Only show ipv4 connections in Shorewall and Shorewall-lite

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9072 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-16 16:54:06 +00:00
parent 907d3bbd17
commit a3fcabc0e8
5 changed files with 52 additions and 56 deletions

View File

@ -1,3 +1,11 @@
Changes in Shorewall 4.3.4
1) Fix extra 'done'.
2) Fix IPv6 range checking.
3) Improve chain-combining optimizations.
Changes in Shorewall 4.3.3
1) Removed 'ecn'.
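Review bot: the 4.3.4 entries in this changelog hunk list the extra 'done' fix, IPv6 range checking and the chain-combining optimizations, but not the change this commit is named for. Add an entry along the lines of "4) Only show IPv4 connections in Shorewall and Shorewall-lite" so the changelog agrees with item 1 under "Other Changes in 4.3.4" in the release notes.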

View File

@ -462,7 +462,7 @@ show_command() {
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
echo
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || cat /proc/net/nf_conntrack
[ -f /proc/net/ip_conntrack ] && /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
;;
nat)
[ $# -gt 1 ] && usage 1
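Review bot: in show_command, the line that introduces grep -v '^ipv6' has lost its cat: `[ -f /proc/net/ip_conntrack ] && /proc/net/ip_conntrack || grep -v ...` tries to execute the proc file instead of printing it. On a system that has /proc/net/ip_conntrack the execution fails and the || branch then runs grep against /proc/net/nf_conntrack, so the ip_conntrack table is never shown. Restore `cat /proc/net/ip_conntrack`, as the corresponding line in dump_command has.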
@ -714,7 +714,7 @@ dump_command() {
$IPTABLES -t mangle -L $IPT_OPTIONS
heading "Conntrack Table"
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || cat /proc/net/nf_conntrack
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
heading "IP Configuration"
ip -4 addr list
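Review bot: in dump_command, `[ -f /proc/net/ip_conntrack ] && cat ... || grep -v '^ipv6' ...` is not an if/else: when /proc/net/ip_conntrack exists but cat returns non-zero, the grep on /proc/net/nf_conntrack runs as well. An explicit if/else avoids that, and moving it into one helper called from both show_command and dump_command would keep the two copies of this line from drifting apart.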

View File

@ -1,18 +1,17 @@
Shorewall 4.3.3
Shorewall 4.3.4
Notice:
There are two incompatible changes in this release.
It was previously my intention to defer release of IPv6 support until
4.4. That plan was based on an architecture that supported a single
configuration for both IPv4 and IPv6.
1) Rather than square brackets ([]), addresses following an interface
name are now enclosed in angle brackets (<>). This change is made
to avoid confusion in the documentation with the meta characters
'[' and ']'.
Splitting IPv6 support out into separate products has made adding that
support an order of magnitude easier and less invasive. So it is my
current plan to release IPv6 support in a future 4.2.x release.
2) Only those macros that have different contents in IPv6 are now
included in /usr/share/shorewall6/. As a consequence,
/usr/share/shorewall must be added to your CONFIG_PATH in
/etc/shorewall6/shorewall6.conf.
I am therefore opening the testing of the development branch to a wider
audience.
----------------------------------------------------------------------------
R E L E A S E 4 . 3 H I G H L I G H T S
@ -26,46 +25,37 @@ There are two incompatible changes in this release.
- Perl 5.10 if you wish to use DNS names in your IPv6 config files.
In that case you will also have to install Perl Socket6 support.
Problems Corrected in 4.3.3
Problems Corrected in 4.3.4
1) Previously, if IP6TABLES wasn't specified in shorewall6.conf, it
was set to iptables rather than ip6tables.
1) Previously, an extra 'done' could be emitted in the generated shell
script resulting in a shell syntax error at run-time.
Other changes in 4.3.3
2) In IPv6, ipranges were previously not supported even when the
kernel and ip6tables included support for them.
1) In as much as ip6tables doesn't support the ECN target, the 'ecn'
file has been removed and its processing disabled.
3) An optimization in all Shorewall-perl 4.2 and 4.3 versions could
cause undesirable side effects. The optimization deleted the
<interface>_in and <interface>_fwd chains and moved their rules
to the appropriate rules chain (a <zone>2<xxx> chain).
2) The 'maclist' option is now supported in /etc/shorewall6/interfaces
and in /etc/shorewall6/hosts.
This worked badly in cases where a zone was associated with more
than one interface. Rules could be duplicated or, worse, a rule
that was intended for only input from one of the zone's interfaces
would be applied to input from all of the zone's interfaces.
This problem has been corrected so that an interface-related
chains is only deleted if:
The following IPv6 traffic is exempt from MAC validation:
a) the chain has no rules in it; or
b) the interface is associated with only one zone and that zone is
associated with only that interface in which case it is safe to
move the rules.
a) Multicast.
b) Source or destination is a link-level address (ff80::/10).
Other Changes in 4.3.4
3) Traffic shaping is now enabled in Shorewall6. See below.
4) Shorewall6 and Shorewall6 Lite now check the kernel version during
'start' processing. If the kernel version is less than 2.6.25, a
fatal error is generated.
5) The AllowICMPs macro has been converted to a standard action. This
allows for more efficient processing in the case where ipv6-icmp is
specified as the PROTO in the invocation of AllowICMPs.
e.g.,
AllowICMPs $FW net ipv6-icmp
6) A 'proxyndp' option has been added to
/etc/shorewall6/interfaces. The option is the IPv6 analog of the
'proxyarp' option in /etc/shorewall/interfaces.
7) Source anycast addresses defined by RFC 2526 are now trapped by
'nosmurfs'.
8) Manpages are now included for Shorewall6 and Shorewall6-lite.
1) Shorewall and Shorewall Lite now show only IPv4 connections in the
output of 'shorewall show connections', 'shorewall-lite show
connections', 'shorewall dump' and 'shorewall-lite dump'.
Migration Issues.
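Review bot: in item 3 of "Problems Corrected in 4.3.4", "an interface-related chains is only deleted if" should read "an interface-related chain is only deleted if". Item 1 under "Other Changes in 4.3.4" also covers only Shorewall and Shorewall Lite; the Shorewall6 show and dump commands in this commit stop consulting /proc/net/ip_conntrack, and that is not mentioned here.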

View File

@ -404,8 +404,7 @@ show_command() {
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
echo
[ -f /proc/net/ip_conntrack ] && file=/proc/net/ip_conntrack || file=/proc/net/nf_conntrack
grep '^ipv6' $file
grep '^ipv6' /proc/net/nf_conntrack
;;
tos|mangle)
[ $# -gt 1 ] && usage 1
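Review bot: show_command here now greps /proc/net/nf_conntrack unconditionally, with no test that the file exists, so when it is absent the 'show connections' output is just a grep error message. Since the old -f test on ip_conntrack is being dropped, consider guarding the grep with `[ -f /proc/net/nf_conntrack ]` and printing nothing (or a short notice) otherwise; the same applies to the identical line in dump_command.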
@ -640,8 +639,7 @@ dump_command() {
$IP6TABLES -t mangle -L $IPT_OPTIONS
heading "Conntrack Table"
[ -f /proc/net/ip_conntrack ] && file=/proc/net/ip_conntrack || file=/proc/net/nf_conntrack
grep '^ipv6' $file
grep '^ipv6' /proc/net/nf_conntrack
heading "IP Configuration"
ip -6 addr list
@ -665,7 +663,7 @@ dump_command() {
show_proc /proc/version
for directory in /proc/sys/net/ipv6/conf/*; do
for file in proxy_ra proxy_ndp; do
for file in forwarding proxy_ra proxy_ndp; do
show_proc $directory/$file
done
done
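Review bot: adding forwarding to the per-interface file list in dump_command is unrelated to the commit subject and is not recorded in the changelog or release notes hunks of this commit; mention it in the commit message or split it into its own commit. While this loop is being touched, the argument would be safer quoted, as in show_proc "$directory/$file".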

View File

@ -22,7 +22,7 @@ the
license is included in the section entitled <span
style="text-decoration: underline;">"</span><a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>".</p>
<p>2008-12-13</p>
<p>2008-12-15</p>
<hr style="width: 100%; height: 2px;">
<h2><a style="color: rgb(255, 0, 0);" target="_top"
href="http://wiki.shorewall.net/wiki/LogoDesignCompetition">Check out
@ -131,15 +131,15 @@ Features page</a>.<br>
</p>
<h3><a name="Releases"></a>Current Shorewall Releases</h3>
<p style="margin-left: 40px;">The <span style="font-weight: bold;">current
Stable Release</span> version is 4.2.2<br>
Stable Release</span> version is 4.2.3<br>
</p>
<ul style="margin-left: 40px;">
<li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.2/releasenotes.txt">release
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.3/releasenotes.txt">release
notes</a> <br>
</li>
<li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.2/known_problems.txt">known
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.3/known_problems.txt">known
problems</a>.
<p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br>
</p>
@ -161,11 +161,11 @@ problems</a>.</li>
</div>
<div style="margin-left: 40px;">
<p>The <span style="font-weight: bold;">current Development Release</span>
version is 4.3.2 which includes support for IPv6<br>
version is 4.3.3 which includes support for IPv6<br>
</p>
<ul>
<li>Here are the<a
href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.2/releasenotes.txt">
href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.3/releasenotes.txt">
release notes</a><br>
</li>
</ul>