From a7f089a9390d17c04f1583c44baea3d63240c6cd Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 20 Nov 2007 16:01:27 +0000 Subject: [PATCH] Fix a couple of bugs git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7701 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 437 +---------------------------- Shorewall-common/releasenotes.txt | 13 +- Shorewall-perl/Shorewall/Config.pm | 4 +- Shorewall-perl/Shorewall/Policy.pm | 2 +- 4 files changed, 20 insertions(+), 436 deletions(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 4f448345b..e0dc861f8 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,9 @@ +Changes in 4.1.1 + +1) Fix ULOG/NFLOG output. + +2) Fix NFQUEUE() in Policy file. + Changes in 4.1.0. 1) Add 'shared' provider option. @@ -23,434 +29,3 @@ Changes in 4.1.0. 11) Add DONT_LOAD option 12) Add support for --random. - -Changes in 4.0.5 - -1) Delete 'detectnets' from Shorewall-perl - -2) Use get_config() for processing secondary shorewall.conf - -3) Add 'broadcast' and 'destonly' options to hosts file. - -4) Allow "$FW::" in the DEST column of a redirect rule" - -5) Add MULTICAST option in shorewall.conf. - -6) Allow port range for server port in NAT rules. - -7) Validate server IP address and port(-range) in NAT rules. - -8) Allow server port(s) to be specified as service names. - -9) Split large DEST PORT(S) lists. - -10) Fix TCP/UDP in rules file. - -10) Add new semantics to 'debug' with Shorewall-perl - -11) Satisfy the distros. - -12) Change module versions to V-strings. - -13) Fix ipsets. - -Changes in 4.0.4 - -1) Fix 'refresh' with light-weight shells. - -2) Various fixes for proxyarp. - -3) Fix 'refresh' run-time error. - -4) Cleaner behavior if module-init-tools not installed. - -5) Fix [re-]initialization problems in Shorewall::Tc. - -6) Make compile-time check for iptables-restore. - -7) Fix dup chain name test for actions. - -8) Improve KLUDGEFREE detection. - -9) Remove unused functions from Chains module. - -10) Allow 'TC_ENABLED=internal' as specified (Only 'Internal' is - currently allowed). - -11) Correct 'loose' handling. - -12) Correct handling of 'bridge' and accounting. - -13) Fix SHOREWALL_DIR fiasco. - -14) Avoid deleting wrong routing rule. - -15) Allow provider number in route_rules with Shorewall-shell. - -16) Add DELETE_THEN_ADD option. - -17) Add warning about 'detectnets' going away. - -18) Fix off-by-one bug in Tc.pm - -19) Correct problems found in pre-testing. - -20) Fix REDIRECT with Macros. - -Changes in 4.0.3 - -1) Streamline the checking for builtin chains in the accounting file. - -2) Don't try to write/restore /etc/iproute2/rt_tables if it isn't - writable. - -3) Allow Shorewall-perl compiler and libraries to be installed - anywhere. - -4) Add KEEP_RT_TABLES option. - -5) Other provider changes. - -6) Fix LOG target in Shorewall-shell. - -7) Faster log processing. - -8) Tweak handling of CLASSID in process_tc_rule(). - -9) Restore 3.4 'stop/clear/reset' behavior and make new behavior - optional. - -10) Add act_police to modules file. - -11) Add 'mss' interface option. - -12) Add TCPMSS_MATCH to show capabilities -f. - -13) Insure a space between log prefix and IN=. - -14) Provide ESTABLISHED,RELATED rules for inappropriate CONTINUE policy - -15) Add hashlimit match detection. - -16) Fix 'add' and 'delete' when interface name contains special char. - -17) Fix PREROUTING track fiasco. - -18) Add NFQUEUE support. - -19) Allow refresh of chains other than 'blacklst'. - -20) Allow INCLUDE in run-time extension scripts. - -21) Fix zone sort. - -Changes in 4.0.2 - -1) Another ECN fix in Shorewall-perl. - -2) Make 'state match' detection in Shorewall-perl quiet. - -3) Detect port range in list without XMULTIPORT. - -4) Move lockfile handling from 'firewall' to 'shorewall' and lib.cli. - -5) Don't detect routed networks and interfaces addresses during - 'restore'. - -6) Upcase some global variables in the