodule nf_nat_tftp
#
# Traffic Shaping # Traffic Shaping
# #
loadmodule sch_sfq loadmodule sch_sfq

233
Shorewall/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 3.4.1 Shorewall 3.4.2
Release Highlights Release Highlights
@ -28,66 +28,10 @@ Release Highlights
/etc/shorewall/route_rules and reverses those changes when /etc/shorewall/route_rules and reverses those changes when
appropriate. appropriate.
Problems Corrected in 3.4.1 Problems corrected in Shorewall 3.4.2
1) The "shorewall-[lite] [re]start and stop" commands reset the 1) The /usr/share/shorewall[-lite]/modules file has been updated for
proxy_arp flag on all interfaces on the system making it impossible kernel 2.6.20.
to control proxy arp manually with Shorewall installed. There was a
partial fix included in 3.4.0; unfortunately, it did not correct the
problem completely. Shorewall 3.4.1 includes the rest of the change
necessarey to only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was
[re]started.
2) If the log-prefix in a log message exceeded 29 characters,
'shorewall restart' fails with 'truncate: command not found' and a
possible segmentation fault in iptables.
3) Log messages specifying a log tag had two spaces appended to the
log prefix. This could cause mysterious "log-prefix truncated"
messages.
4) When nested zones were defined in the /etc/shorewall/zones file and
IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf,
shell error messages ( usually '<zone>: not found' ) during
compilation resulted.
5) Use of CONTINUE policies lead to startup errors with a message
such as the following:
Applying Policies...
iptables v1.3.7: Couldn't load target
`CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE"
Failed
6) If there were hosts defined as 'critical' in
/etc/shorewall/routestopped then problems occured in two cases:
i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall
clear' was issued.
ii) On Shorewall or Shorewall lite system when 'start' or 'restart'
failed during execution of the compiled script and there was no saved
configuration ('shorewall[-lite] save' has not been issued).
The symptoms were that the following shell messages were issued and
the 'critical' hosts were not enabled:
/var/lib/shorewall/.start: line nnn: source_ip_range: command not found
/var/lib/shorewall/.start: line nnm: dest_ip_range: command not found
Other changes in 3.4.1
1) Several changes are included which allow testing of experimental
versions of Shorewall on systems with 3.4.1 and later 3.4 releases
installed. Among these changes is the detection and reporting of
"Address Type Match" which may be used in future 3.4 releases.
These changes have no effect on normal Shorewall operation.
Migration Considerations: Migration Considerations:
@ -732,139 +676,64 @@ New Features in Shorewall 3.4:
3.2.9. It is described here for the benefit of those who did not 3.2.9. It is described here for the benefit of those who did not
install that version. install that version.
Problems Corrected in 3.4.0 Beta 1. Problems Corrected in 3.4.1
1) It is now possible to place entries in the IPSEC column of 1) The "shorewall-[lite] [re]start and stop" commands reset the
/etc/shorewall/masq without having specified ipsec zones or hosts. proxy_arp flag on all interfaces on the system making it impossible
to control proxy arp manually with Shorewall installed. There was a
partial fix included in 3.4.0; unfortunately, it did not correct the
problem completely. Shorewall 3.4.1 includes the rest of the change
necessarey to only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was
[re]started.
2) The /etc/shorewall/masq file is no longer ignored when the 2) If the log-prefix in a log message exceeded 29 characters,
/etc/shorewall/nat file is empty. 'shorewall restart' fails with 'truncate: command not found' and a
possible segmentation fault in iptables.
Problems Corrected in 3.4.0 Beta 2 3) Log messages specifying a log tag had two spaces appended to the
log prefix. This could cause mysterious "log-prefix truncated"
messages.
1) If 'blacklist' was specified on an interface and the 4) When nested zones were defined in the /etc/shorewall/zones file and
/etc/shorewall/blacklist file was empty, then the generated IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf,
firewall script contained a syntax error (the function shell error messages ( usually '<zone>: not found' ) during
load_blacklist() was empty). compilation resulted.
2) If the file /etc/shorewall/init did not exist, then the compiler 5) Use of CONTINUE policies lead to startup errors with a message
would incorrectly copy /usr/share/shorewall/init into the such as the following:
compiled script. /usr/share/shorewall/init is a symbolic link
to the Shorewall init script (usually /etc/init.d/shorewall).
