Bring trunk up to date with branch/4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7113 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.1
+VERSION=4.0.2
 
 usage() # $1 = exit status
 {

Shorewall-common/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=4.0.1
+VERSION=4.0.2
 
 usage() # $1 = exit status
 {

Shorewall-common/lib.base

@@ -1424,7 +1424,7 @@ undo_routing() {
 	# Restore rt_tables database
 	#
 	if [ -f ${VARDIR}/rt_tables ]; then
-	    cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	    [ -w /etc/iproute2/rt_table ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
 	    rm -f ${VARDIR}/rt_tables
 	fi
 	#

Shorewall-common/shorewall-common.spec

@@ -1,5 +1,5 @@
 %define name shorewall-common
-%define version 4.0.1
+%define version 4.0.2
 %define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -240,6 +240,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 
 %changelog
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.1-1
 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net

Shorewall-common/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.1
+VERSION=4.0.2
 
 usage() # $1 = exit status
 {

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.1
+VERSION=4.0.2
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=4.0.1
+VERSION=4.0.2
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.0.1
+%define version 4.0.2
 %define release 1
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,6 +98,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.1-1
 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.1
+VERSION=4.0.2
 
 usage() # $1 = exit status
 {

Shorewall-perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = 4.00;
+our $VERSION = 4.01;
 
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@@ -64,6 +64,11 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 
     my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_;
 
+    sub check_for_builtin( $ ) {
+	my $chainref = shift;
+	fatal_error "A builtin Chain ($jumpchainref->{name}) may not appear in the accounting file" if $chainref->{builtin};
+    }
+
     sub accounting_error() {
 	warning_message "Invalid Accounting rule";
     }
@@ -71,6 +76,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
 	$jumpchainref = ensure_chain( 'filter', $jumpchain );
+	check_for_builtin( $jumpchainref );
 	mark_referenced $jumpchainref;
 	"-j $jumpchain";
     }
@@ -129,12 +135,14 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 	    }
 	}
     } else {
-	$chain = 'accounting';
+	$chain = 'accounting' unless $chain and $chain ne '-';
 	$dest = ALLIPv4 if $dest   eq 'any' || $dest   eq 'all';
     }
 
     my $chainref = ensure_filter_chain $chain , 0;
 
+    check_for_builtin( $chainref );
+    
     expand_rule
 	$chainref ,
 	$restriction ,

Shorewall-perl/Shorewall/Chains.pm

@@ -128,7 +128,7 @@ our @EXPORT = qw( STANDARD
 		  %targets
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
 
 #
 # Chain Table

Shorewall-perl/Shorewall/Compiler.pm

@@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
 
 our $export;
 

Shorewall-perl/Shorewall/Config.pm

@@ -93,7 +93,7 @@ our @EXPORT = qw(
 		 %capabilities );
 
 our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -198,7 +198,7 @@ sub initialize() {
 		    ORIGINAL_POLICY_MATCH => '',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
-		    VERSION =>  '4.0.1',
+		    VERSION =>  '4.0.2',
 		    CAPVERSION => 30405 ,
 		  );
     #
@@ -288,6 +288,7 @@ sub initialize() {
 		EXPORTPARAMS => undef,
 		SHOREWALL_COMPILER => undef,
 		EXPAND_POLICIES => undef,
+		ACCOUNTING_EXPERT => undef,
 		#
 		# Packet Disposition
 		#
@@ -1417,6 +1418,7 @@ sub get_configuration( $ ) {
 
     default_yes_no 'EXPORTPARAMS'               , '';
     default_yes_no 'EXPAND_POLICIES'            , '';
+    default_yes_no 'ACCOUNTING_EXPERT'          , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
 
     $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};

Shorewall-perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
 
 #
 # Create a new policy chain and return a reference to it.

Shorewall-perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces);
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
 
 use constant { LOCAL_NUMBER   => 255,
 	       MAIN_NUMBER    => 254,
@@ -412,7 +412,10 @@ sub setup_providers() {
 		   'restore_default_route' );
 	}
 
-	emit 'cat > /etc/iproute2/rt_tables <<EOF';
+	emit( 'if [ -w /etc/iproute2/rt_tables ]; then',
+	      '    cat > /etc/iproute2/rt_tables <<EOF' );
+
+	push_indent;
 
 	emit_unindented join( "\n",
 			      '#',
@@ -433,6 +436,10 @@ sub setup_providers() {
 	    emit "\$echocommand \"$providers{$table}{number}\\t$table\" >>  /etc/iproute2/rt_tables";
 	}
 
+	pop_indent;
+
+	emit "fi\n";
+
 	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {

Shorewall-perl/Shorewall/Rules.pm

@@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
 		  dump_rule_chains
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
 
 #
 # Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@@ -808,13 +808,27 @@ sub setup_mac_lists( $ ) {
 				  "    echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
 				  'done' );
 		} else {
-		    my $variable1 = get_interface_bcasts $interfaces{$interface}{bridge};
-
+		    my $bridge    = $interfaces{$interface}{bridge};
+		    my $bridgeref = $interfaces{$bridge};
+		    
 		    add_commands( $chainref,
-				  "for address in $variable; do",
-				  "    for address1 in $variable1; do",
-				  "        echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
-				  "    done",
+				  "for address in $variable; do" );
+
+		    if ( $bridgeref->{broadcasts} ) {
+			for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
+			    add_commands( $chainref ,
+					  "    echo \"-A $chainref->{name} -s \$address -d $address -j RETURN\" >&3" );
+			}
+		    } else {
+			my $variable1 = get_interface_bcasts $bridge;
+		    
+			add_commands( $chainref, 
+				      "    for address1 in $variable1; do" ,
+				      "        echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
+				      "    done" );
+		    }
+
+		    add_commands( $chainref, 
 				  "    echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
 				  'done' );
 		}
@@ -1583,14 +1597,22 @@ sub generate_matrix() {
 		if ( $capabilities{ADDRTYPE} ) {
 		    add_rule $filter_table->{output_chain $interface}  , "-m addrtype --dst-type BROADCAST -j $chain1";
 		} else {
-		    my $variable = get_interface_bcasts $interface;
-		    my $chain    = output_chain $interface;
-		    my $chainref = $filter_table->{$chain};
+		    my $interfaceref = $interfaces{$interface};
+		    my $chain        = output_chain $interface;
+		    my $chainref     = $filter_table->{$chain};
 
