Avoid iptables errors when allow/drop/reject run when Shorewall not started

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3442 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-02-04 17:14:46 +00:00
parent c4271f4578
commit 3482a47db0
3 changed files with 55 additions and 53 deletions


@ -46,3 +46,7 @@ Changes in 3.1.x.
22) Remove sub-zone exclusion from DNAT/REDIRECT. 22) Remove sub-zone exclusion from DNAT/REDIRECT.
23) Add compiled-program/library versioning scheme. 23) Add compiled-program/library versioning scheme.
24) Apply Steven Springl's help patch.
25) Fix 'allow/drop/reject' while Shorewall not running.
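Review bot: Changelog entry 25 says only "Fix 'allow/drop/reject' while Shorewall not running" and does not state what the new behaviour is; the wording used in the release notes in this same commit ("no longer produce iptables errors when executed while Shorewall is not started") is clearer, and since the commands now report "ERROR: Shorewall is not started" and exit with status 2 in that case, mentioning the exit status here would help anyone who scripts around these commands.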


@ -1,4 +1,4 @@
Shorewall 3.1.5 Shorewall 3.1.6
Note to users upgrading from Shorewall 2.x or 3.0 Note to users upgrading from Shorewall 2.x or 3.0
@ -27,34 +27,17 @@ Note to users upgrading from Shorewall 2.x or 3.0
Please see the "Migration Considerations" below for additional upgrade Please see the "Migration Considerations" below for additional upgrade
information. information.
Problems Corrected in 3.1.5 Problems Corrected in 3.1.6
1) Compilation has been speeded up by 10-15%. 1) Syntax errors reported in response to "shorewall help <command>" have
been eliminated.
2) Specifying a GATEWAY IP address in /etc/shorewall/providers no longer 2) The 'allow', 'drop' and 'reject' commands no longer produce iptables
causes "shorewall [re]start to fail". errors when executed while Shorewall is not started.
Other changes in 3.1.5 Other changes in 3.1.6
1) Synonyms have been removed from the /sbin/shorewall command set. The None.
'generate' and 'reload' command have been removed. The 'reload' command
has also been removed from the program generated by 'compile'.
2) Scripts compiled without the -e option are now more forgiving when run
on systems with a different Shorewall version installed. If the
installed version meets minimum version requirements, the script will
run -- it no longer requires an exact match.
That having been said, the minimum version required for scripts
compiled with 3.1.5 is 3.1.5. I plan to add new features to the library
(/usr/share/shorewall/functions) in advance of using them in compiled
scripts so that scripts compiled on one version of Shorewall should be
able to run on the next several newer minor releases.
3) Preliminary Support is included for distribution-specific compilation.
See below for details.
4) Compilation has been speeded up by 10-15%.
Migration Considerations: Migration Considerations:
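Review bot: Item 2 under "Problems Corrected in 3.1.6" describes the symptom that was removed but not the replacement behaviour: with this change the 'allow', 'drop' and 'reject' commands print "ERROR: Shorewall is not started" and exit with status 2 instead of attempting any iptables changes. Stating that in the release note (it is a visible change in exit status for callers) would make the entry complete.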


@ -1763,42 +1763,57 @@ case "$COMMAND" in
drop) drop)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on if shorewall_is_started ; then
while [ $# -gt 1 ]; do mutex_on
shift while [ $# -gt 1 ]; do
qt $IPTABLES -D dynamic -s $1 -j reject shift
qt $IPTABLES -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j reject
$IPTABLES -A dynamic -s $1 -j DROP || break 1 qt $IPTABLES -D dynamic -s $1 -j DROP
echo "$1 Dropped" $IPTABLES -A dynamic -s $1 -j DROP || break 1
done echo "$1 Dropped"
mutex_off done
mutex_off
else
error_message "ERROR: Shorewall is not started"
exit 2
fi
;; ;;
reject) reject)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on if shorewall_is_started ; then
while [ $# -gt 1 ]; do mutex_on
shift while [ $# -gt 1 ]; do
qt $IPTABLES -D dynamic -s $1 -j reject shift
qt $IPTABLES -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j reject
$IPTABLES -A dynamic -s $1 -j reject || break 1 qt $IPTABLES -D dynamic -s $1 -j DROP
echo "$1 Rejected" $IPTABLES -A dynamic -s $1 -j reject || break 1
done echo "$1 Rejected"
mutex_off done
mutex_off
else
error_message "ERROR: Shorewall is not started"
exit 2
fi
;; ;;
allow) allow)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on if shorewall_is_started ; then
while [ $# -gt 1 ]; do mutex_on
shift while [ $# -gt 1 ]; do
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then shift
echo "$1 Allowed" if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
else echo "$1 Allowed"
echo "$1 Not Dropped or Rejected" else
fi echo "$1 Not Dropped or Rejected"
done fi
mutex_off done
mutex_off
else
error_message "ERROR: Shorewall is not started"
exit 2
fi
;; ;;
save) save)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
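Review bot: In all three branches the started check runs before mutex_on, so the state can change between `if shorewall_is_started ; then` and the iptables calls (a concurrent stop or clear could remove the dynamic chain after the check and the original iptables errors would reappear); taking the mutex first and performing the check inside it (mutex_on; if shorewall_is_started; then ...; fi; mutex_off) closes that window while keeping the same error path. The five-line else/error_message/exit 2 block is also repeated verbatim three times; a small helper that calls error_message "ERROR: Shorewall is not started" and exits 2 would keep the three commands consistent and avoid the duplicated text. Since shorewall_is_started is not introduced in this diff, it should be confirmed that it is provided by the library this script already sources.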