diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index f9e82db44..743e87eb1 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -2,6 +2,10 @@ Changes in 4.1.2 1) Enhanced Operational Logging +2) Fix undefined value when config file missing. + +3) Handle exit status 4 from iptables. + Changes in 4.1.1 1) Fix ULOG/NFLOG output. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index d7101d126..b0fc62115 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -12,7 +12,9 @@ Shorewall 4.1 Patch Release 2. Problems corrected in Shorewall 4.1.2. -None. +1) The iptables utility doesn't retry operations that fail due to + resource shortage. Beginning with this release, Shorewall reruns + iptables when such a failure occurs. Other changes in Shorewall 4.1.2. diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 852c16700..75d20f5e6 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -901,7 +901,10 @@ sub split_line2( $$$ ) { my $columns = $no_pad{$first}; if ( defined $columns ) { - fatal_error "Invalid $first entry" if $columns && @line != $columns; + if ( $columns ) { + fatal_error "Invalid $first entry" if @line != $columns; + } + return @line } @@ -1469,6 +1472,11 @@ sub qt( $ ) { system( "@_ > /dev/null 2>&1" ) == 0; } +sub qt1( $ ) { + 1 while system( "@_ > /dev/null 2>&1" ) == 4; + $? == 0; +} + # # Determine which optional facilities are supported by iptables/netfilter # 
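Review bot: The new `if ( $columns )` guard in split_line2 carries no comment explaining why a false column count skips the `@line != $columns` check, and since it is behaviourally identical to the postfix form it replaces the next reader is likely to collapse it again. Suggest placing `# A false count in %no_pad means the entry has no fixed column count -- only a true count is enforced` above the guard so the intent of the zero/undef case is recorded where it is tested. split_line2 begins and ends outside this hunk, so I cannot see how `%no_pad` is populated; the comment should be confirmed against that table.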
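Review bot: `system( ... ) == 4` in the new qt1 compares the raw 16-bit wait status, not the child's exit code, so an iptables exit status of 4 arrives as `$? == 1024` and never triggers the retry, while `$? == 4` actually matches a child killed by signal 4 (SIGILL), which would spin this loop forever. The comparison should be against `$? >> 8`, and the loop should be bounded, because an unbounded retry under a persistent resource shortage hangs the compile instead of failing it. The old `qt` and the surrounding callers keep their semantics; only the retry predicate and a cap change.
```perl
sub qt1( $ ) {
    my $tries = 0;
    # iptables exits 4 on a (usually transient) resource problem; retry a bounded
    # number of times, testing the exit code ($? >> 8) rather than the raw wait status
    do {
        system( "@_ > /dev/null 2>&1" );
    } while ( ( $? >> 8 ) == 4 && ++$tries < 10 );
    $? == 0;
}
```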
@@ -1478,77 +1486,77 @@ sub determine_capabilities( $ ) { my $pid = $$; my $sillyname = "fooX$pid"; - $capabilities{NAT_ENABLED} = qt( "$iptables -t nat -L -n" ); - $capabilities{MANGLE_ENABLED} = qt( "$iptables -t mangle -L -n" ); + $capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ); + $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" ); - qt( "$iptables -N $sillyname" ); + qt1( "$iptables -N $sillyname" ); - $capabilities{CONNTRACK_MATCH} = qt( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); + $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); - if ( qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { + if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { $capabilities{MULTIPORT} = 1; - $capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); + $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); } - $capabilities{XMULTIPORT} = qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" ); - $capabilities{POLICY_MATCH} = qt( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" ); + $capabilities{XMULTIPORT} = qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" ); + $capabilities{POLICY_MATCH} = qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" ); - if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) { + if ( qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) { $capabilities{PHYSDEV_MATCH} = 1; - $capabilities{PHYSDEV_BRIDGE} = qt( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" ); + $capabilities{PHYSDEV_BRIDGE} = qt1( "$iptables -A 
$sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" ); unless ( $capabilities{KLUDGEFREE} ) { - $capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); + $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); } } - if ( qt( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) { + if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) { $capabilities{IPRANGE_MATCH} = 1; unless ( $capabilities{KLUDGEFREE} ) { - $capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" ); + $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" ); } } - $capabilities{RECENT_MATCH} = qt( "$iptables -A $sillyname -m recent --update -j ACCEPT" ); - $capabilities{OWNER_MATCH} = qt( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" ); + $capabilities{RECENT_MATCH} = qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" ); + $capabilities{OWNER_MATCH} = qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" ); - if ( qt( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" )) { + if ( qt1( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" )) { $capabilities{CONNMARK_MATCH} = 1; - $capabilities{XCONNMARK_MATCH} = qt( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); + $capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); } - $capabilities{IPP2P_MATCH} = qt( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ); - $capabilities{LENGTH_MATCH} = qt( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" 
); - $capabilities{ENHANCED_REJECT} = qt( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" ); - $capabilities{COMMENTS} = qt( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); + $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ); + $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); + $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" ); + $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); if ( $capabilities{MANGLE_ENABLED} ) { - qt( "$iptables -t mangle -N $sillyname" ); + qt1( "$iptables -t mangle -N $sillyname" ); - if ( qt( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) { + if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) { $capabilities{MARK} = 1; - $capabilities{XMARK} = qt( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" ); + $capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" ); } - if ( qt( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) { + if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) { $capabilities{CONNMARK} = 1; - $capabilities{XCONNMARK} = qt( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" ); + $capabilities{XCONNMARK} = qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" ); } - $capabilities{CLASSIFY_TARGET} = qt( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); - qt( "$iptables -t mangle -F $sillyname" ); - qt( "$iptables -t mangle -X $sillyname" ); + $capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); + qt1( "$iptables -t mangle -F $sillyname" ); + qt1( "$iptables -t mangle -X $sillyname" ); - $capabilities{MANGLE_FORWARD} = qt( "$iptables 
-t mangle -L FORWARD -n" ); + $capabilities{MANGLE_FORWARD} = qt1( "$iptables -t mangle -L FORWARD -n" ); } - $capabilities{RAW_TABLE} = qt( "$iptables -t raw -L -n" ); + $capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" ); if ( which 'ipset' ) { qt( "ipset -X $sillyname" ); if ( qt( "ipset -N $sillyname iphash" ) ) { - if ( qt( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { - qt( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); + if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { + qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); $capabilities{IPSET_MATCH} = 1; } 
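Review bot: `qt1( "$iptables -N $sillyname" )` still discards its result, so if the scratch chain cannot be created every subsequent `-A $sillyname` probe fails and each capability is recorded as absent; the firewall then compiles against a silently degraded capability set rather than reporting an error. Suggest `fatal_error "Cannot create test chain $sillyname" unless qt1( "$iptables -N $sillyname" );` using the fatal_error helper already used in this file, and the same guard on `qt1( "$iptables -t mangle -N $sillyname" )`, whose failure would quietly clear MARK, CONNMARK and CLASSIFY_TARGET. The chain name includes the PID, so a collision with a stale chain from an aborted run looks unlikely, but that is an assumption worth confirming before making the check fatal. determine_capabilities begins outside this hunk.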
@@ -1556,16 +1564,16 @@ sub determine_capabilities( $ ) { } } - $capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" ); - $capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); - $capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); - $capabilities{HASHLIMIT_MATCH} = qt( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" ); - $capabilities{NFQUEUE_TARGET} = qt( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" ); + $capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" ); + $capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); + $capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); + $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" ); + $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" ); - $capabilities{REALM_MATCH} = qt( "$iptables -A $sillyname -m realm --realm 1" ); + $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" ); - qt( "$iptables -F $sillyname" ); - qt( "$iptables -X $sillyname" ); + qt1( "$iptables -F $sillyname" ); + qt1( "$iptables -X $sillyname" ); $capabilities{CAPVERSION} = $globals{CAPVERSION}; } diff --git a/Shorewall-perl/prog.functions b/Shorewall-perl/prog.functions index 4fe3bb0dc..c80d0da82 100644 --- a/Shorewall-perl/prog.functions +++ b/Shorewall-perl/prog.functions 
@@ -103,7 +103,12 @@ startup_error() # $* = Error Message # run_iptables() { - if ! $IPTABLES $@; then + while [ 1 ]; do + $IPTABLES $@ + [ $? -ne 4 ] && break + done + + if [ $? -ne 0 ]; then error_message "ERROR: Command \"$IPTABLES $@\" Failed" stop_firewall exit 2 diff --git a/tools/web/publish b/tools/web/publish index ade770dec..bc98b20b5 100755 --- a/tools/web/publish +++ b/tools/web/publish @@ -1,7 +1,7 @@ #!/bin/sh #STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl -STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl +STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl WEBSITE=/home/teastep/Shorewall/Website HTMFILES=" 6to4.htm
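Review bot: After the new `while` loop in run_iptables, `$?` is the status of the last list executed in the body, `[ $? -ne 4 ] && break`, which is the status of `break` (0), so the `if [ $? -ne 0 ]` test that follows never fires and an iptables command that fails with exit 1, 2 or 3 no longer calls error_message, stop_firewall or `exit 2` -- the script continues loading with that rule silently missing. The `if ! $IPTABLES $@` form being removed did catch this, so the change is a regression in failure detection. Capture the exit status in a variable before the test, and bound the retries so a persistent resource shortage cannot hang the start; `$(( ))` assumes a POSIX shell, which I take the generated script to require. The function's `fi` and closing brace lie outside this hunk.
```sh
run_iptables() {
    tries=0
    # iptables exit status 4 = resource problem; retry a bounded number of times
    while [ $tries -lt 10 ]; do
        $IPTABLES $@
        rc=$?
        [ $rc -ne 4 ] && break
        tries=$((tries + 1))
    done

    if [ $rc -ne 0 ]; then
        # … unchanged: error_message, stop_firewall, exit 2 …
```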