From a232826ac1d1da52defd233a7fddaa5f4f637730 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 20 Mar 2004 16:53:24 +0000
Subject: [PATCH] Bring STABLE CVS thread up to date
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1218 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 STABLE/changelog.txt | 8 ++++++++
 STABLE/fallback.sh | 2 +-
 STABLE/firewall | 20 ++++++++++++--------
 STABLE/install.sh | 2 +-
 STABLE/interfaces | 9 ++++++---
 STABLE/releasenotes.txt | 16 ++++++++++++++++
 STABLE/shorewall.spec | 8 +++++++-
 STABLE/uninstall.sh | 2 +-
 8 files changed, 52 insertions(+), 15 deletions(-)
diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt
index 93351deed..1096e9606 100644
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@@ -27,3 +27,11 @@ Changes since 1.4.9
 12) Allow maclist with Atheros cards
 13) Fix masq file problem with exclusion in the source column.
+
+14) Fix silly tcrules file problem.
+
+15) Fix multiple excluded zones in DNAT/REDIRECT rules.
+
+16) Correct reporting of POLICY rules.
+
+17) Implement Sean Mathews's fix for Proxy ARP/IPSEC.
diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh
index cd7fe2157..b067e0894 100755
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=1.4.10a
+VERSION=1.4.10d
 usage() # $1 = exit status
 {
diff --git a/STABLE/firewall b/STABLE/firewall
index b609e0dff..9a423c396 100755
--- a/STABLE/firewall
+++ b/STABLE/firewall
@@ -1396,7 +1396,7 @@ setup_proxy_arp() {
 [ -z "$haveroute" ] && run_ip route replace $address dev $interface
- run_arp -Ds $address $external pub
+ run_arp -i $external -Ds $address $external pub
 echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
 echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
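Review bot: The new `-i $external` on the run_arp line carries no explanation, and a one-token change like this is easy to drop as noise in a later cleanup. The changelog only records it as Sean Mathews's Proxy ARP/IPSEC fix, so I would put that at the call site: `# -i: publish on $external explicitly; letting arp choose the interface broke proxy ARP with IPSEC (1.4.10d)`. setup_proxy_arp starts and ends outside the hunk; $address and $external stay unquoted like the surrounding lines, so nothing new is introduced there.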
@@ -1730,7 +1730,7 @@ process_tc_rule()
 esac
 fi
- if [ "x$user" != "x-" ]; then
+ if [ "x${user:--}" != "x-" ]; then
 [ "$chain" != tcout ] && \
 fatal_error "Invalid use of a user/group: rule \"$rule\""
@@ -2632,7 +2632,7 @@ add_nat_rule() {
 addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -d $adr -j $chain
 done
- for z in $excludezones; do
+ for z in $(separate_list $excludezones); do
 eval hosts=\$${z}_hosts
 for host in $hosts; do
 addnatrule $chain -s ${host#*:} -j RETURN
@@ -2843,11 +2843,15 @@ add_a_rule()
 # Complain if the rule is really a policy
- if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userset" -a "$logtarget" != LOG ]; then
- error_message "Warning -- Rule \"$rule\" is a POLICY"
- error_message " -- and should be moved to the policy file"
- fi
-
+ case $logtarget in
+ ACCEPT|DROP|REJECT)
+ if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then
+ error_message "Warning -- Rule \"$rule\" is a POLICY"
+ error_message " -- and should be moved to the policy file"
+ fi
+ ;;
+ esac
+
 if [ -n "${serv}${servport}" ]; then
 if [ $command != check ]; then
diff --git a/STABLE/install.sh b/STABLE/install.sh
index 266ddac0d..f55ec13b2 100755
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@@ -54,7 +54,7 @@
 # /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.10a
+VERSION=1.4.10d
 usage() # $1 = exit status
 {
diff --git a/STABLE/interfaces b/STABLE/interfaces
index b5bc8c799..d60544a0d 100644
--- a/STABLE/interfaces
+++ b/STABLE/interfaces
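Review bot: `${user:--}` only defaults the value inside this one test; $user itself is still the empty string afterwards, so any later use of it in process_tc_rule (outside the hunk) sees "" rather than "-". If the rest of the function does not already tolerate that, normalising once before the test is safer: `user=${user:--}` followed by the original `if [ "x$user" != "x-" ]; then`. Either way a comment would record the intent, since the expansion reads like a guard against an unset variable rather than the empty-column case from the release notes: `# an empty USER/GROUP column means no user/group, the same as "-"`.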
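Review bot: The new loop hands every element of the exclusion list to `eval hosts=\$${z}_hosts` on the next line, and a name that is not a defined zone just expands to an empty $hosts, so a misspelled excluded zone adds no RETURN rules and the DNAT/REDIRECT rule silently applies to the hosts it was meant to exclude. Unless $excludezones is validated before this point (not visible in the hunk), I would fail loudly inside the loop, e.g. `[ -n "$hosts" ] || fatal_error "Unknown or empty excluded zone: $z"`, or better, test $z against the defined zones with whatever check the file uses elsewhere, in case a defined zone can legitimately have no hosts. add_nat_rule starts and ends outside the hunk.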
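Review bot: The rewritten POLICY test reads `$userspec` where the removed line read `$userset`, and the hunk does not show where either is assigned; if the variable set earlier in add_a_rule is still $userset, then `-z "$userspec"` is always true and user-qualified ACCEPT/DROP/REJECT rules go back to being reported as policies. Please confirm the name against the assignment above the hunk. The case arm is otherwise a clear way to limit the check to the built-in targets, and a comment would keep later edits from widening it again: `# Only ACCEPT, DROP and REJECT rules can really be policies; LOG and user-defined actions never are`. add_a_rule starts and ends outside the hunk.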
@@ -62,10 +62,13 @@
 # interface (anti-spoofing measure). This
 # option can also be enabled globally in
 # the /etc/shorewall/shorewall.conf file.
-# dropunclean - Logs and drops mangled/invalid packets
-#
+# dropunclean - Logs and drops mangled/invalid
+# packets. USE OF THIS OPTION IS
+# NOT RECOMMENDED. It will be removed in
+# Shorewall 2.0.
 # logunclean - Logs mangled/invalid packets but does
-# not drop them.
+# not drop them. This option will be
+# removed in Shorewall 2.0.
 # . . blacklist - Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt
index dc3dead77..fc095b45c 100644
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@@ -31,6 +31,22 @@ Problems Corrected since version 1.4.9:
 the !10.1.0.0/16 is ignored.
+9. A startup error occurs if the USER/GROUP column of the tcrules file
+ is empty.
+
+10. The following syntax previously produced a startup error:
+
+ DNAT z1!z2,z3 z4:...
+
+ That has been corrected so that multiple excluded zones may now be
+ listed in a DNAT or REDIRECT rule.
+
+11. Use of user-defined actions frequently resulted in a WARNING that
+ the rule was a policy.
+
+12. Thanks to Sean Mathews, a long-standing problem with proxy ARP and
+ IPSEC has been corrected!!
+
 Migration Issues:
 None.
diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec
index 84d04ce63..98973f4ec 100644
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.10a
+%define version 1.4.10d
 %define release 1
 %define prefix /usr
@@ -109,6 +109,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
+* Tue Mar 16 2004 Tom Eastep
+- Changed version to 1.4.10d-1
+* Sun Feb 15 2004 Tom Eastep
+- Changed version to 1.4.10c-1
+* Thu Feb 12 2004 Tom Eastep
+- Changed version to 1.4.10b-1
 * Sun Feb 08 2004 Tom Eastep
 - Changed version to 1.4.10a-1
 * Fri Jan 30 2004 Tom Eastep
diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh
index 86538f9be..32fec8486 100755
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.10a
+VERSION=1.4.10d
 usage() # $1 = exit status
 {