Update for 2.2.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2433 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp2/usr/share/shorewall/bogons

@@ -35,6 +35,7 @@
 #
 # The program was contributed by Andy Wiggin
 #
+
 0.0.0.0/7		logdrop		# Reserved
 2.0.0.0/8		logdrop		# Reserved
 5.0.0.0/8		logdrop		# Reserved
@@ -45,25 +46,21 @@
 36.0.0.0/7		logdrop		# Reserved
 39.0.0.0/8		logdrop		# Reserved
 42.0.0.0/8		logdrop		# Reserved
-49.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
+77.0.0.0/8		logdrop		# Reserved
-50.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
+78.0.0.0/7		logdrop		# Reserved
-74.0.0.0/7		logdrop		# Reserved
-76.0.0.0/6		logdrop		# Reserved
-89.0.0.0/8		logdrop		# Reserved
-90.0.0.0/7		logdrop		# Reserved
 92.0.0.0/6		logdrop		# Reserved
-96.0.0.0/3		logdrop		# Reserved
+96.0.0.0/4		logdrop		# Reserved
-127.0.0.0/8		logdrop		# Loopback
+112.0.0.0/5		logdrop		# Reserved
+120.0.0.0/6		logdrop		# Reserved
+127.0.0.0/8		logdrop		# Reserved
 173.0.0.0/8		logdrop		# Reserved
 174.0.0.0/7		logdrop		# Reserved
 176.0.0.0/5		logdrop		# Reserved
 184.0.0.0/6		logdrop		# Reserved
-189.0.0.0/8		logdrop		# Reserved
-190.0.0.0/8		logdrop		# Reserved
 197.0.0.0/8		logdrop		# Reserved
-198.18.0.0/15		logdrop		# Reserved
+223.0.0.0/8		logdrop		# Reserved
-223.0.0.0/8		logdrop		# Reserved - Returned by APNIC in 2003
 240.0.0.0/4		logdrop		# Reserved
+
 #
 # End of generated entries
 #

Lrp2/usr/share/shorewall/firewall

@@ -464,11 +464,6 @@ mac_chain() # $1 = interface
    echo $(chain_base $1)_mac
 }
 
-macrecent_target() # $1 - interface
-{
-    [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
-}
-
 #
 # Functions for creating dynamic zone rules
 #
@@ -494,6 +489,11 @@ dynamic_chains() #$1 = interface
    echo ${c}_dyni ${c}_dynf ${c}_dyno
 }
 
+macrecent_target() # $1 - interface
+{
+    [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
+}
+
 #
 # DNAT Chain from a zone
 #
@@ -2047,9 +2047,10 @@ setup_mac_lists() {
 	if [ -n "$MACLIST_TTL" ]; then
 	    chain1=$(macrecent_target $interface)
 	    createchain $chain1 no
-	    run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
+	    run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN
-	    run_iptables -A $chain1 -m recent --update                        --name $chain -j ACCEPT
+	    run_iptables -A $chain                                                          -j $chain1
-	    run_iptables -A $chain1 -m recent --set                           --name $chain -j ACCEPT
+	    run_iptables -A $chain  -m recent --update                        --name $chain -j RETURN
+	    run_iptables -A $chain  -m recent --set                           --name $chain
 	fi
     done
     #
@@ -2069,8 +2070,7 @@ setup_mac_lists() {
 	    esac
 	fi
 
-	chain=$(mac_chain $interface)
+	[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-	chain1=$(macrecent_target $interface)
 
 	if ! havechain $chain ; then
 	    fatal_error "No hosts on $interface have the maclist option specified"
@@ -2079,10 +2079,10 @@ setup_mac_lists() {
 	macpart=$(mac_match $mac)
 
 	if [ -z "$addresses" ]; then
-	    run_iptables -A $chain $macpart $physdev_part -j $chain1
+	    run_iptables -A $chain $macpart $physdev_part -j RETURN
 	else
 	    for address in $(separate_list $addresses) ; do
-		run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
+		run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
 	    done
 	fi
     done < $TMP_DIR/maclist
@@ -2091,8 +2091,7 @@ setup_mac_lists() {
     # chains
     #
     for interface in $maclist_interfaces; do
-	chain=$(mac_chain $interface)
+	[ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-	chain1=$(macrecent_target $interface)
 
 	blob=$(ip link show $interface 2> /dev/null)
 
@@ -2100,12 +2099,13 @@ setup_mac_lists() {
 	    fatal_error "Interface $interface must be up before Shorewall can start"
 
 	ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
+	    address=${address%/*}
 	    if [ -n "$broadcast" ]; then
-		run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
+		run_iptables -A $chain -s $address -d $broadcast -j RETURN
 	    fi
 
-	    run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
+	    run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
-	    run_iptables -A $chain -s $address -d 224.0.0.0/4     -j $chain1
+	    run_iptables -A $chain -s $address -d 224.0.0.0/4     -j RETURN
 	done
 
 	if [ -n "$MACLIST_LOG_LEVEL" ]; then
@@ -6207,7 +6207,7 @@ add_common_rules() {
 
 	    savelogparms="$LOGPARMS"
 
-	    LOGPARMS="$LOGPARMS --log-ip-options"
+	    [ "$TCP_FLAGS_LOG_LEVEL" = ULOG ] || LOGPARMS="$LOGPARMS --log-ip-options"
 
 	    log_rule $TCP_FLAGS_LOG_LEVEL logflags $TCP_FLAGS_DISPOSITION 
 
@@ -7525,8 +7525,11 @@ do_initialize() {
 	case $MACLIST_DISPOSITION in
 	    REJECT)
 		;;
-	    ACCEPT|DROP)
+	    DROP)
-		maclist_target=$MACLIST_DISPOSITION
+		maclist_target=DROP
+		;;
+	    ACCEPT)
+		maclist_target=RETURN
 		;;
 	    *)
 		startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"

Lrp2/usr/share/shorewall/version

@@ -1 +1 @@
-2.2.5
+2.2.6