diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index ed08228dd..a1ccc818f 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -354,9 +354,9 @@ sub generate_script_3($) {
emit '';
- load_ipsets;
-
if ( $family == F_IPV4 ) {
+ load_ipsets;
+
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
' run_refresh_exit' ,
'else' ,
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 0ab84ff4e..b04691b14 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,7 +2,10 @@ Changes in Shorewall 4.4.20.1
1) Corrected FSF address.
-2) Don't modify configfiles/shorewall.conf & configfiles/shorewall6.conf.
+2) Don't modify configfiles/shorewall.conf &
+ configfiles/shorewall6.conf.
+
+3) Change 'plain' default.
Changes in Shorewall 4.4.20 Final
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index 44c15f864..f2db9fbd2 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -31,7 +31,7 @@ usage() # $1 = exit status
echo " $ME -v"
echo " $ME -h"
echo " $ME -s"
- echo " $ME -p"
+ echo " $ME -f"
exit $1
}
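Review bot: The usage text now advertises `$ME -f`, but the option parser in this file (the `while [ $finished -eq 0 ]` hunk further down) adds an `a*)` case, not an `f*)` one, and the Shorewall6 installer's usage lists `-a` for the same feature; unless an `f*)` case exists outside the hunk this line should read `echo "  $ME -a"`. Note also that the `p*)` case is kept while `PLAIN=Yes` becomes the default, so `-p` is now a no-op that the usage text no longer mentions; either document it as the default or drop the case so the two stay in sync.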
@@ -106,6 +106,7 @@ if [ -z "$INIT" ] ; then
INIT="shorewall"
fi
+PLAIN=Yes
SPARSE=
MANDIR=${MANDIR:-"/usr/share/man"}
[ -n "${LIBEXEC:=/usr/share}" ]
@@ -184,6 +185,10 @@ while [ $finished -eq 0 ]; do
SPARSE=Yes
option=${option#s}
;;
+ a*)
+ PLAIN=
+ option=${option#a}
+ ;;
p*)
PLAIN=Yes
option=${option#p}
@@ -323,14 +328,14 @@ if [ -n "$DESTDIR" ]; then
chmod 755 ${DESTDIR}/etc/logrotate.d
fi
-if [ -n "$PLAIN" ]; then
- mkdir plain/
- cp configfiles/* plain/
- for f in plain/*.plain; do
- mv $f ${f%.plain}
+if [ -z "$PLAIN" ]; then
+ mkdir annotated/
+ cp configfiles/* annotated/
+ for f in annotated/*.annotated; do
+ mv $f ${f%.annotated}
done
- CONFIGFILES=plain
+ CONFIGFILES=annotated
else
CONFIGFILES=configfiles
fi
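Review bot: `mkdir annotated/` is unchecked, so a leftover `annotated/` from an earlier interrupted run (the `rm -rf annotated/` cleanup only runs at the very end) makes mkdir fail, the `cp` then lands in the stale directory and whatever it contains gets installed; I cannot see whether `set -e` is in effect, so hedge accordingly. Guarding the setup with `rm -rf annotated/ && mkdir annotated/ || exit 1` (or the script's own error helper) closes that hole, and quoting `"$f"` / `"${f%.annotated}"` in the `mv` keeps the loop safe for unusual names. The same pattern appears in the Shorewall6/install.sh hunk at `@@ -387,16 +372,39 @@`, where it matters more: `cd annotated` is unchecked there too, and the config-file installation that follows now uses the relative path `shorewall6.conf`, so a failed `cd` would run `run_install` from the wrong directory.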
@@ -826,7 +831,7 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/actions ]; then
echo "Actions file installed as ${DESTDIR}/etc/shorewall/actions"
fi
-rm -rf plain/
+rm -rf annotated/
#
# Install the Makefiles
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 00dad0414..c66b86bc8 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -260,13 +260,13 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
message.
10) The Shorewall and Shorewall6 configuration files (including the
- samples) are now annotated with documentation from the associated
+ samples) may now be annotated with documentation from the associated
manpage.
- The installers for these two packages support a -p (plain)
- option that installs unannotated versions of the packages. Both
+ The installers for these two packages support a -a (annotated)
+ option that installs annotated versions of the packages. Both
versions are available in the configfiles directory within the
- tarball.
+ tarball and in the Sample directories.
11) The STATE subcolumn of the secmarks file now allows the values 'I'
which will match packets in the INVALID state, and 'NI'
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index 83bc6bc17..315becdfb 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -30,6 +30,8 @@ usage() # $1 = exit status
echo "usage: $ME"
echo " $ME -v"
echo " $ME -h"
+ echo " $ME -s"
+ echo " $ME -a"
exit $1
}
@@ -104,6 +106,7 @@ if [ -z "$INIT" ] ; then
INIT="shorewall6"
fi
+PLAIN=Yes
DEBIAN=
CYGWIN=
MAC=
@@ -183,6 +186,10 @@ while [ $finished -eq 0 ]; do
SPARSE=Yes
option=${option#s}
;;
+ a*)
+ PLAIN=
+ option=${option#a}
+ ;;
p*)
PLAIN=Yes
option=${option#p}
@@ -314,28 +321,6 @@ if [ -n "$DESTDIR" ]; then
chmod 755 ${DESTDIR}/etc/logrotate.d
fi
-#
-# Install the config file
-#
-run_install $OWNERSHIP -m 0644 configfiles/shorewall6.conf ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
-
-if [ ! -f ${DESTDIR}/etc/shorewall6/shorewall6.conf ]; then
- run_install $OWNERSHIP -m 0644 configfiles/shorewall6.conf ${DESTDIR}/etc/shorewall6/shorewall6.conf
-
- if [ -n "$DEBIAN" ] && mywhich perl; then
- #
- # Make a Debian-like shorewall6.conf
- #
- perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${DESTDIR}/etc/shorewall6/shorewall6.conf
- fi
-
- echo "Config file installed as ${DESTDIR}/etc/shorewall6/shorewall6.conf"
-fi
-
-
-if [ -n "$ARCHLINUX" ] ; then
- sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6/shorewall6.conf
-fi
delete_file ${DESTDIR}/usr/share/shorewall6/compiler
delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting
delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions
@@ -387,16 +372,39 @@ echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6/conf
install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall6/actions.std"
-if [ -n "$PLAIN" ]; then
- mkdir plain
- cp configfiles/* plain/
- cd plain
- for f in *.plain; do
- mv -f $f ${f%.plain}
+if [ -z "$PLAIN" ]; then
+ mkdir annotated
+ cp configfiles/* annotated/
+ cd annotated
+ for f in *.annotated; do
+ mv -f $f ${f%.annotated}
done
else
cd configfiles
fi
+#
+# Install the config file
+#
+run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+
+if [ ! -f ${DESTDIR}/etc/shorewall6/shorewall6.conf ]; then
+ run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/etc/shorewall6/shorewall6.conf
+
+ if [ -n "$DEBIAN" ] && mywhich perl; then
+ #
+ # Make a Debian-like shorewall6.conf
+ #
+ perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${DESTDIR}/etc/shorewall6/shorewall6.conf
+ fi
+
+ echo "Config file installed as ${DESTDIR}/etc/shorewall6/shorewall6.conf"
+fi
+
+
+if [ -n "$ARCHLINUX" ] ; then
+ sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6/shorewall6.conf
+fi
+
#
# Install the init file
#
@@ -749,7 +757,7 @@ fi
cd ..
-[ -n "$PLAIN" ] && rm -rf plain/
+rm -rf annotated/
#
# Install the Makefiles
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index b3ef971f0..747026370 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -292,37 +292,6 @@ do_save() {
status=1
fi
- case ${SAVE_IPSETS:=No} in
- [Yy]es)
- case ${IPSET:=ipset} in
- */*)
- if [ ! -x "$IPSET" ]; then
- error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
- IPSET=
- fi
- ;;
- *)
- IPSET="$(mywhich $IPSET)"
- [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
- ;;
- esac
-
- if [ -n "$IPSET" ]; then
- if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then
- #
- # Don't save an 'empty' file
- #
- grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
- fi
- fi
- ;;
- [Nn]o)
- ;;
- *)
- error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
- ;;
- esac
-
return $status
}
@@ -388,34 +357,6 @@ show_routing() {
fi
}
-#
-# 'list dynamic' command executor
-#
-find_sets() {
- local junk
- local setname
-
- ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
-}
-
-list_zone() {
-
- local sets
- local setname
-
- [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
-
- sets=$(find_sets $1)
-
- for setname in $sets; do
- echo "${setname#${1}_}:"
- ipset -L $setname -n | awk 'BEGIN {prnt=0;}; \
- /^Members:/ {prnt=1; next; }; \
- /^Bindings:/ {prnt=0; }; \
- { if (prnt == 1) print " ", $1; };'
- done
-}
-
#
# Show Filter - For Shorewall6-lite, if there was an scfilter file at compile-time,
# then the compiler generated another version of this function and
@@ -731,13 +672,6 @@ show_command() {
fi
if [ $# -gt 0 ]; then
- if [ $1 = dynamic -a $# -gt 1 ]; then
- shift
- [ $# -eq 1 ] || usage 1
- list_zone $1
- return;
- fi
-
[ -n "$table_given" ] || for chain in $*; do
if ! qt $IP6TABLES -t $table -L $chain $g_ipt_options; then
error_message "ERROR: Chain '$chain' is not recognized by $IP6TABLES."
@@ -1000,6 +934,13 @@ restore_command() {
[ -n "$nolock" ] || mutex_on
if [ -x $g_restorepath ]; then
+ if [ -x ${g_restorepath}-ipsets ] ; then
+ echo Restoring Ipsets...
+ $IP6TABLES -F
+ $IP6TABLES -X
+ $SHOREWALL_SHELL ${g_restorepath}-ipsets
+ fi
+
progress_message3 "Restoring Shorewall6..."
run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"
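Review bot: The new block executes `${g_restorepath}-ipsets` during restore, but the only code in this file that produced that file — the `SAVE_IPSETS` branch of `do_save` — is deleted in the same commit, so unless another writer exists outside this diff the block is dead code, and a stale `-ipsets` file left by an earlier release would be re-applied on every restore. If Shorewall6 ipset support is really being removed (the `add`/`delete` executors and `list_zone` go too), this block should go with it; if it is meant to stay, `do_save` needs to keep writing the file. Also worth noting: `$IP6TABLES -F` and `$IP6TABLES -X` run before the saved ruleset is applied, so there is a window with no filtering in place; and `echo Restoring Ipsets...` bypasses the `progress_message3` convention used on the very next line.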
@@ -1144,191 +1085,6 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
done
}
-#
-# Replace commas with spaces and echo the result
-#
-separate_list() {
- local list
- list="$@"
- local part
- local newlist
- local firstpart
- local lastpart
- local enclosure
-
- case "$list" in
- *,|,*|*,,*|*[[:space:]]*)
- #
- # There's been whining about us not catching embedded white space in
- # comma-separated lists. This is an attempt to snag some of the cases.
- #
- echo "WARNING -- invalid comma-separated list \"$@\"" >&2
- ;;
- *\[*\]*)
- #
- # Where we need to embed comma-separated lists within lists, we enclose them
- # within square brackets.
- #
- firstpart=${list%%\[*}
- lastpart=${list#*\[}
- enclosure=${lastpart%%\]*}
- lastpart=${lastpart#*\]}
- case $lastpart in
- \,*)
- case $firstpart in
- *\,)
- echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})"
- ;;
- *)
- echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
- ;;
- esac
- ;;
- *)
- case $firstpart in
- *\,)
- echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
- ;;
- *)
- echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
- ;;
- esac
- ;;
- esac
- return
- ;;
- esac
-
- list="$@"
- part="${list%%,*}"
- newlist="$part"
-
- while [ "x$part" != "x$list" ]; do
- list="${list#*,}";
- part="${list%%,*}";
- newlist="$newlist $part";
- done
-
- echo "$newlist"
-}
-
-#
-# add command executor
-#
-add_command() {
- local interface host hostlist zone ipset
- if ! shorewall_is_started ; then
- echo "Shorewall Not Started" >&2
- exit 2
- fi
-
- case "$IPSET" in
- */*)
- ;;
- *)
- [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
- ;;
- esac
- #
- # Normalize host list
- #
- while [ $# -gt 1 ]; do
- interface=${1%%:*}
- host=${1#*:}
- [ "$host" = "$1" ] && host=
-
- if [ -z "$host" ]; then
- hostlist="$hostlist $interface:::/0"
- else
- for h in $(separate_list $host); do
- hostlist="$hostlist $interface:$h"
- done
- fi
-
- shift
- done
-
- zone=$1
-
- for host in $hostlist; do
- interface=${host%:*}
-
- ipset=${zone}_${interface};
-
- if ! qt $IPSET -L $ipset -n; then
- fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
- fi
-
- host=${host#*:}
-
- if $IPSET -A $ipset $host; then
- echo "Host $interface:$host added to zone $zone"
- else
- fatal_error "Unable to add $interface:$host to zone $zone"
- fi
- done
-
-}
-
-#
-# delete command executor
-#
-delete_command() {
- local interface host hostent hostlist zone ipset
- if ! shorewall_is_started ; then
- echo "Shorewall Not Started" >&2
- exit 2;
- fi
-
- case "$IPSET" in
- */*)
- ;;
- *)
- [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
- ;;
- esac
-
- #
- # Normalize host list
- #
- while [ $# -gt 1 ]; do
- interface=${1%%:*}
- host=${1#*:}
- [ "$host" = "$1" ] && host=
-
- if [ -z "$host" ]; then
- hostlist="$hostlist $interface:::/0"
- else
- for h in $(separate_list $host); do
- hostlist="$hostlist $interface:$h"
- done
- fi
-
- shift
- done
-
- zone=$1
-
- for hostent in $hostlist; do
- interface=${hostent%:*}
-
- ipset=${zone}_${interface};
-
- if ! qt $IPSET -L $ipset -n; then
- fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
- fi
-
- host=${hostent#*:}
-
- if $IPSET -D $ipset $host; then
- echo "Host $hostend deleted from zone $zone"
- else
- echo " WARNING: Unable to delete host $hostent to zone $zone" >&2
- fi
- done
-
-}
-
#
# 'hits' commmand executor
#
@@ -1778,8 +1534,10 @@ report_capabilities() {
report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH
- report_capability "Ipset Match" $IPSET_MATCH
- [ -n "$IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+ if [ -n "$IPSET_MATCH" ]; then
+ report_capability "Ipset Match" $IPSET_MATCH
+ [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+ fi
report_capability "CONNMARK Target" $CONNMARK
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH
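Review bot: "Ipset Match" is now omitted from the capability report entirely when `$IPSET_MATCH` is empty, whereas every neighbouring capability is always reported (`report_capability "Owner Match"`, `"CONNMARK Target"`, …), so a reader of `show capabilities` output loses the explicit "not available" line for this one item; anything that parses that output for the line would also change behaviour. If this is deliberate because ipset is no longer used by Shorewall6, say so in a comment, e.g. `# ipset is not used by Shorewall6; only report the capability when the kernel has it`, so the asymmetry does not look accidental. Otherwise the previous form, with only the OLD_Ipset line guarded, is the consistent one.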
diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6
index c25aee4fb..ad1624bf5 100755
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -1827,16 +1827,6 @@ case "$COMMAND" in
get_config
allow_command $@
;;
- add)
- get_config
- shift
- add_command $@
- ;;
- delete)
- get_config
- shift
- delete_command $@
- ;;
save)
get_config
[ -n "$g_debugging" ] && set -x
diff --git a/docs/Install.xml b/docs/Install.xml
index 18acc2965..7473f4fde 100644
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -174,18 +174,12 @@
- Beginning with shorewall 4.4.20, the installer also supports a
- (plain) option. Beginning with that release, the
- standard configuration files (including samples) are annotated with the
- contents of the associated manpage. The option
- suppresses that behavior such that the configuration files do not include
- documentation.
-
-
- Setting the PLAIN environmental
- variable to a non-empty value is equivalent to specifying
- .
-
+ Beginning with shorewall 4.4.20.1, the installer also supports a
+ (annotated) option. Beginning with that release, the
+ standard configuration files (including samples) may be annotated with the
+ contents of the associated manpage. The option enables
+ that behavior. The default remains that the configuration files do not
+ include documentation.Executables in /usr and Perl Modules
diff --git a/docs/standalone.xml b/docs/standalone.xml
index 2367b0462..56b32d0b3 100644
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@@ -201,18 +201,17 @@
copies.
- If you are installing Shorewall version 3.4.0 or later then as each
- file is introduced, I suggest that you look at the actual file on your
- system and that you look at the As each file is introduced, I suggest that you look at the actual
+ file on your system and that you look at the man page for that
file. For example, to look at the man page for the
/etc/shorewall/zones file, type man
shorewall-zones at a shell prompt.
- If you are installing a Shorewall version earlier than 3.4.0, then
- as each file is introduced, I suggest that you look through the actual
- file on your system -- each file contains detailed configuration
- instructions and default entries.
+ Note: Beginning with Shorewall 4.4.20.1, there are versions of the
+ sample files that are annotated with the corresponding manpage contents.
+ These files have names ending in '.annotated'. You might choose to look at
+ those files instead.Shorewall views the network where it is running as being composed of
a set of zones. In the one-interface sample
diff --git a/docs/three-interface.xml b/docs/three-interface.xml
index eddac848f..ae4f8ae0b 100644
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -232,18 +232,17 @@
- If you are installing Shorewall version 3.4.0 or later then as each
- file is introduced, I suggest that you look at the actual file on your
- system and that you look at the As each file is introduced, I suggest that you look at the actual
+ file on your system and that you look at the man page for that
file. For example, to look at the man page for the
/etc/shorewall/zones file, type man
shorewall-zones at a shell prompt.
- If you are installing a Shorewall version earlier than 3.4.0, then
- as each file is introduced, I suggest that you look through the actual
- file on your system -- each file contains detailed configuration
- instructions and default entries.
+ Note: Beginning with Shorewall 4.4.20.1, there are versions of the
+ sample files that are annotated with the corresponding manpage contents.
+ These files have names ending in '.annotated'. You might choose to look at
+ those files instead.Shorewall views the network where it is running as being composed of
a set of zones. In the three-interface sample configuration, the following
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index 7b3520195..d643afaee 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -214,18 +214,17 @@
- If you are installing Shorewall version 3.4.0 or later then as each
- file is introduced, I suggest that you look at the actual file on your
- system and that you look at the As each file is introduced, I suggest that you look at the actual
+ file on your system and that you look at the man page for that
file. For example, to look at the man page for the
/etc/shorewall/zones file, type man
shorewall-zones at a shell prompt.
- If you are installing a Shorewall version earlier than 3.4.0, then
- as each file is introduced, I suggest that you look through the actual
- file on your system -- each file contains detailed configuration
- instructions and default entries.
+ Note: Beginning with Shorewall 4.4.20.1, there are versions of the
+ sample files that are annotated with the corresponding manpage contents.
+ These files have names ending in '.annotated'. You might choose to look at
+ those files instead.Shorewall views the network where it is running as being composed of
a set of zones. In the two-interface sample configuration, the following