generated script. - -7) Remove some 'chain_base' mapping. - -8) Eliminate a couple of global variables in the Chains module. - -9) Cosmetic change to generated script. - -10) Allow tc configuration on bridge ports. - -11) Fix add/delete problem when Shorewall-shell is not installed. - -12) Don't overwrite ${VARDIR}/chains and ${VARDIR}/zones during - 'refresh'. - -13) Correct some error messages. - -14) Correct calculations involving number of keys in a hash. - -15) Load xt_multiport. - -16) Apply Günter Niedermeier's patch for multiport. - -17) Honor the BROADCAST column when address type match is not - available. - -18) Fix accounting. - -Changes in 4.0.1 - -1) Add EXPAND_POLICIES. - -2) Fix uninstallers. - -3) Correct handling of 'ipsec' option in the hosts file. - -4) Corrent handling of 'PATH' in Shorewall-perl. - -5) Correct handling of ECN with MANGLE_FORWARD. - -6) Relax ADDRTYPE restriction. - -7) Be sure that chkconfig runs after upgrade from < 4.0.0 - -8) Better out-of-order policy detection. - -9) Fix dropBcast/allowBcast logging and other logging - fixes/improvements. - -10) Cleaner way to handle quotes in rules. - -11) Allow '/min' in RATE/BURST column. - -12) Check for state match - -13) Fix stale lock problems. - -Changes in 4.0.0 Final - -1) Fix lite install.sh manpage problem. - -2) Fix shorewall-shell .spec to modify SHOREWALL_COMPILER. - -3) Shuffle code in Providers.pm. - -4) Consolicate Common.pm + Config.pm and Interfaces.pm + Hosts.pm + - Zones.pm. - -5) Validate log level in policy file. - -Changes in 4.0.0 RC 2 - -1) Fix zone type check in Tunnels File. - -2) Remove -f as default start OPTIONS. - -3) Remove 3.4 compatibility hacks. - -4) Fix install.sh manpage problem. - -5) Fix LITEDIR mess. - -6) Fix IPSEC. - -7) Add Tunneling Macros from Tuomo Soini. - -Changes in 4.0.0 RC 1 - -1) shorewall-perl RPM no longer installable under shorewall 3.4. - -2) Fix limited broadcast and detectnets/routeback interfaces. - -3) Use optimized 'split' for faster compilation. - -4) Validate host part in hosts file entry. - -5) Fix IPSECFILE=ipsec. - -6) Make ':noah' the default. - -7) Work around SELinux nonsense. - -8) Restore the 'refresh' command. - -9) Allow ipsec zone in GATEWAY ZONE column of the tunnels file. - -10) Raise error on chmod failure. - -11) Handle shell variables with zero value correctly. - -Changes in 4.0.0 Beta 6 - -1) First step to adding compiler debugging facility. - -2) Assume that iptables-restore is in the same directory as $IPTABLES - -3) Fix buildports.pm to handle bogus entries in /etc/protocols and - /etc/services. - -4) Allow COMMENT in the accounting file. - -Changes in 4.0.0 Beta 6 - -1) Validate the DISPOSITION in /etc/shorewall/maclist entries. - -2) Add versioning to capabilities files. - -3) Improve compiler selection. - -4) DYNAMIC_ZONES=Yes and bridges. - -5) Implement port validation. - -Changes in 4.0.0 Beta 5 - -1) Fix undefined function call when both an input interface and an - output interface are present. - -2) Externalize compiler and Compile.pm. - -Changes in 4.0.0 Beta 4 - -1) Fix the 'Modules' output of 'dump' - -2) Fix FW=xxx with IPSECFILE=ipsec. - -3) Fix wildcard-rule/NONE-policy interaction. - -4) Clean up generation of user-exit jacket functions. - -5) Add new bridge code. - -6) Fix bad bug in exclusion. - -Changes in 4.0.0 Beta 2 - -1) Fix screwup in get_routed_networks(). - -2) Some minor tweaks. - -3) Fix synflood chain jumps. - -4) Simplify synflood handling and improve error diagnostics. - -Changes in 4.0.0 Beta 1 - -1) Fix add/delete . - -2) Fix do_proto() and 'use IPConfig' in Providers.pm. - -3) Implement dynamic host group detection. - -Changes in 3.9.7 - -1) Clean up release notes. - -2) Fix several bugs having to do with exclusion in the hosts file. - -3) Use '-m addrtype' in detectnet interface output rules. - -4) Fix find_hosts_by_option(). - -5) Fix more hosts file bugs. - -6) Fix 