From 8d5387466c39469785f84ac330c2ba70515be30f Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 9 Feb 2005 18:37:45 +0000
Subject: [PATCH] Deimplement MACLISTNEWONLY

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1953 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 --
 Shorewall2/firewall | 6 +-----
 Shorewall2/releasenotes.txt | 7 -------
 Shorewall2/shorewall.conf | 16 ----------------
 4 files changed, 1 insertion(+), 30 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 047b23c6e..4d57c02ed 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -4,8 +4,6 @@ Changes in 2.2.1
 
 2) Simon Matter's patch for umask.
 
-3) Added MACLISTNEWONLY option.
-
 Changes since 2.0.3
 
 1) Fix security vulnerability involving temporary files/directories.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 912e16688..892a9aa76 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1982,7 +1982,6 @@ setup_mac_lists() {
 local hosts
 local ipsec
 local policy=
-local state
 #
 # Generate the list of interfaces having MAC verification
 #
@@ -2074,11 +2073,10 @@ setup_mac_lists() {
 ipsec=${hosts%^*}
 hosts=${hosts#*^}
 [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
-[ -n "$MACLISTNEWONLY" ] && state="-m state --state NEW" || state=
 interface=${hosts%%:*}
 hosts=${hosts#*:}
 for chain in $(first_chains $interface) ; do
-run_iptables -A $chain $(match_source_hosts $hosts) $state \
+run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
 $policy -j $(mac_chain $interface)
 done
 done
@@ -7128,7 +7126,6 @@ do_initialize() {
 LOGTAGONLY=
 LOGALLNEW=
 DROPINVALID=
-MACLISTNEWONLY=
 RESTOREBASE=
 TMP_DIR=
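Review bot: In the second setup_mac_lists hunk the `-m state --state NEW` match hard-coded into the run_iptables line means the per-interface MAC chain is only consulted for connection-initiating packets; packets already matched to a conntrack entry, and packets conntrack classifies as INVALID, never jump to `$(mac_chain $interface)` and continue down `$chain` to whatever rules follow. That is what the removed MACLISTNEWONLY=Yes default selected, but with the option gone there is no way back to per-packet checking and nothing in the hunk records the trade-off, so a comment above the `for chain` loop such as `# MAC verification runs once per connection (state NEW); later packets of an accepted flow are trusted via the conntrack entry` would make it explicit. If an earlier release checked every packet against the maclist, the release notes or the maclist section of shorewall.conf should say the check is now per connection, since users who relied on per-packet verification lose it silently. setup_mac_lists starts before this hunk and continues after it.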
@@ -7324,7 +7321,6 @@ do_initialize() {
 DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
 LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
 DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
-MACLISTNEWONLY=$(added_param_value_yes MACLISTNEWONLY $MACLISTNEWONLY)
 #
 # Strip the files that we use often
 #
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 14d2f9c15..66e942969 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -10,13 +10,6 @@ Problems corrected in version 2.2.1
 files in /var/lib/shorewall to be world-readable. Shorewall now uses
 umask 0177.
 -----------------------------------------------------------------------
-New Features in version 2.2.1
-
-1) A MACLISTNEWONLY option is added to shorewall.conf. When set to Yes
-(the default), then only new incoming connection requests are
-checked against the maclist. If set to No, all incoming packets are
-checked.
------------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.2:
 
 1) Shorewall configuration files except shorewall.conf are now empty
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index 7fce78dc0..a92cb9d7c 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -633,22 +633,6 @@ ADMINISABSENTMINDED=Yes
 #
 BLACKLISTNEWONLY=Yes
 
-#
-# MACLIST Behavior
-#
-# The following variable determines whether the maclist is checked for each
-# packet or for each new connection.
-#
-# MACLISTNEWONLY=Yes Only consult the interface's maclist for new
-# connection requests
-#
-# MACLISTNEWONLY=No Consult maclists for all packets.
-#
-# If the MACLISTNEWONLY option is not set or is set to the empty value then
-# BLACKLISTNEWONLY=Yes is assumed.
-#
-BLACKLISTNEWONLY=Yes
-
 #
 # Users with a large blacklist find that "shorwall [re]start" takes a long
 # time and that new connections are disabled during that time. By setting