Only show ipv4 connections in Shorewall and Shorewall-lite

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9072 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-16 16:54:06 +00:00
parent 907d3bbd17
commit a3fcabc0e8
5 changed files with 52 additions and 56 deletions


@ -1,3 +1,11 @@
Changes in Shorewall 4.3.4
1) Fix extra 'done'.
2) Fix IPv6 range checking.
3) Improve chain-combining optimizations.
Changes in Shorewall 4.3.3 Changes in Shorewall 4.3.3
1) Removed 'ecn'. 1) Removed 'ecn'.
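Review bot: the changelog hunk adds three entries (extra 'done', IPv6 range checking, chain-combining optimizations) but none for the change this commit actually makes, the IPv4-only filtering of the conntrack table in 'show connections' and 'dump'; add a fourth entry so the changelog agrees with the 'Other Changes in 4.3.4' paragraph that this same commit adds to releasenotes.txt.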


@ -462,7 +462,7 @@ show_command() {
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Connections at $HOSTNAME - $(date)" echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
echo echo
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || cat /proc/net/nf_conntrack [ -f /proc/net/ip_conntrack ] && /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
;; ;;
nat) nat)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
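Review bot: the `cat` has been dropped from the ip_conntrack branch of show_command, so `[ -f /proc/net/ip_conntrack ] && /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack` tries to execute /proc/net/ip_conntrack as a command; that fails (the file is not executable), and the `||` then falls through to the grep on /proc/net/nf_conntrack, which on a kernel that only provides ip_conntrack prints a 'No such file or directory' error instead of the connection table. Restore `cat /proc/net/ip_conntrack` as in the corresponding dump_command change.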
@ -714,7 +714,7 @@ dump_command() {
$IPTABLES -t mangle -L $IPT_OPTIONS $IPTABLES -t mangle -L $IPT_OPTIONS
heading "Conntrack Table" heading "Conntrack Table"
[ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || cat /proc/net/nf_conntrack [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
heading "IP Configuration" heading "IP Configuration"
ip -4 addr list ip -4 addr list
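Review bot: the `&& cat ... || grep ...` chain in dump_command treats a failing `cat /proc/net/ip_conntrack` (a read error, not only a missing file) as a reason to try nf_conntrack, so an error on the first file is silently replaced by a second attempt; an explicit `if [ -f /proc/net/ip_conntrack ]; then cat /proc/net/ip_conntrack; else grep -v '^ipv6' /proc/net/nf_conntrack; fi` keeps the two cases distinct. This line is also now identical in intent to the one in show_command, so a small shared helper would keep the two in step.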


@ -1,18 +1,17 @@
Shorewall 4.3.3 Shorewall 4.3.4
Notice: Notice:
There are two incompatible changes in this release. It was previously my intention to defer release of IPv6 support until
4.4. That plan was based on an architecture that supported a single
configuration for both IPv4 and IPv6.
1) Rather than square brackets ([]), addresses following an interface Splitting IPv6 support out into separate products has made adding that
name are now enclosed in angle brackets (<>). This change is made support an order of magnitude easier and less invasive. So it is my
to avoid confusion in the documentation with the meta characters current plan to release IPv6 support in a future 4.2.x release.
'[' and ']'.
2) Only those macros that have different contents in IPv6 are now I am therefore opening the testing of the development branch to a wider
included in /usr/share/shorewall6/. As a consequence, audience.
/usr/share/shorewall must be added to your CONFIG_PATH in
/etc/shorewall6/shorewall6.conf.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 3 H I G H L I G H T S R E L E A S E 4 . 3 H I G H L I G H T S
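Review bot: replacing the 4.3.3 Notice drops the two incompatible-change items (angle brackets instead of square brackets after an interface name, and /usr/share/shorewall required in CONFIG_PATH for shorewall6) from the top of the file, so a user moving from 4.3.2 to 4.3.4 no longer sees them. Keep them under the new Notice or move them into the Migration Issues section rather than removing them.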
@ -26,46 +25,37 @@ There are two incompatible changes in this release.
- Perl 5.10 if you wish to use DNS names in your IPv6 config files. - Perl 5.10 if you wish to use DNS names in your IPv6 config files.
In that case you will also have to install Perl Socket6 support. In that case you will also have to install Perl Socket6 support.
Problems Corrected in 4.3.3 Problems Corrected in 4.3.4
1) Previously, if IP6TABLES wasn't specified in shorewall6.conf, it 1) Previously, an extra 'done' could be emitted in the generated shell
was set to iptables rather than ip6tables. script resulting in a shell syntax error at run-time.
Other changes in 4.3.3 2) In IPv6, ipranges were previously not supported even when the
kernel and ip6tables included support for them.
1) In as much as ip6tables doesn't support the ECN target, the 'ecn' 3) An optimization in all Shorewall-perl 4.2 and 4.3 versions could
file has been removed and its processing disabled. cause undesirable side effects. The optimization deleted the
<interface>_in and <interface>_fwd chains and moved their rules
to the appropriate rules chain (a <zone>2<xxx> chain).
2) The 'maclist' option is now supported in /etc/shorewall6/interfaces This worked badly in cases where a zone was associated with more
and in /etc/shorewall6/hosts. than one interface. Rules could be duplicated or, worse, a rule
that was intended for only input from one of the zone's interfaces
would be applied to input from all of the zone's interfaces.
This problem has been corrected so that an interface-related
chains is only deleted if:
The following IPv6 traffic is exempt from MAC validation: a) the chain has no rules in it; or
b) the interface is associated with only one zone and that zone is
associated with only that interface in which case it is safe to
move the rules.
a) Multicast. Other Changes in 4.3.4
b) Source or destination is a link-level address (ff80::/10).
3) Traffic shaping is now enabled in Shorewall6. See below. 1) Shorewall and Shorewall Lite now show only IPv4 connections in the
output of 'shorewall show connections', 'shorewall-lite show
4) Shorewall6 and Shorewall6 Lite now check the kernel version during connections', 'shorewall dump' and 'shorewall-lite dump'.
'start' processing. If the kernel version is less than 2.6.25, a
fatal error is generated.
5) The AllowICMPs macro has been converted to a standard action. This
allows for more efficient processing in the case where ipv6-icmp is
specified as the PROTO in the invocation of AllowICMPs.
e.g.,
AllowICMPs $FW net ipv6-icmp
6) A 'proxyndp' option has been added to
/etc/shorewall6/interfaces. The option is the IPv6 analog of the
'proxyarp' option in /etc/shorewall/interfaces.
7) Source anycast addresses defined by RFC 2526 are now trapped by
'nosmurfs'.
8) Manpages are now included for Shorewall6 and Shorewall6-lite.
Migration Issues. Migration Issues.
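Review bot: grammar in item 3 of 'Problems Corrected in 4.3.4': 'an interface-related chains is only deleted if' should read 'an interface-related chain is only deleted if'. Also, 'Other Changes in 4.3.4' lists only the IPv4-only connection display; the `forwarding` entry added to the shorewall6 dump output in this commit is not mentioned anywhere in the notes.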


@ -404,8 +404,7 @@ show_command() {
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Connections at $HOSTNAME - $(date)" echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
echo echo
[ -f /proc/net/ip_conntrack ] && file=/proc/net/ip_conntrack || file=/proc/net/nf_conntrack grep '^ipv6' /proc/net/nf_conntrack
grep '^ipv6' $file
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
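Review bot: the new `grep '^ipv6' /proc/net/nf_conntrack` in shorewall6 show_command no longer checks that the file exists, so on a system where nf_conntrack is not loaded grep prints an error and exits non-zero. Dropping the ip_conntrack branch is correct (that file only ever lists IPv4 entries and the old grep on it could not match), but guard the read with `[ -f /proc/net/nf_conntrack ] && grep '^ipv6' /proc/net/nf_conntrack` so the output is simply empty. Note that grep also exits 1 when there are no IPv6 connections at all, which matters if a caller inspects the status.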
@ -640,8 +639,7 @@ dump_command() {
$IP6TABLES -t mangle -L $IPT_OPTIONS $IP6TABLES -t mangle -L $IPT_OPTIONS
heading "Conntrack Table" heading "Conntrack Table"
[ -f /proc/net/ip_conntrack ] && file=/proc/net/ip_conntrack || file=/proc/net/nf_conntrack grep '^ipv6' /proc/net/nf_conntrack
grep '^ipv6' $file
heading "IP Configuration" heading "IP Configuration"
ip -6 addr list ip -6 addr list
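Review bot: same point as in show_command: the unguarded `grep '^ipv6' /proc/net/nf_conntrack` under the 'Conntrack Table' heading in dump_command emits an error rather than an empty table when /proc/net/nf_conntrack is absent; test for the file first, and since the line is identical in both functions, a shared helper would avoid maintaining it twice.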
@ -665,7 +663,7 @@ dump_command() {
show_proc /proc/version show_proc /proc/version
for directory in /proc/sys/net/ipv6/conf/*; do for directory in /proc/sys/net/ipv6/conf/*; do
for file in proxy_ra proxy_ndp; do for file in forwarding proxy_ra proxy_ndp; do
show_proc $directory/$file show_proc $directory/$file
done done
done done
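Review bot: adding `forwarding` to the per-interface /proc/sys/net/ipv6/conf list is useful when diagnosing IPv6 routing, but it is unrelated to the commit's subject (IPv4-only connection display) and appears in neither the changelog nor the release notes; mention it in the commit message or split it into its own commit so the change stays findable.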


@ -22,7 +22,7 @@ the
license is included in the section entitled <span license is included in the section entitled <span
style="text-decoration: underline;">"</span><a href="GnuCopyright.htm" style="text-decoration: underline;">"</span><a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>".</p> target="_self">GNU Free Documentation License</a>".</p>
<p>2008-12-13</p> <p>2008-12-15</p>
<hr style="width: 100%; height: 2px;"> <hr style="width: 100%; height: 2px;">
<h2><a style="color: rgb(255, 0, 0);" target="_top" <h2><a style="color: rgb(255, 0, 0);" target="_top"
href="http://wiki.shorewall.net/wiki/LogoDesignCompetition">Check out href="http://wiki.shorewall.net/wiki/LogoDesignCompetition">Check out
@ -131,15 +131,15 @@ Features page</a>.<br>
</p> </p>
<h3><a name="Releases"></a>Current Shorewall Releases</h3> <h3><a name="Releases"></a>Current Shorewall Releases</h3>
<p style="margin-left: 40px;">The <span style="font-weight: bold;">current <p style="margin-left: 40px;">The <span style="font-weight: bold;">current
Stable Release</span> version is 4.2.2<br> Stable Release</span> version is 4.2.3<br>
</p> </p>
<ul style="margin-left: 40px;"> <ul style="margin-left: 40px;">
<li>Here are the <a <li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.2/releasenotes.txt">release href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.3/releasenotes.txt">release
notes</a> <br> notes</a> <br>
</li> </li>
<li>Here are the <a <li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.2/known_problems.txt">known href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.3/known_problems.txt">known
problems</a>. problems</a>.
<p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br> <p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br>
</p> </p>
@ -161,11 +161,11 @@ problems</a>.</li>
</div> </div>
<div style="margin-left: 40px;"> <div style="margin-left: 40px;">
<p>The <span style="font-weight: bold;">current Development Release</span> <p>The <span style="font-weight: bold;">current Development Release</span>
version is 4.3.2 which includes support for IPv6<br> version is 4.3.3 which includes support for IPv6<br>
</p> </p>
<ul> <ul>
<li>Here are the<a <li>Here are the<a
href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.2/releasenotes.txt"> href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.3/releasenotes.txt">
release notes</a><br> release notes</a><br>
</li> </li>
</ul> </ul>