Update to Beta 4

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6490 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-06-08 16:27:21 +00:00
parent c03b030025
commit 9ab052f772
14 changed files with 97 additions and 16 deletions

View File

@ -10,6 +10,8 @@ Changes in 4.0.0 Beta 3
5) Add new bridge code. 5) Add new bridge code.
6) Fix bad bug in exclusion.
Changes in 4.0.0 Beta 2 Changes in 4.0.0 Beta 2
1) Fix screwup in get_routed_networks(). 1) Fix screwup in get_routed_networks().
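Review bot: the new item "6) Fix bad bug in exclusion." lands under the "Changes in 4.0.0 Beta 3" heading (the hunk's context line), while releasenotes.txt in this same commit records the fix under "Problems corrected in 4.0.0 Beta 4."; add a "Changes in 4.0.0 Beta 4" heading above the new item so the two files agree. "bad bug in exclusion" also deserves the detail the release notes give, namely that it concerns exclusion in /etc/shorewall/hosts.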

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.0.0-Beta3 VERSION=4.0.0-Beta4
usage() # $1 = exit status usage() # $1 = exit status
{ {
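Review bot: VERSION=4.0.0-Beta4 is the same literal edited by hand in eight scripts and, as 0Beta4, in four spec files within this commit; a missed file would leave a fallback or uninstall script that refuses to act on the installed version ("You may only use this script to revert to your prior version"). Consider having the build substitute VERSION from a single source rather than bumping each copy.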

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=4.0.0-Beta3 VERSION=4.0.0-Beta4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -21,6 +21,9 @@ Problems corrected in 4.0.0 Beta 4.
attempt to override NONE policies with the result that the compile attempt to override NONE policies with the result that the compile
phase fails (Shorewall-perl only). phase fails (Shorewall-perl only).
2) When exclusion is used in the /etc/shorewall/hosts file, correct
rules are now generated.
Other changes in Shorewall 4.0.0 Beta 3. Other changes in Shorewall 4.0.0 Beta 3.
1) Shorewall-perl has a new implementation of bridging code that works 1) Shorewall-perl has a new implementation of bridging code that works
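Review bot: item 2 says correct rules "are now generated" but not what was generated before, nor whether it is Shorewall-perl only as item 1 states. A reader needs to know whether a ruleset compiled by Beta 3 with exclusions in /etc/shorewall/hosts may have been more permissive than intended and should be recompiled after upgrading; suggest naming the affected compiler and the symptom, e.g. "When exclusion is used in /etc/shorewall/hosts, the generated rules were incorrect (Shorewall-perl only); recompile affected configurations after upgrading."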
@ -172,15 +175,83 @@ Migration Considerations:
b) Now that Netfilter has features to deal reasonably with port lists, b) Now that Netfilter has features to deal reasonably with port lists,
I see no reason to duplicate those features in Shorewall. The I see no reason to duplicate those features in Shorewall. The
Bourne-shell compiler goes to great pain (in some cases) to Bourne-shell compiler goes to great pain (in some cases) to
break very long port lists ( > 15 where port ranges in lists count break very long port lists ( > 15 where port ranges in lists
as two ports) into individual rules. In the new compiler, I'm count as two ports) into individual rules. In the new compiler, I'm
avoiding the ugliness required to do that. The new compiler just avoiding the ugliness required to do that. The new compiler just
generates an error if your list is too long. It will also produce generates an error if your list is too long. It will also produce
an error if you insert a port range into a port list and you don't an error if you insert a port range into a port list and you don't
have extended multiport support. have extended multiport support.
c) BRIDGING=Yes is not supported. The kernel code necessary to c) The old BRIDGEING=Yes support has been replaced by new bridge
support this option was removed in Linux kernel 2.6.20. support that uses the reduced 'physdev match' capabilities found
in kernel 2.6.20 and later. This new implementation may be used
where it is desired to control traffic through a bridge.
The new implementation includes the following features:
a) A new "Bridge Port" zone type is defined. Specify 'bport' or
'bport4' in the TYPE column of /etc/shorewall/zones.
Bridge Port zones must be a sub-zone of a regular ipv4 zone
that represents all hosts attached to the bridge.
b) A new 'bridge' option is defined for entries in
/etc/shorewall/interfaces. Bridges should have this option
specified if traffic through the bridge is to be controlled
with rules/policies.
c) Bridge ports must now be defined in
/etc/shorewall/interfaces. The INTERFACE column contains
both the bridge name and the port name separated by a colon
(e.g., "br0:eth1"). No OPTIONS are allowed for bridge
ports. The bridge must be defined before its ports.
Bridge Port (BP) zones have a number of limitations:
a) Each BP zone may only be associated with ports on a single
bridge.
b) BP zones may not be associated with interfaces that are not
bridge ports.
c) You may not have policies or rules where the DEST is a BP
zone but the source is not a BP zone. If you need such
rules, you must use the BP zone's parent zone as the DEST.
Example (Bridge br0 with ports eth1 and tap0):
/etc/shorewall/zones:
fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport
/etc/shorewall/interfaces:
net eth0 - ...
loc br0 - ...
lan eth1
vpn tap0
When using the /etc/shorewall/hosts file to define a bport4
zone, you specify only the port name:
Example:
/etc/shorewall/zones:
fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport
/etc/shorewall/hosts
lan eth1:192.168.2.0/24 ...
d) The BROADCAST column in the interfaces file is essentially unused; d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will if you enter anything in this column but '-' or 'detect', you will
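Review bot: the first example contradicts feature c) in the same hunk: c) says bridge ports are entered in /etc/shorewall/interfaces with the INTERFACE column holding bridge and port separated by a colon (e.g. "br0:eth1"), yet the example lists them as "lan eth1" and "vpn tap0"; one of the two needs correcting. Two smaller points: the new text introduces the misspelling "BRIDGEING=Yes" where the removed line had "BRIDGING=Yes", and the second example is introduced as defining a "bport4" zone while its zones file uses "bport" (a) lists both spellings, so either make them match or state that they are synonyms).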

View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 4.0.0 %define version 4.0.0
%define release 0Beta3 %define release 0Beta4
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -252,6 +252,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog %changelog
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta4
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta3 - Updated to 4.0.0-0Beta3
* Tue May 15 2007 Tom Eastep tom@shorewall.net * Tue May 15 2007 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.0-Beta3 VERSION=4.0.0-Beta4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.0.0-Beta3 VERSION=4.0.0-Beta4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=4.0.0-Beta3 VERSION=4.0.0-Beta4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.0.0 %define version 4.0.0
%define release 0Beta3 %define release 0Beta4
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -99,6 +99,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta4
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta3 - Updated to 4.0.0-0Beta3
* Tue May 15 2007 Tom Eastep tom@shorewall.net * Tue May 15 2007 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.0.0-Beta3 VERSION=4.0.0-Beta4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=4.0.0-Beta3 VERSION=4.0.0-Beta4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall-perl %define name shorewall-perl
%define version 4.0.0 %define version 4.0.0
%define release 0Beta3 %define release 0Beta4
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall Perl-based compiler. Summary: Shoreline Firewall Perl-based compiler.
@ -81,6 +81,8 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING releasenotes.txt %doc COPYING releasenotes.txt
%changelog %changelog
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta4
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta3 - Updated to 4.0.0-0Beta3
* Sat May 26 2007 Tom Eastep tom@shorewall.net * Sat May 26 2007 Tom Eastep tom@shorewall.net

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
VERSION=4.0.0-Beta3 VERSION=4.0.0-Beta4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall-shell %define name shorewall-shell
%define version 4.0.0 %define version 4.0.0
%define release 0Beta3 %define release 0Beta4
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -64,6 +64,8 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING INSTALL %doc COPYING INSTALL
%changelog %changelog
* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta4
* Tue Jun 05 2007 Tom Eastep tom@shorewall.net * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta3 - Updated to 4.0.0-0Beta3
* Tue May 15 2007 Tom Eastep tom@shorewall.net * Tue May 15 2007 Tom Eastep tom@shorewall.net