From 5104b2fa7c6009ae9af47410b9ed8050f129fce3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 7 Mar 2014 08:37:46 -0800 Subject: [PATCH 1/6] Revert "Merge branch '4.5.21'" This reverts commit 733a17470e2f8600115b8b3fd800634404e82719, reversing changes made to c9d7370fb4af804076c71d950b734cf907b4f867. --- docs/standalone.xml | 6 ------ docs/three-interface.xml | 6 ------ docs/two-interface.xml | 8 +------- 3 files changed, 1 insertion(+), 19 deletions(-) diff --git a/docs/standalone.xml b/docs/standalone.xml index 96dd2aa8c..c7bb78967 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -536,12 +536,6 @@ Web(ACCEPT) net $FW IMAP(ACCEPT)net $FW - - The Shorewall-provided macros assume that the associated service - is using it's standard port and will not work with services listening on - a non-standard port. - - You may also choose to code your rules directly without using the pre-defined macros. This will be necessary in the event that there is not a pre-defined macro that meets your requirements. In that case the general diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 64303f913..37736066e 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml @@ -971,12 +971,6 @@ ACCEPT dmz $FW udp 53 This page can be of help if you don't know the protocol and port involved. - - - The Shorewall-provided macros assume that the service is using its - standard port and will not work with a service listening on a - non-standard port. -
diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 23e46da41..5026414a6 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -807,12 +807,6 @@ FTP(DNAT) net loc:10.10.10.1 For url="FTP.html">Shorewall FTP documentation for more information. A couple of important points to keep in mind: - - The Shorewall-provided macros assume that the service is using - its standard port and will not work with a service listening on a - non-standard port. - - You must test the above rule from a client outside of your local network (i.e., don't test from a browser running on computers @@ -1086,7 +1080,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work - Also, I don't recommend using shorewall + Also, I don't recommend using shorewall restart; it is better to create an alternate configuration and test it using the shorewall try command. From 6c20071d3b9bb16217b9e87eba33969c1b226a54 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 7 Mar 2014 09:23:24 -0800 Subject: [PATCH 2/6] Add warnings about macros in the beginner documents Signed-off-by: Tom Eastep --- docs/standalone.xml | 6 ++++++ docs/three-interface.xml | 6 ++++++ docs/two-interface.xml | 8 +++++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/docs/standalone.xml b/docs/standalone.xml index c7bb78967..96dd2aa8c 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -536,6 +536,12 @@ Web(ACCEPT) net $FW IMAP(ACCEPT)net $FW + + The Shorewall-provided macros assume that the associated service + is using it's standard port and will not work with services listening on + a non-standard port. + + You may also choose to code your rules directly without using the pre-defined macros. This will be necessary in the event that there is not a pre-defined macro that meets your requirements. In that case the general diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 37736066e..64303f913 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml 
@@ -971,6 +971,12 @@ ACCEPT dmz $FW udp 53 This page can be of help if you don't know the protocol and port involved. + + + The Shorewall-provided macros assume that the service is using its + standard port and will not work with a service listening on a + non-standard port. +
diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 5026414a6..23e46da41 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -807,6 +807,12 @@ FTP(DNAT) net loc:10.10.10.1 For url="FTP.html">Shorewall FTP documentation for more information. A couple of important points to keep in mind: + + The Shorewall-provided macros assume that the service is using + its standard port and will not work with a service listening on a + non-standard port. + + You must test the above rule from a client outside of your local network (i.e., don't test from a browser running on computers @@ -1080,7 +1086,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work - Also, I don't recommend using shorewall + Also, I don't recommend using shorewall restart; it is better to create an alternate configuration and test it using the shorewall try command. From 39b7527cb61c6c5955514a2e3d0a860c043efc45 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 10 Mar 2014 08:24:38 -0700 Subject: [PATCH 3/6] Include rule priority in delete of generated address route rules. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index ce172f346..7d5141817 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm 
@@ -863,12 +863,12 @@ CEOF
 if ( $shared ) {
 emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 emit( "run_ip rule add from $address pref 20000 table $id" ,
- "echo \"\$IP -$family rule del from $address > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+ "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 } elsif ( ! $pseudo ) {
 emit ( "find_interface_addresses $physical | while read address; do" );
 emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 emit ( " run_ip rule add from \$address pref 20000 table $id",
- " echo \"\$IP -$family rule del from \$address > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
+ " echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 ' rulenum=$(($rulenum + 1))',
 'done' );
From 5981ce59e3911154b47ca5bb4bc745cde049a5a3 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 18 Mar 2014 07:28:14 -0700
Subject: [PATCH 4/6] Include -t in debug_restore_input() error message
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/lib.core | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/lib.core b/Shorewall/Perl/lib.core
index 670f68960..d09ff3ade 100644
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -532,7 +532,7 @@ debug_restore_input() {
 eval $g_tool -t $table $first $second $rest
 if [ $? -ne 0 ]; then
- error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+ error_message "ERROR: Command \"$g_tool -t $table $first $second $rest\" Failed"
 stop_firewall
 exit 2
 fi
From ad8b05d8f54a0d10794907eb5768b3c0da8fdb98 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 10 Mar 2014 08:24:38 -0700
Subject: [PATCH 5/6] Include rule priority in delete of generated address route rules.
Signed-off-by: Tom Eastep
From 9107259a56af08c991b605413dcbab95bb88c53c Mon Sep 17 00:00:00 2001
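Review bot: The first added line in the `$shared` branch drops the space between `20000` and `>`, so the line it appends to the undo script reads `... rule del from $address pref 20000> /dev/null 2>&1`; in POSIX shell a digit string directly before `>` is a file-descriptor redirection, so `pref` is most likely left without a value and `ip` rejects the delete when the undo script runs, while stdout is not redirected at all. The second added line in the `find_interface_addresses` loop has the intended `pref 20000 > /dev/null`, so the two branches now generate different undo commands. Change the first echo to `"echo \"\$IP -$family rule del from $address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );`. Patch 5/6 carries the same subject with no hunk, so the correction belongs here. The enclosing subroutine starts and ends outside the hunk.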
From: Tom Eastep
Date: Thu, 27 Mar 2014 10:52:40 -0700
Subject: [PATCH 6/6] Correct reporting of the REAP_OPTION capability.
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 8cf19edab..e696a1737 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2685,7 +2685,7 @@ report_capabilities_unsorted() {
 report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
 report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
 report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
- [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)'
+ [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
 report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
 report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
 if [ -n "$IPSET_MATCH" ]; then