'detect' in GATEWAY column of providers file. - -8) Other bug fixes (see release notes). - -7) Fix action in 'logreject'. - -8) Allow macros to invoke macros outside of action bodies. - - -Changes in 3.9.6 - -1) Fix parsing problems in protocol handling. - -2) Fix bugs in handling of the MARK column. - -3) Fix bug in routing table copying - -4) Fix bug in ipset handling. - -5) Fix bug in handling of CONTINUE in the tcrules file. - -6) Add RCP_COMMAND and RSH_COMMAND options in shorewall.conf - -7) Apply Luigi's MARK patch. - -Changes in 3.9.5 - -1) Fix dynamic zone problem. - -2) Fix LOGALLNEW. - -3) Implement log level, protocol and port validation. - -4) Fix MACLIST log rule generation problem. - -Changes in 3.9.4 - -1) Fix port 0 problem (again!). - -2) Fix log_martians. - -3) Make LOG_MARTIANS and ROUTE_FILTER tri-valued. - -4) Fix arp_ignore. - -5) Re-work ROUTE_FILTER and LOG_MARTIANS. - -6) Fix handling of interface options. - -7) Fix handling of zone ipsec options. - -8) Fix 'routeback' on multi-zone interface. - -9) Fix 'check -d'. - -10) Fix intra-zone policies. - -11) Fix typo in maclist validation. - -12) Allow 'optional' to work with 'maclist'. - -Changes in 3.9.3 - -1) Apply Steven Springl's patch for port checking. - -2) Implement 'optional' interface option. - -3) Fix a couple of bugs in 'owner' handling. - -4) Fix several bugs in address/network detection. - -5) Make a number of interface options binary. - -6) Add wildcard edits in interface processing. - -7) Fix dropInvalid. - -8) Fix 'none'. - -9) Fix SAME with SOURCE $FW - -10) Fix tcp:syn. - -11) Fix all->z rules with 'NONE' policy. - -12) Check for reserved zone names. - -13) Add check for firewall zone existance. - -14) Add checks for zone existance in 'all' processing. - -Changes in 3.9.2 - -1) Implement '-C {shell|perl}'. - -2) Implement LOCKFILE - -3) Fix typo in prog.footer. - -4) Fix Shorewall-perl hosts and tcclasses errors. - -5) Add IPPserver macro. - -6) Fix problem with 'stop' and 'clear' when shorewall-shell not - installed. - -7) Moved lib.dynamiczones to Shorewall. - -8) Fix silly bug in lib.base. - -9) Apply Steven Springl's patch for ICMP. - ->>>>>>> .r7695 diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index b23e925e2..603c19d57 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -8,11 +8,20 @@ Shorewall 4.1 Patch Release 0. 2) Support for NFLOG has been added. -Problems corrected in Shorewall 4.1.0. +Problems corrected in Shorewall 4.1.1. + +1) Previously, incorrect output was generated by parameter lists to + ULOG or NFLOG. + +2) Specifying NFQUEUE() in the LEVEL column of the + policy file resulted in an error. + + +Other changes in Shorewall 4.1.1. None. -Other changes in Shorewall 4.1.0. +New Features in Shorewall 4.1. 1) Shorewall 4.1.0 contains experimental support for multiple Internet providers through a single ethernet interface. Configuring two diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 76006f12f..11ff2e2f1 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -1162,7 +1162,7 @@ my %validlevels = ( debug => 7, ULOG => 'ULOG', NFLOG => 'NFLOG'); -my @suffixes = qw(group range threshhold); +my @suffixes = qw(group range threshold nlgroup cprange qthreshold); # # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate" @@ -1184,7 +1184,7 @@ sub validate_level( $ ) { my $olevel = $1; my @options = split /,/, $2; my $prefix = lc $olevel; - my $index = 0; + my $index = $prefix eq 'ulog' ? 3 : 0; level_error( $level ) if @options > 3; diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index 92a1ccda9..2b73e9e61 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm @@ -228,7 +228,7 @@ sub validate_policy() fatal_error "Invalid default action ($default:$remainder)" if defined $remainder; - ( $policy , my $queue ) = split( '/' , $policy ); + ( $policy , my $queue ) = get_target_param $policy; if ( $default ) { if ( "\L$default" eq 'none' ) {