Merge branch 'master' into 5.2.4

# Conflicts:
#	Shorewall/Perl/Shorewall/Config.pm

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2020-03-06 13:07:00 -08:00
commit 639dc86e1b
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
14 changed files with 48 additions and 12 deletions

1
.gitignore vendored

@ -1 +0,0 @@
*targetname


@ -0,0 +1 @@
5.2.3.7


@ -0,0 +1 @@
5.2.3.7


@ -115,8 +115,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {
if ( $command & $RESET_CMD ) {
require_capability 'MARK_ANYWHERE', '"reset"', 's';
print "Resetting....\n";
my $mark = $globals{EVENT_MARK};
#
# The event mark bit must be within 32 bits


@ -9264,7 +9264,7 @@ sub create_netfilter_load( $ ) {
emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
} elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode;
emit( qq([ "\$g_dockerisostage" = Two ] && echo ":$name - [0:0]" >&3) );
emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
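Review bot: The shell test emitted for chains matching `/^DOCKER-ISOLATION/` depends on a variable that is assigned in a different file (the `chain_exists DOCKER-ISOLATION-STAGE-1 && ...` line in the generate_script_2 section of this commit), and nothing at either site records that coupling. The +/- markers are lost on this page, but the two variants shown test the variable with `= Two` and with `-n`, while the setter only ever assigns `Yes`; when the two sides disagree the `echo ":$name - [0:0]" >&3` is skipped without any error, so the isolation chains would presumably be dropped from the restore input and Docker's network isolation rules would not survive a restart or reload. I would add a comment above this branch, e.g. `# g_dockerisostage is set to Yes by generate_script_2() when DOCKER-ISOLATION-STAGE-1 exists; keep the name and the test in sync`. create_netfilter_load's body starts and ends outside this hunk.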


@ -270,8 +270,8 @@ sub generate_script_2() {
);
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
emit( 'chain_exists DOCKER-ISOLATION && dockeriso=Yes' );
emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes' );
emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
}
pop_indent;
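Review bot: Only `DOCKER-ISOLATION-STAGE-1` is probed before the stage flag is set, yet the consumer in create_netfilter_load (shown in another section of this commit) applies that single flag to every chain whose name matches `/^DOCKER-ISOLATION/`. If STAGE-1 is meant to stand in for the whole staged set, a comment next to the probe would make that explicit, e.g. `# STAGE-1 present implies the other staged isolation chains exist too`. It is also not visible here whether `g_dockeriso` and `g_dockerisostage` are cleared before these probes; because the consumer tests `-n`, a value left over from the environment would count as set, so it is worth confirming that the `emit` which closes just above the hunk, or the script prologue, assigns them empty first. generate_script_2's body extends beyond the hunk.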


@ -5274,7 +5274,7 @@ sub require_mangle_capability( $$$ ) {
if ( $config{MANGLE_ENABLED} ) {
&require_capability( @_ );
} else {
fatal_error "$description " . ( $singular ? 'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{product}.conf";
fatal_error "$description " . ( $singular ? 'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf";
}
}
@ -6959,9 +6959,7 @@ sub get_configuration( $$$ ) {
}
default 'RESTOREFILE' , 'restore';
default 'DROP_DEFAULT' , 'none';
default 'REJECT_DEFAULT' , 'none';
default 'BLACKLIST_DEFAULT' , 'none';
default 'QUEUE_DEFAULT' , 'none';
@ -7026,9 +7024,8 @@ sub get_configuration( $$$ ) {
require_capability( 'MULTIPORT' , "Shorewall $globals{VERSION}" , 's' );
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
require_mangle_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0;
require_mangle_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{PROVIDER_OFFSET} > 0;
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
if ( $config{WARNOLDCAPVERSION} ) {
if ( $capabilities{CAPVERSION} ) {
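Review bot: The mis-cased hash key in require_mangle_capability's `fatal_error` message (`$shorewallrc{product}` against `$shorewallrc{PRODUCT}`) can only surface when the `MANGLE_ENABLED=No` branch actually fires, which suggests that failure path has no test; a small regression test asserting the message names the product's `.conf` file would catch a repeat. The +/- markers are lost on this page, but the last hunk shows the `XCONNMARK` and `MANGLE_ENABLED` checks both as `require_mangle_capability(...)` and as plain `require_capability(...)`. If the plain form is the new side, those two checks no longer pass through the corrected message, so it is worth confirming that require_mangle_capability still has callers outside these hunks and that users with `MANGLE_ENABLED=No` still get an error that names the setting. The function bodies are only partly inside the hunks.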


@ -0,0 +1 @@
5.2.3.7


@ -0,0 +1 @@
5.2.3.7


@ -0,0 +1 @@
5.2.3.7


@ -13,6 +13,10 @@
<surname>Eastep</surname>
</author>
<author>
<surname>J Cliff Armstrong</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
@ -20,6 +24,8 @@
<copyright>
<year>2016</year>
<year>2020</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -57,6 +63,35 @@
<command>restart</command> or <command>reload</command> operation and
restores those rules along with the Shorewall-generated ruleset.</para>
<important>
<para>Shorewall currently doesn't support Docker Swarm mode.</para>
</important>
<warning>
<para>On Debian and Debian-derived systems, <command>systemctl restart
shorewall</command> will lose Docker rules. You can work around this
issue using a method provided by J Cliff Armstrong:</para>
<para>Type as root:</para>
<programlisting><command>systemctl edit shorewall.service</command></programlisting>
<para>This will open the default terminal editor to a blank file in
which you can paste the following:</para>
<programlisting>[Service]
# reset ExecStop
ExecStop=
# set ExecStop to "stop" instead of "clear"
ExecStop=/sbin/shorewall $OPTIONS stop
</programlisting>
<para> Then type <command>systemctl daemon-reload </command>to activate
the changes. This change will survive future updates of the shorewall
package from apt repositories. The override file itself will be saved to
`/etc/systemd/system/shorewall.service.d/`. </para>
</warning>
<para>This support assumes that the default Docker bridge (docker0) is
being used. It is recommended that this bridge be defined to Shorewall in
<ulink

1
docs/docs-targetname Normal file

@ -0,0 +1 @@
5.2.3.7


@ -0,0 +1 @@
5.2.3.7