From 1fd9e5e95c3c1ffbc425bb493e457c7e8ab75870 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 20 Aug 2012 07:20:21 -0700 Subject: [PATCH 1/2] Compensate for silly RHEL bug Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 8 ++++---- Shorewall/Perl/Shorewall/Config.pm | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 5412ba517..1cd8438ee 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -2235,10 +2235,10 @@ determine_capabilities() { if [ -n "$have_ipset" ]; then if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then - qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT + qt $g_tool -F $chain IPSET_MATCH=Yes elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then - qt $g_tool -D $chain -m set --set $chain src -j ACCEPT + qt $g_tool -F $chain IPSET_MATCH=Yes OLD_IPSET_MATCH=Yes fi @@ -2247,10 +2247,10 @@ determine_capabilities() { elif qt ipset -N $chain hash:ip family inet6; then IPSET_V5=Yes if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then - qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT + qt $g_tool -F $chain IPSET_MATCH=Yes elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then - qt $g_tool -D $chain -m set --set $chain src -j ACCEPT + qt $g_tool -F $chain IPSET_MATCH=Yes OLD_IPSET_MATCH=Yes fi diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5a2d46206..79e0621e9 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -3194,7 +3194,7 @@ sub Old_IPSet_Match() { if ( qt( "$ipset -N $sillyname iphash" ) ) { if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { - qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); + qt1( "$iptables -F $sillyname" ); $result = $capabilities{IPSET_MATCH} = 1; } 
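Review bot: The two added `qt $g_tool -F $chain` lines flush an entire chain named from a variable, and nothing in the hunk records why a flush replaced the targeted `-D`, so a later reader will either suspect it can clobber a user chain or "fix" it back to the form this commit is working around. The only rationale is the subject line ("Compensate for silly RHEL bug"), so please pin it in the code with a comment above the first `if qt $g_tool -A $chain -m set --match-set …` line, e.g. `# Flush the probe chain instead of -D on the rule; the -D form fails on some RHEL iptables builds and leaves the chain referencing the set (commit 1fd9e5e)`. The creation and teardown of `$chain` are outside this hunk (determine_capabilities continues past it), so I cannot confirm it is always a private probe chain; the result of the flush is also discarded, and if it fails the set stays referenced and any later `-X`/destroy cleanup would presumably leave a stale chain and set on the live ruleset, which the previous `-D` had the same exposure to but is worth a note where the cleanup happens.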
@@ -3217,7 +3217,7 @@ sub IPSet_Match() { if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) { if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) { - qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" ); + qt1( "$iptables -F $sillyname" ); $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); } else { $result = have_capability 'OLD_IPSET_MATCH'; From 8c8af31b7af6fd2b98d66db1c7703cfede664054 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 20 Aug 2012 11:13:39 -0700 Subject: [PATCH 2/2] Update docs for info added/changed in 4.5.7 Signed-off-by: Tom Eastep --- docs/Manpages.xml | 12 ++++++++---- docs/Manpages6.xml | 14 +++++++++----- docs/upgrade_issues.xml | 30 ++++++++++++++++-------------- 3 files changed, 33 insertions(+), 23 deletions(-) diff --git a/docs/Manpages.xml b/docs/Manpages.xml index bf3ac8362..f388b94ad 100644 --- a/docs/Manpages.xml +++ b/docs/Manpages.xml @@ -70,6 +70,11 @@ url="manpages/shorewall-blacklist.html">blacklist - Static blacklisting. + conntrack - Specify + helpers for connections or exempt certain traffic from netfilter + connection tracking. + ecn - Disabling Explicit Congestion Notification @@ -108,7 +113,7 @@ How to map addresses from one net to another. notrack - - Exclude certain traffic from Netfilter connection tracking + Exclude certain traffic from Netfilter connection tracking params - Assign values to shell variables used in other files. @@ -123,9 +128,8 @@ proxyarp - Define Proxy ARP. - rtrules - Define - routing rules. + rtrules - + Define routing rules. routes - (Added in Shorewall 4.4.15) Add additional routes to provider routing diff --git a/docs/Manpages6.xml b/docs/Manpages6.xml index 69ed41ad0..3d9a6d976 100644 --- a/docs/Manpages6.xml +++ b/docs/Manpages6.xml 
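Review bot: The new `qt1( "$iptables -F $sillyname" );` in IPSet_Match, like the identical line in Old_IPSet_Match above it, carries no hint of why the probe rule is no longer deleted with `-D`, and both sites build the same probe rule string twice on the `-A` line while now differing from the pattern the rest of the file uses for removal. A one-line why-comment at each site would stop the next maintainer from restoring `-D`, e.g. `# -F rather than -D: iptables -D with -m set fails on some RHEL builds, leaving the probe set referenced`. Since Old_IPSet_Match and IPSet_Match now share the same add/flush sequence on the same `$sillyname` chain, folding the probe into a small private helper that takes the match option (`--set` vs `--match-set`) would keep the two from drifting apart again. The chain/set teardown is not in this hunk, so I cannot tell whether an ignored flush failure is caught later; if not, `qt1` returning false here deserves at least a warning.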
@@ -68,7 +68,11 @@ blacklist - Static - blacklisting. + blacklisting (deprecated) + + conntrack - + Specify helpers for connections or exempt certain traffic from + netfilter connection tracking. exclusion - @@ -92,7 +96,8 @@ - How to define nested zones. notrack - - Exclude certain traffic from Netfilter6 connection tracking + - Exclude certain traffic from Netfilter6 connection tracking + (deprecated) params - Assign values to shell variables used in other files. @@ -108,9 +113,8 @@ url="manpages6/shorewall6-proxyndp.html">proxyndp - Defines Proxy NDP - rtrules - - Define routing rules. + rtrules + - Define routing rules. routes - (Added in Shorewall 4.4.15) Add additional routes to provider routing diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 654185c52..f5d8d16e3 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -122,7 +122,7 @@ (shorewall-lite, and shorewall6-lite) will create a directory under the specified path name to hold state information. - Example: + Example:
VARDIR=/opt/var/ @@ -152,18 +152,18 @@ ?ENDIF
- If they are to be processed only if TC_ENABLED=Internal, then + If they are to be processed only if TC_ENABLED=Internal, then enclose them in
?IF TC_ENABLED eq 'Internal' - ... + ... ?ENDIF.
- + @@ -172,27 +172,29 @@ files are still processed by the compiler.
Note that blacklist files may be converted to equivalent blrules - files using shorewall[6] update -b. + files using shorewall[6] update -b. - In Shorewall 4.5.7, the + In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7, the conntrack file will be installed along side of an existing notrack file. - When both files exist, a compiler warning is generated: + + + If the 'notrack' file is non-empty, a warning message is issued + during compilation:
- WARNING: Both /etc/shorewall/notrack and - /etc/shorewall/conntrack exist; /etc/shorewall/conntrack is - ignored + WARNING: Non-empty notrack file (...); please move its + contents to the conntrack file
- This warning may be eliminated by moving any entries in the - notrack file to the - conntrack file and removing the - notrack file. + This warning can be eliminated by removing the notrack file (if + it has no entries), or by moving its entries to the conntrack file and + removing the notrack file. Note that the conntrack file is always + populated with rules