Apply fix from 4.0; always check for state match when getting capabilities

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8711 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-23 08:03:11 +01:00 · 2008-09-10 23:28:08 +00:00 · 2008-09-10 23:28:08 +00:00 · 97ad105cd9
commit 97ad105cd9
parent 3fefdbd136
4 changed files with 20 additions and 15 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -1,3 +1,7 @@
+Changes in 4.2.0-RC3
+
+1) Fix handling of 'all-' in Shorewall-shell.
+
 Changes in 4.2.0-RC2

 1) Don't clear 'balance' when 'loose' and USE_DEFAULT_RT.
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@ -1093,6 +1093,11 @@ determine_capabilities() {
 	exit 1
    fi

+    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
+	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
+	exit 1
+    fi
+
    qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes

    if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 4.2.0 RC 2.
+Shorewall 4.2.0 RC 3.

 ----------------------------------------------------------------------------
               R E L E A S E  4 . 2  H I G H L I G H T S
@ -78,19 +78,11 @@ Migration Issues.
 7)  DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
    ipset-based zones instead.

-Problems corrected in Shorewall-perl 4.2.0 RC 2.
+Problems corrected in Shorewall-shell 4.2.0-RC3

-1)  Shorewall-perl was incorrectly ignoring the 'balance' option in
-    /etc/shorewall/providers when 'loose' was specified after 'balance'
-    and USE_DEFAULT_RT=Yes in shorewall.conf. 'balance' is still the
-    default if 'loose' is not specified.
-
-2)  Route marking was attempted for optional interfaces that were not
-    up, causing 'shorewall start' ('shorewall-lite start') to fail. 
-
-Other Changes in Shoreall 4.2.0 RC 2
-
-1)  USE_DEFAULT_RT is no longer marked 'experimental'.
+1)  In /etc/shorewall/rules, if the DEST column contained 'all-' and
+    the SOURCE column was not some form of 'all', then $FW was
+    incorrectly included in the destination.

 New Features in Shorewall 4.2.

--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@ -2752,10 +2752,14 @@ process_rules()
 		return
 		;;
 	esac
-
+		
 	case $xservers in
 	    all|all-)
-		xservers="$ZONES $FW"
+		if [ "x$xservers" = xall ]; then
+		    xservers="$ZONES $FW"
+		elif [ "x$xservers" = xall- ]; then
+		    xservers="$ZONES"
+		fi
 		process_wildcard_rule "$1" $intrazone
 		return
 		;;