diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 5ec14c3f3..6b35c7cf4 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -1,3 +1,7 @@
+Changes in 4.2.0-RC3
+
+1) Fix handling of 'all-' in Shorewall-shell.
+
 Changes in 4.2.0-RC2
 
 1) Don't clear 'balance' when 'loose' and USE_DEFAULT_RT.
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index e28b9bbcf..09787f270 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -1093,6 +1093,11 @@ determine_capabilities() {
         exit 1
     fi
 
+    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
+        echo " ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
+        exit 1
+    fi
+
     qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
 
     if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 4353542a9..7721f4567 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.2.0 RC 2.
+Shorewall 4.2.0 RC 3.
 
 ----------------------------------------------------------------------------
 R E L E A S E 4 . 2 H I G H L I G H T S
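Review bot: The diagnostic on the new `echo` line blames the kernel alone, but the same `iptables -A … -m state` probe also fails when the iptables userspace build lacks the state match extension, so an admin may end up rebuilding the wrong component; suggest `echo " ERROR: Your kernel or iptables lacks connection tracking / state matching (-m state) -- Shorewall will not run on this system" >&2`. The probe itself is the right shape: Shorewall's stateful policy depends on ESTABLISHED,RELATED acceptance, so failing hard is preferable to compiling a ruleset that silently loses state tracking. As with the `exit 1` already above it, exiting here presumably leaves the scratch chain `$chain` behind — confirm the caller or a trap removes it. determine_capabilities starts before this hunk and continues past it.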
@@ -78,19 +78,11 @@ Migration Issues.
 7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
    ipset-based zones instead.
 
-Problems corrected in Shorewall-perl 4.2.0 RC 2.
+Problems corrected in Shorewall-shell 4.2.0-RC3
 
-1) Shorewall-perl was incorrectly ignoring the 'balance' option in
-   /etc/shorewall/providers when 'loose' was specified after 'balance'
-   and USE_DEFAULT_RT=Yes in shorewall.conf. 'balance' is still the
-   default if 'loose' is not specified.
-
-2) Route marking was attempted for optional interfaces that were not
-   up, causing 'shorewall start' ('shorewall-lite start') to fail.
-
-Other Changes in Shoreall 4.2.0 RC 2
-
-1) USE_DEFAULT_RT is no longer marked 'experimental'.
+1) In /etc/shorewall/rules, if the DEST column contained 'all-' and
+   the SOURCE column was not some form of 'all', then $FW was
+   incorrectly included in the destination.
 
 New Features in Shorewall 4.2.
 
diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler
index 08648ecb3..31844ed9f 100755
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@@ -2752,10 +2752,14 @@ process_rules()
             return
             ;;
     esac
-    
+
     case $xservers in
         all|all-)
-            xservers="$ZONES $FW"
+            if [ "x$xservers" = xall ]; then
+                xservers="$ZONES $FW"
+            elif [ "x$xservers" = xall- ]; then
+                xservers="$ZONES"
+            fi
             process_wildcard_rule "$1" $intrazone
             return
             ;;
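Review bot: The `elif [ "x$xservers" = xall- ]` arm in the new `if` chain is redundant — the enclosing `all|all-)` pattern already guarantees the value is one of the two — and it leaves a silent no-op path if the pattern list is ever widened without updating the chain; a plain `else` is clearer and closes that gap: `if [ "x$xservers" = xall ]; then xservers="$ZONES $FW"; else xservers="$ZONES"; fi`. The defect being fixed is a policy-widening one — rules whose DEST the author scoped away from the firewall with `all-` were also being applied to $FW — so it is worth pinning with a regression case using an `all-` DEST and a non-`all` SOURCE, if the tree carries a test suite for the shell compiler. process_rules starts before this hunk and continues past it.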