From 033d43b01419e640eac022ec899ff7e1cdcf1947 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 7 Oct 2010 14:19:09 -0700 Subject: [PATCH 01/16] Implement undocumented dumpfilter extension file --- Shorewall/Perl/Shorewall/Config.pm | 11 +++++++++ Shorewall/lib.cli | 36 +++++++++++++++++++++++++++++- Shorewall6/lib.cli | 36 +++++++++++++++++++++++++++++- 3 files changed, 81 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 8433159cf..8858fbeb0 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -3437,6 +3437,17 @@ sub generate_aux_config() { emit '}'; } + my $fn = find_file 'dumpfilter'; + + if ( -f $fn ) { + emit( '', + 'dump_filter() {' ); + push_indent; + append_file( $fn,1 ) or emit 'cat -'; + pop_indent; + emit '}'; + } + finalize_aux_config; } diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 6cfcefcb5..bf1012997 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -811,10 +811,40 @@ show_command() { esac } +# +# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time, +# then the compiler generated another version of this function and +# embedded it in the firewall.conf file. That version supersedes this +# one. +# +dump_filter() { + local filter + local command + local first + + command=${SHOREWALL_SHELL} + + filter=$(find_file dumpfilter) + + if [ -f $filter ]; then + first=$(head -n1 $filter) + + case $first in + \#!*) + command=${first#\#!} + ;; + esac + + $command $filter + else + cat - + fi +} + # # Dump Command Executor # -dump_command() { +do_dump_command() { local finished finished=0 @@ -1068,6 +1098,10 @@ read_yesno_with_timeout() { fi } +dump_command() { + do_dump_command | dump_filter +} + # # Print a heading with leading and trailing black lines # diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index 9294f9c5e..1da8b49bf 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli 
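Review bot: `append_file( $fn,1 ) or emit 'cat -'` makes the generated `dump_filter()` depend on append_file's return value for its pass-through fallback, and nothing in the hunk records what that value means or that the dumpfilter contents are copied verbatim as shell code into the compiled firewall script (which presumably runs with the firewall's privileges, so the file deserves the same ownership and permission expectations as the other extension scripts). A comment above `if ( -f $fn )` would close that gap, e.g. `# Embed the optional dumpfilter extension script as dump_filter() in the generated script; if append_file() reports that nothing was copied, emit a pass-through 'cat -' so the dump pipeline still produces output.` The subject line calls the extension file undocumented, yet the patch adds nothing to changelog.txt or releasenotes.txt, so neither the file's purpose nor the shebang convention that the shell-side dump_filter() in lib.cli relies on is written down anywhere a user would see. generate_aux_config() starts before the hunk.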
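Review bot: `if [ -f $filter ]`, `first=$(head -n1 $filter)` and `$command $filter` all leave `$filter` unquoted; should `find_file dumpfilter` (defined elsewhere) ever return an empty string, the test collapses to `[ -f ]`, which is true, and `head -n1` then reads the dump itself from stdin, so the function silently consumes its input instead of passing it through. Quote the three uses, `if [ -f "$filter" ]; then`, `first=$(head -n1 "$filter")` and `$command "$filter"`, keeping `$command` unquoted so any interpreter options carried in the shebang line remain separate words. The identical dump_filter() is added to Shorewall6/lib.cli in the next file of this patch and needs the same change.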
@@ -686,10 +686,40 @@ show_command() { esac } +# +# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time, +# then the compiler generated another version of this function and +# embedded it in the firewall.conf file. That version supersedes this +# one. +# +dump_filter() { + local filter + local command + local first + + command=${SHOREWALL_SHELL} + + filter=$(find_file dumpfilter) + + if [ -f $filter ]; then + first=$(head -n1 $filter) + + case $first in + \#!*) + command=${first#\#!} + ;; + esac + + $command $filter + else + cat - + fi +} + # # Dump Command Executor # -dump_command() { +do_dump_command() { local finished finished=0 @@ -833,6 +863,10 @@ dump_command() { fi } +dump_command() { + do_dump_command | dump_filter +} + # # Restore Comand Executor # From 17860cacd8fd667bd3f5a7ec06b90a411a738988 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 7 Oct 2010 14:35:03 -0700 Subject: [PATCH 02/16] Move dump_command() to a more logical place in the file Signed-off-by: Tom Eastep --- Shorewall/lib.cli | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index bf1012997..5b1275cac 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -990,6 +990,10 @@ do_dump_command() { fi } +dump_command() { + do_dump_command | dump_filter +} + # # Restore Comand Executor # @@ -1098,10 +1102,6 @@ read_yesno_with_timeout() { fi } -dump_command() { - do_dump_command | dump_filter -} - # # Print a heading with leading and trailing black lines # From a3df46443e66aba81c4b151080273a12a4a0ea52 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 9 Oct 2010 09:53:42 -0700 Subject: [PATCH 03/16] Don't specify FORWARD_CLEAR_MARK=Yes in the Universal configuration --- Samples/Universal/shorewall.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Samples/Universal/shorewall.conf b/Samples/Universal/shorewall.conf index 737641019..34f7e68c3 100644 
--- a/Samples/Universal/shorewall.conf +++ b/Samples/Universal/shorewall.conf @@ -190,7 +190,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=Yes -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=Yes From 11f2c7772aadc53e67d09f5ef630ba8a3dfd5dde Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 9 Oct 2010 11:28:13 -0700 Subject: [PATCH 04/16] Clear FORWARD_CLEAR_MARK setting in the remaining config files --- Samples/one-interface/shorewall.conf | 2 +- Samples/three-interfaces/shorewall.conf | 2 +- Samples/two-interfaces/shorewall.conf | 2 +- Samples6/Universal/shorewall6.conf | 2 +- Samples6/one-interface/shorewall6.conf | 2 +- Samples6/three-interfaces/shorewall6.conf | 2 +- Samples6/two-interfaces/shorewall6.conf | 2 +- Shorewall/configfiles/shorewall.conf | 2 +- docs/ProxyARP.xml | 74 ++++++++++++----------- 9 files changed, 47 insertions(+), 43 deletions(-) diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf index 961892a9c..1f6622689 100644 --- a/Samples/one-interface/shorewall.conf +++ b/Samples/one-interface/shorewall.conf @@ -201,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf index 6aa1bb45a..416a8cd96 100644 --- a/Samples/three-interfaces/shorewall.conf +++ b/Samples/three-interfaces/shorewall.conf @@ -201,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf index 9ec4646f9..a67fa4dcf 100644 --- a/Samples/two-interfaces/shorewall.conf +++ b/Samples/two-interfaces/shorewall.conf @@ -208,7 +208,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples6/Universal/shorewall6.conf b/Samples6/Universal/shorewall6.conf index bc426d178..00918626f 100644 
--- a/Samples6/Universal/shorewall6.conf +++ b/Samples6/Universal/shorewall6.conf @@ -153,7 +153,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=Yes -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=Yes diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf index 462f02533..8723366fc 100644 --- a/Samples6/one-interface/shorewall6.conf +++ b/Samples6/one-interface/shorewall6.conf @@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf index 4b763d7d1..bd64d6007 100644 --- a/Samples6/three-interfaces/shorewall6.conf +++ b/Samples6/three-interfaces/shorewall6.conf @@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf index 25f807bb0..04a862281 100644 --- a/Samples6/two-interfaces/shorewall6.conf +++ b/Samples6/two-interfaces/shorewall6.conf @@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 83ffaf765..aad11f48c 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -190,7 +190,7 @@ LOAD_HELPERS_ONLY=No REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/docs/ProxyARP.xml b/docs/ProxyARP.xml index c84e1b88c..798c056d6 100644 --- a/docs/ProxyARP.xml +++ b/docs/ProxyARP.xml 
@@ -34,46 +34,50 @@ - Proxy ARP (RFC 1027) is a way to make a machine physically located on - one network appear to be logically part of a different physical network - connected to the same router/firewall. Typically it allows us to hide a - machine with a public IP address on a private network behind a router, and - still have the machine appear to be on the public network "in front of" the - router. The router "proxys" ARP requests and all network traffic to and from - the hidden machine to make this fiction possible. +
+ Overview - Consider a router with two interface cards, one connected to a public - network PUBNET and one connected to a private network PRIVNET. We want to - hide a server machine on the PRIVNET network but have it accessible from the - PUBNET network. The IP address of the server machine lies in the PUBNET - network, even though we are placing the machine on the PRIVNET network - behind the router. + Proxy ARP (RFC 1027) is a way to make a machine physically located + on one network appear to be logically part of a different physical network + connected to the same router/firewall. Typically it allows us to hide a + machine with a public IP address on a private network behind a router, and + still have the machine appear to be on the public network "in front of" + the router. The router "proxys" ARP requests and all network traffic to + and from the hidden machine to make this fiction possible. - By enabling proxy ARP on the router, any machine on the PUBNET network - that issues an ARP "who has" request for the server's MAC address will get a - proxy ARP reply from the router containing the router's MAC address. This - tells machines on the PUBNET network that they should be sending packets - destined for the server via the router. The router forwards the packets from - the machines on the PUBNET network to the server on the PRIVNET - network. + Consider a router with two interface cards, one connected to a + public network PUBNET and one connected to a private network PRIVNET. We + want to hide a server machine on the PRIVNET network but have it + accessible from the PUBNET network. The IP address of the server machine + lies in the PUBNET network, even though we are placing the machine on the + PRIVNET network behind the router. - Similarly, when the server on the PRIVNET network issues a "who has" - request for any machines on the PUBNET network, the router provides its own - MAC address via proxy ARP. 
This tells the server to send packets for - machines on the PUBNET network via the router. The router forwards the - packets from the server on the PRIVNET network to the machines on the PUBNET - network. + By enabling proxy ARP on the router, any machine on the PUBNET + network that issues an ARP "who has" request for the server's MAC address + will get a proxy ARP reply from the router containing the router's MAC + address. This tells machines on the PUBNET network that they should be + sending packets destined for the server via the router. The router + forwards the packets from the machines on the PUBNET network to the server + on the PRIVNET network. - The proxy ARP provided by the router allows the server on the - PRIVNETnetwork to appear to be on the PUBNET network. It lets the router - pass ARP requests and other network packets in both directions between the - server machine and the PUBNET network, making the server machine appear to - be connected to the PUBNET network even though it is on the PRIVNET network - hidden behind the router. + Similarly, when the server on the PRIVNET network issues a "who has" + request for any machines on the PUBNET network, the router provides its + own MAC address via proxy ARP. This tells the server to send packets for + machines on the PUBNET network via the router. The router forwards the + packets from the server on the PRIVNET network to the machines on the + PUBNET network. - Before you try to use this technique, I strongly recommend that you - read the Shorewall Setup - Guide. + The proxy ARP provided by the router allows the server on the + PRIVNETnetwork to appear to be on the PUBNET network. It lets the router + pass ARP requests and other network packets in both directions between the + server machine and the PUBNET network, making the server machine appear to + be connected to the PUBNET network even though it is on the PRIVNET + network hidden behind the router. 
+ + Before you try to use this technique, I strongly recommend that you + read the Shorewall Setup + Guide. +
Example From 28e473d9a1d4743b4118e1e609812c81fa2fc026 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 10 Oct 2010 07:44:00 -0700 Subject: [PATCH 05/16] Document change to FORWARD_CLEAR_MARK default Signed-off-by: Tom Eastep --- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 70d6fa1c5..44af3715f 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -19,6 +19,8 @@ Changes in Shorewall 4.4.14 9) Delete obsolete options from shorewall.conf. +10) Change value of FORWARD_CLEAR_MARK in *.conf. + Changes in Shorewall 4.4.13 1) Allow zone lists in rules SOURCE and DEST. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index cd3869003..1e78ef405 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -71,6 +71,18 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES They will still be recognized by the rules compiler. +9) All sample .conf files have been changed to specify + + FORWARD_CLEAR_MARK= + + rather than + + FORWARD_CLEAR_MARK=Yes + + That way, systems without MARK support will still be able to + install the sample configurations and FORWARD_CLEAR_MARK will + default to Yes on systems with MARK support. + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- From 8041569f14fd548ee3d48a9fbdc408e8543ca2f9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 10 Oct 2010 08:28:38 -0700 Subject: [PATCH 06/16] Revise Vserver article --- docs/Vserver.xml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/docs/Vserver.xml b/docs/Vserver.xml index d1d234391..46ebccdb4 100644 --- a/docs/Vserver.xml +++ b/docs/Vserver.xml @@ -114,7 +114,7 @@ gateway:~#
Vserver Zones - Here is a diagram of the network configuration here at Shorewall.net + This is a diagram of the network configuration here at Shorewall.net during the summer of 2010: @@ -131,6 +131,12 @@ net ipv4 #Internet vpn ipv4 #OpenVPN clients dmz vserver #Vservers + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +net eth1 detect dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp +... + /etc/shorewall/hosts: #ZONE HOST(S) OPTIONS @@ -160,10 +166,16 @@ vpn ipv6 dmz vserver + /etc/shorewall6/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +net sit1 detect tcpflags,forward=1,nosmurfs,routeback +... + /etc/shorewall6/hosts: #ZONE HOST(S) OPTIONS -dmz sit1:[2001:470:e857:1::/64] +dmz sit1:[2001:470:e857:1::/64] Note that I choose to place the Vservers on sit1 (the IPv6 net interface) rather than on eth1. Again, it really doesn't matter From 3ec6185f7279e439f8bd33b9b525ae8777666e51 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 13 Oct 2010 08:42:35 -0700 Subject: [PATCH 07/16] Run update-rc.d on Debian Signed-off-by: Tom Eastep --- Shorewall-init/install.sh | 7 ++----- Shorewall-lite/install.sh | 2 ++ Shorewall/changelog.txt | 2 ++ Shorewall/install.sh | 6 +----- Shorewall/releasenotes.txt | 3 +++ Shorewall6-lite/install.sh | 6 +----- Shorewall6/install.sh | 6 +----- 7 files changed, 12 insertions(+), 20 deletions(-) diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index 78f52d422..912936500 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -285,11 +285,8 @@ fi if [ -z "$DESTDIR" ]; then if [ -n "$first_install" ]; then if [ -n "$DEBIAN" ]; then - if [ -x /sbin/insserv ]; then - insserv /etc/init.d/shorewall-init - else - ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init - fi + + update-rc.d shorewall-init defaults echo "Shorewall Init will start automatically at boot" else diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index b1cb2f64c..a22d7c661 100755 
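Review bot: `update-rc.d shorewall-init defaults` replaces the insserv/`ln -sf` block without checking its exit status, so a failed link installation goes unreported although the script otherwise narrates what it did; `update-rc.d shorewall-init defaults || echo "WARNING: update-rc.d failed; init links were not created"` keeps the existing echo-style reporting. The removed branch placed the start link in rcS.d (S38), whereas `defaults` normally installs runlevel 2–5 start links, so the point in the boot sequence at which the firewall starts changes for fresh installs; if that is intended, it is worth saying so next to changelog item 11. The same replacement is made in Shorewall/install.sh, Shorewall6-lite/install.sh and Shorewall6/install.sh, but Shorewall-lite/install.sh instead inserts `update-rc.d shorewall-lite defaults` above the `if [ -x /sbin/insserv ]` block it keeps, so on insserv systems both mechanisms run; dropping that block there would make the five scripts consistent. The enclosing `if` chain opens and closes outside the hunk.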
--- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -355,6 +355,8 @@ if [ -z "$DESTDIR" ]; then if [ -n "$DEBIAN" ]; then run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite + update-rc.d shorewall-lite defaults + if [ -x /sbin/insserv ]; then insserv /etc/init.d/shorewall-lite else diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 44af3715f..c4f03706c 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -21,6 +21,8 @@ Changes in Shorewall 4.4.14 10) Change value of FORWARD_CLEAR_MARK in *.conf. +11) Use update-rc.d to install init symlinks. + Changes in Shorewall 4.4.13 1) Allow zone lists in rules SOURCE and DEST. diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 7c305e1e1..bc63e068b 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -887,11 +887,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then if [ -n "$DEBIAN" ]; then install_file default.debian /etc/default/shorewall 0644 - if [ -x /sbin/insserv ]; then - insserv /etc/init.d/shorewall - else - ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall - fi + update-rc.d shorewall defaults echo "shorewall will start automatically at boot" echo "Set startup=1 in /etc/default/shorewall to enable" diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 1e78ef405..a609dce35 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -83,6 +83,9 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES install the sample configurations and FORWARD_CLEAR_MARK will default to Yes on systems with MARK support. +10) The install scripts in the tarballs now correctly create init + symlinks on recent Ubuntu releases. + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 564cc8c52..78e8690db 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -351,11 +351,7 @@ if [ -z "$DESTDIR" ]; then if [ -n "$DEBIAN" ]; then run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite - if [ -x /sbin/insserv ]; then - insserv /etc/init.d/shorewall6-lite - else - ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite - fi + update-rc.d shorewall6-lite defaults echo "Shorewall6 Lite will start automatically at boot" else diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index ff31c2410..0b757a23f 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -738,11 +738,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then if [ -n "$DEBIAN" ]; then run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6 - if [ -x /sbin/insserv ]; then - insserv /etc/init.d/shorewall6 - else - ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6 - fi + update-rc.d shorewall6 defaults echo "shorewall6 will start automatically at boot" echo "Set startup=1 in /etc/default/shorewall6 to enable" From ded852e0eeb7177b8dbb7278947b2fb1fc1845ff Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 19 Oct 2010 08:42:35 -0700 Subject: [PATCH 08/16] Fix compilation warning --- Shorewall/Perl/Shorewall/Config.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 8858fbeb0..ac6b0f602 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -3437,7 +3437,7 @@ sub generate_aux_config() { emit '}'; } - my $fn = find_file 'dumpfilter'; + $fn = find_file 'dumpfilter'; if ( -f $fn ) { emit( '', From 4a85d7f6426ed9a7e693ed797576e563a678d834 Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Thu, 21 Oct 2010 07:56:33 -0700 Subject: [PATCH 09/16] Correct typo in upgrade issues --- docs/upgrade_issues.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index e1e88efd6..1ba8f2129 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -285,7 +285,7 @@ - Explicitly set LOG_MARTIONS=No to maintain compatibility + Explicitly set LOG_MARTIANS=No to maintain compatibility with prior versions of Shorewall. From 1060b201dd0b3d77e55e46b6b3e0e5e8cce13ce9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 23 Oct 2010 21:40:22 -0700 Subject: [PATCH 10/16] Update version to 4.4.14 --- Shorewall-init/install.sh | 2 +- Shorewall-init/shorewall-init.spec | 4 +++- Shorewall-init/uninstall.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite.spec | 4 +++- Shorewall-lite/uninstall.sh | 2 +- Shorewall/Perl/Shorewall/Config.pm | 2 +- Shorewall/install.sh | 2 +- Shorewall/known_problems.txt | 2 +- Shorewall/releasenotes.txt | 1 - Shorewall/shorewall.spec | 4 +++- Shorewall/uninstall.sh | 2 +- Shorewall6-lite/install.sh | 2 +- Shorewall6-lite/shorewall6-lite.spec | 4 +++- Shorewall6-lite/uninstall.sh | 2 +- Shorewall6/install.sh | 2 +- Shorewall6/shorewall6.spec | 4 +++- Shorewall6/uninstall.sh | 2 +- 18 files changed, 27 insertions(+), 18 deletions(-) diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index 912936500..c56278b53 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec index 4b20d4483..7094adc89 100644 --- a/Shorewall-init/shorewall-init.spec +++ b/Shorewall-init/shorewall-init.spec 
@@ -1,6 +1,6 @@ %define name shorewall-init %define version 4.4.14 -%define release 0RC1 +%define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -99,6 +99,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Oct 23 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.14-0base * Wed Oct 06 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.14-0RC1 * Fri Oct 01 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index 984cf5e59..8df7469c5 100755 --- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index a22d7c661..d0deb16d1 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 31c53b685..85a85c23e 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,6 +1,6 @@ %define name shorewall-lite %define version 4.4.14 -%define release 0RC1 +%define release 0base Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} @@ -102,6 +102,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Oct 23 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.14-0base * Wed Oct 06 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.14-0RC1 * Fri Oct 01 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index e973ef186..3bd107637 100755 
--- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index ac6b0f602..e9b7c0539 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -347,7 +347,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0, - VERSION => "4.4.14-RC1", + VERSION => "4.4.14", CAPVERSION => 40413 , ); diff --git a/Shorewall/install.sh b/Shorewall/install.sh index bc63e068b..30abdec45 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index 7f3855224..698434395 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -1 +1 @@ -There are no known problems in Shorewall 4.4.14-RC1 +There are no known problems in Shorewall 4.4.14 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index a609dce35..92cbb1b45 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,6 +1,5 @@ ---------------------------------------------------------------------------- S H O R E W A L L 4 . 4 . 1 4 - R C 1 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index ccd539d33..1e4fa8ccc 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec 
@@ -1,6 +1,6 @@ %define name shorewall %define version 4.4.14 -%define release 0RC1 +%define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -108,6 +108,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Sat Oct 23 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.14-0base * Wed Oct 06 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.14-0RC1 * Fri Oct 01 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index 058b109f7..5a31b77cb 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index 78e8690db..7886070f6 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index 7cf7c8bad..da0e87e13 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec @@ -1,6 +1,6 @@ %define name shorewall6-lite %define version 4.4.14 -%define release 0RC1 +%define release 0base Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -93,6 +93,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Oct 23 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.14-0base * Wed Oct 06 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.14-0RC1 * Fri Oct 01 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 3dd177273..ac1d6de7d 100755 
--- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index 0b757a23f..67e90423d 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index d5a698458..5df80eb5f 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,6 +1,6 @@ %define name shorewall6 %define version 4.4.14 -%define release 0RC1 +%define release 0base Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -98,6 +98,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Sat Oct 23 2010 Tom Eastep tom@shorewall.net +- Updated to 4.4.14-0base * Wed Oct 06 2010 Tom Eastep tom@shorewall.net - Updated to 4.4.14-0RC1 * Fri Oct 01 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index c37fffafa..d806f565a 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.14-RC1 +VERSION=4.4.14 usage() # $1 = exit status { From f2ab0680441b381e1c9e64c18b34d5f73109a6aa Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 26 Oct 2010 06:49:55 -0700 Subject: [PATCH 11/16] Fix split_list() --- Shorewall/Perl/Shorewall/Config.pm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index e9b7c0539..9dc2f6110 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1475,11 +1475,12 @@ sub split_list1( $$ ) { if ( ( $count = tr/(/(/ ) > 0 ) { fatal_error "Invalid $type list ($list)" if $element || $count > 1; + s/\(//; if ( ( $count = tr/)/)/ ) > 0 ) { fatal_error "Invalid $type list ($list)" if $count > 1; + s/\)//; push @list2 , $_; } else { - s/\(//; $element = $_; } } elsif ( ( $count = tr/)/)/ ) > 0 ) { From 6c90046ab5761af07ecd5cd6b779a47f423b12d5 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 26 Oct 2010 06:55:01 -0700 Subject: [PATCH 12/16] Document fix for split_list() --- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index c4f03706c..770b45ba2 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -23,6 +23,8 @@ Changes in Shorewall 4.4.14 11) Use update-rc.d to install init symlinks. +12) Fix split_list(). + Changes in Shorewall 4.4.13 1) Allow zone lists in rules SOURCE and DEST. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 92cbb1b45..d891158c7 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -85,6 +85,15 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 10) The install scripts in the tarballs now correctly create init symlinks on recent Ubuntu releases. +11) Previously, this entry in the OPTIONS column of + /etc/shorewall/interfaces incorrectly generated a syntax error. + + nets=(1.2.3.0/24) + + The error was: + + ERROR: Invalid VLSM (24)) + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 
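Review bot: The new `s/\(//;` and `s/\)//;` strip the first parenthesis wherever it occurs, so once the `$count > 1` checks pass an element such as `1.2(.3.0/24` is quietly turned into `1.2.3.0/24` rather than left for later validation to reject; anchoring them, `s/^\(//;` and `s/\)$//;`, still fixes the `nets=(1.2.3.0/24)` case from the release notes while leaving a misplaced paren in place. The closing-paren `elsif ( ( $count = tr/)/)/ ) > 0 )` branch that ends a multi-element group is outside the hunk; if it does not already remove its paren, it needs the matching substitution for the fix to cover `(a,b)`. The whole block works on `$_` across a dozen lines, which is fragile if any called function clobbers it — a named copy would make the three `tr`/`s` operations safer. split_list1 begins and ends outside the hunk.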
From bc406b39bc349f0e3f69c944d71d0377cc32ce61 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 28 Oct 2010 10:26:38 -0700
Subject: [PATCH 13/16] Fix > 10 TC interfaces

---
 Shorewall/Perl/Shorewall/Tc.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index b5da2c82b..adcf9f172 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1365,7 +1365,7 @@ sub setup_traffic_shaping() {
 my $tcref = $tcclasses{$device}{$decimalclassnum};
 my $mark = $tcref->{mark};
 my $devicenumber = in_hexp $devref->{number};
- my $classid = join( ':', in_hexp $devicenumber, $classnum);
+ my $classid = join( ':', $devicenumber, $classnum);
 my $rate = "$tcref->{rate}kbit";
 my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
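Review bot: With the second `in_hexp` gone, `$devicenumber` is the single hex form of the device number, and the next Tc.pm hunk in this patch switches the `parent` argument of the three `run_tc class add` emits to it as well, but nothing on the `my $devicenumber = in_hexp $devref->{number};` line says why the raw `$devref->{number}` must not appear in emitted tc commands; a comment such as `# tc parses handles as hex; convert once and use $devicenumber for both parent and classid` would stop the next edit from reintroducing the mismatch (the release note's "Argument "a" isn't numeric in sprintf" diagnostic is what the double conversion produced for the tenth device). Any other emit in setup_traffic_shaping that still interpolates `$devref->{number}` into a tc handle would presumably have the same problem and is worth a grep. The function starts before this hunk and continues past the next one.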
@@ -1390,15 +1390,15 @@ sub setup_traffic_shaping() {
 emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
 if ( $devref->{qdisc} eq 'htb' ) {
- emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
+ emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 } else {
 my $dmax = $tcref->{dmax};
 if ( $dmax ) {
 my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
- emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+ emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
 } else {
- emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+ emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
 }
 }
From 20bb781874c739c01b798d2db31b6c1d9cfefe96 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 28 Oct 2010 10:33:17 -0700
Subject: [PATCH 14/16] Document fix for 10+ TC interfaces
Signed-off-by: Tom Eastep
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/releasenotes.txt | 9 +++++++++
 2 files changed, 11 insertions(+)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 770b45ba2..b783bd684 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -25,6 +25,8 @@ Changes in Shorewall 4.4.14
 12) Fix split_list().
+13) Fix 10+ TC Interfaces.
+
 Changes in Shorewall 4.4.13
 1) Allow zone lists in rules SOURCE and DEST.
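Review bot: The three rewritten `emit` calls repeat the same `run_tc class add dev $device parent $devicenumber:$parent classid $classid` prefix, which is exactly the text this commit had to change in three places. Hoisting it once before the `if`, `my $class_add = "run_tc class add dev $device parent $devicenumber:$parent classid $classid";`, and emitting `"$class_add htb rate $rate …"` / `"$class_add hfsc sc …"` leaves a single place where the handle format lives. This is a style point only; the generated tc commands are unchanged. setup_traffic_shaping's body continues outside the hunk.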
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index d891158c7..0482d7c4a 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -94,6 +94,15 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ERROR: Invalid VLSM (24))
+12) Previously, if 10 or more interfaces were configured in Complex Traffic Shaping (/etc/shorewall/tcdevices), the following compilation diagnostic was generated:
+
+ Argument "a" isn't numeric in sprintf at /usr/share/shorewall/Shorewall/Config.pm line 893.
+
+ and an invalid TC configuration was generated.
+
 ----------------------------------------------------------------------------
 I I. K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------
From 8758d3a834a4377669517372168c0bdd55eb37c5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 28 Oct 2010 11:24:52 -0700
Subject: [PATCH 15/16] Insure that VERBOSITY=0 when interrogating compiled script version
Signed-off-by: Tom Eastep
---
 Shorewall/lib.common | 6 ++++++
 Shorewall6/lib.common | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/Shorewall/lib.common b/Shorewall/lib.common
index df3ab723b..698685e42 100644
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -34,6 +34,10 @@ get_script_version() { # $1 = script
 local version
 local ifs
 local digits
+ local verbosity
+
+ verbosity="$VERBOSITY"
+ VERBOSITY=0
 temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
@@ -54,6 +58,8 @@ get_script_version() { # $1 = script
 fi
 echo $version
+
+ VERBOSITY="$verbosity"
 }
 #
diff --git a/Shorewall6/lib.common b/Shorewall6/lib.common
index 48936e75b..00b3ddfe4 100644
--- a/Shorewall6/lib.common
+++ b/Shorewall6/lib.common
@@ -32,6 +32,10 @@ get_script_version() { # $1 = script
 local version
 local ifs
 local digits
+ local verbosity
+
+ verbosity="$VERBOSITY"
+ VERBOSITY=0
 temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
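Review bot: The save/restore of VERBOSITY in get_script_version only puts the caller's value back if control reaches the restore line at the end of the function; if the body between the two hunks (not visible here) returns early on a bad version string, VERBOSITY stays 0 for the rest of the calling shell. Scoping the override to the child command needs neither the extra local nor the restore: `temp=$( VERBOSITY=0 $SHOREWALL_SHELL $1 version | sed 's/-.*//' )`. That form is also passed to the child whether or not VERBOSITY was exported, whereas the plain `VERBOSITY=0` assignment only reaches `$SHOREWALL_SHELL` when the variable already had the export attribute. The same applies to the identical hunks in Shorewall6/lib.common.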
@@ -52,6 +56,8 @@ get_script_version() { # $1 = script
 fi
 echo $version
+
+ VERBOSITY="$verbosity"
 }
 #
From 5cf0cd2c3327ddb247ed9a737b9d1a7c38ede41e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 28 Oct 2010 11:41:38 -0700
Subject: [PATCH 16/16] Document VERBOSITY fix.
Signed-off-by: Tom Eastep
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/releasenotes.txt | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index b783bd684..5087a9def 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -27,6 +27,8 @@ Changes in Shorewall 4.4.14
 13) Fix 10+ TC Interfaces.
+14) Insure that VERBOSITY=0 when interrogating compiled script's version
+
 Changes in Shorewall 4.4.13
 1) Allow zone lists in rules SOURCE and DEST.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 0482d7c4a..7bc73a0e0 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -103,6 +103,9 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 and an invalid TC configuration was generated.
+13) If the current environment exported the VERBOSITY variable with a non-zero value, startup would fail.
+
 ----------------------------------------------------------------------------
 I I. K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------