3) To allow Shorewall and Shorewall Lite to coexist on a single Applying Policies...
system, the Shorewall section 5 manpages are no longer included in iptables v1.3.7: Couldn't load target
Shorewall Lite. In addition, the Shorewall Lite manpage for `CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
"shorewall.conf" has been renamed "shorewall-lite.conf". This shared object file: No such file or directory
has resulted in a similar change to the actual file --
/etc/shorewall-lite/shorewall.conf has been renamed
/etc/shorewall-lite/shorewall-lite.conf.
Problems Corrected in 3.4.0 Beta 3 Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE"
Failed
1) Shorewall now supports VLAN interfaces with names of the form 6) If there were hosts defined as 'critical' in
vlan@ethX. /etc/shorewall/routestopped then problems occured in two cases:
2) Previously, "ipp2p:udp" was incorrectly rejected in the PROTO i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall
column of an action definition. clear' was issued.
3) Previously, if an invalid DISPOSITION was specified in a record in ii) On Shorewall or Shorewall lite system when 'start' or 'restart'
/etc/shorewall/maclist, then a confusing error message would failed during execution of the compiled script and there was no saved
result. configuration ('shorewall[-lite] save' has not been issued).
Example: The symptoms were that the following shell messages were issued and
the 'critical' hosts were not enabled:
/etc/shorewall/mac: /var/lib/shorewall/.start: line nnn: source_ip_range: command not found
/var/lib/shorewall/.start: line nnm: dest_ip_range: command not found
Other changes in 3.4.1
ALOW:info eth0 02:0C:03:04:05:06 1) Several changes are included which allow testing of experimental
versions of Shorewall on systems with 3.4.1 and later 3.4 releases
installed. Among these changes is the detection and reporting of
"Address Type Match" which may be used in future 3.4 releases.
These changes have no effect on normal Shorewall operation.
Error message:
ERROR: No hosts on ALOW:info have the maclist option specified
The new error message is:
ERROR: Invalid DISPOSITION (ALOW:info) in rule "ALOW:info eth0
02:0C:03:04:05:06"
Problems Corrected in 3.4.0 RC1
1) While most distributions store the Shorewall Lite compiled program
in /var/lib/shorewall/, Shorewall includes features that allow that
location to be changed on a per-distribution basis. The default for
a particular distribution may be determined by the command
"shorewall[-lite] show config".
teastep@lists:~/shorewall/trunk$ shorewall show config
Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
LITEDIR is /var/lib/shorewall-lite
teastep@lists:~/shorewall/trunk$
The LITEDIR setting is the location where the compiled script
should be placed. Unfortunately, the "shorewall [re]load" command
previously used the setting on the administrative system rather
than the one from the firewall system so it was possible for that
command to upload the compiled script to the wrong directory.
To work around this problem, Shorewall now determines the LITEDIR
setting on the firewall system and uses that setting for uploading
the compiled script and its companion .conf file.
2) Previously, IP ranges and ipset names were handled incorrectly in
the last column of the maclist file with the result that run-time
errors occured.
3) The Beta3 manpages are sprinked with .html filenames enclosed in
square brackets.
Example:
...set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf
[shorewall.conf.html](5) and have...
These were generated by <ulink> elements in the XML source which
were added to provide inter-document links in the HTML rendition of
the manpages. <ulink>s were previously ignored by the XML->man
conversion tool; unfortunately, the latest release of the tool
no longer ignores these elements but rather produces the ugly
result shown above.
This problem has been corrected in RC1.
4) Previously, if "INCLUDE <filename>" appeared in
/etc/shorewall/params then run-time errors occurred.
As part of the fix for this problem, the mechanism by which
/etc/shorewall/params is copied into the compiler output was
changed. As a result, extra white space is removed from the text
during the copy operation so code in /etc/shorewall/params should
not depend on precise white-space, even in quoted strings.
Other Changes in 3.4.0 RC 1
1) A macro that handles SixXS has been contributed by Christian
Roessner.
Problems Corrected in 3.4.0 RC2
1) The new SIP and H323 Netfilter helper modules were not being
automatically loaded by Shorewall. They have now been added to the
/usr/share/shorewall[-lite]/modules files.
2) It is quite difficult to code a 'params' file that assigns other
than constant values such that it works correctly with Shorewall
Lite. To work around this problem, a new EXPORTPARAMS option
has been added to shorewall.conf. When EXPORTPARAMS=No, the
'params' file is no longer copied to the compiler output.
With EXPORTPARAMS=No, if you need to set environmental variables on
the firewall system for use by your extension scripts, then do so
in the init extension script.
The default is EXPORTPARAMS=Yes to retain the current behavior.
This fix is brought forward from Shorewall version 3.2.9.
Other Changes in 3.4.0 RC 2
None.