-		    add_commands( $chainref,
-				  "for address in $variable; do",
-				  "   echo \"-A $chain -d \$address -j $chain1\" >&3",
-				  'done' );
+		    if ( $interfaceref->{broadcasts} ) {
+			for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) {
+			    add_rule( $chainref, "-d $address -j $chain1" );
+			}
+		    } else {
+			my $variable = get_interface_bcasts $interface;
+
+			add_commands( $chainref,
+				      "for address in $variable; do",
+				      "   echo \"-A $chain -d \$address -j $chain1\" >&3",
+				      'done' );
+		    }
 		}
 
 		add_rule $filter_table->{output_chain $interface}  , "-d 224.0.0.0/4 -j $chain1";

Shorewall-perl/Shorewall/Tc.pm

@@ -39,7 +39,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,

Shorewall-perl/Shorewall/Zones.pm

@@ -59,7 +59,7 @@ our @EXPORT = qw( NOTHING
 		  @bridges );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.00;
+our $VERSION = 4.01;
 
 #
 # IPSEC Option types
@@ -121,6 +121,7 @@ our %reservedName = ( all => 1,
 #                                                    }
 #                                     zone        => <zone name>
 #                                     bridge      => <bridge>
+#                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                   }
 #                 }
 #
@@ -627,12 +628,17 @@ sub validate_interfaces_file( $ )
 	}
 
 	unless ( $networks eq '' || $networks eq 'detect' ) {
+	    my @broadcasts = split /,/, $networks;
 
-	    for my $address ( split /,/, $networks ) {
+	    for my $address ( @broadcasts ) {
 		fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
 	    }
 
-	    warning_message 'Shorewall no longer uses broadcast addresses in rule generation';
+	    if ( $capabilities{ADDRTYPE} ) {
+		warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
+	    } else {
+		$interfaces{$interface}{broadcasts} = \@broadcasts;
+	    }
 	}
 
 	my $optionsref = {};

Shorewall-perl/compiler.pl

@@ -34,7 +34,8 @@
 #         --debug                     # Print stack trace on warnings and fatal error.
 #
 use strict;
-use lib '/usr/share/shorewall-perl';
+use FindBin;
+use lib "$FindBin::Bin";
 use Shorewall::Compiler;
 use Getopt::Long;
 

Shorewall-perl/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=4.0.1
+VERSION=4.0.2
 
 usage() # $1 = exit status
 {

Shorewall-perl/prog.header

@@ -819,7 +819,7 @@ undo_routing() {
 	# Restore rt_tables database
 	#
 	if [ -f ${VARDIR}/rt_tables ]; then
-	    cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	    [ -w /etc/iproute2/rt_table ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
 	    rm -f ${VARDIR}/rt_tables
 	fi
 	#

Shorewall-perl/shorewall-perl.spec

@@ -1,5 +1,5 @@
 %define name shorewall-perl
-%define version 4.0.1
+%define version 4.0.2
 %define release 1
 
 Summary: Shoreline Firewall Perl-based compiler.
@@ -72,6 +72,8 @@ fi
 %doc COPYING releasenotes.txt
 
 %changelog
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.1-1
 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net

Shorewall-shell/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=4.0.1
+VERSION=4.0.2
 
 usage() # $1 = exit status
 {

Shorewall-shell/lib.providers

@@ -372,8 +372,10 @@ __EOF__
 	    save_command restore_default_route
 	fi
 
+	save_command "if [ -w /etc/iproute2/rt_tables ]; then"
+	
 	cat >&3 << __EOF__
-${INDENT}cat > /etc/iproute2/rt_tables <<EOF
+${INDENT}    cat > /etc/iproute2/rt_tables <<EOF
 #
 # reserved values
 #
@@ -386,15 +388,18 @@ ${INDENT}cat > /etc/iproute2/rt_tables <<EOF
 #
 EOF
 
-${INDENT}echocommand=\$(find_echo)
+${INDENT}    echocommand=\$(find_echo)
 __EOF__
         for table in $PROVIDERS; do
 	    eval number=\$${table}_number
 	    indent >&3 << __EOF__
-\$echocommand "$number\t$table" >>  /etc/iproute2/rt_tables
+    \$echocommand "$number\t$table" >>  /etc/iproute2/rt_tables
 __EOF__
 	done
 
+	save_command "fi"
+	save_command
+
 	if [ -s $TMP_DIR/route_rules ]; then
 	    progress_message2 "$DOING $(find_file route_rules)..."
 

Shorewall-shell/shorewall-shell.spec

@@ -1,5 +1,5 @@
 %define name shorewall-shell
-%define version 4.0.1
+%define version 4.0.2
 %define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -81,6 +81,8 @@ fi
 %doc COPYING INSTALL 
 
 %changelog
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.1-1
 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net

web/News.htm

@@ -24,9 +24,99 @@ href="GnuCopyright.htm" target="_self">GNU Free Documentation
 License</a></span>”.<br>
 </p>
 
-<p>July 30, 2007</p>
+<p>August 10, 2007</p>
 <hr style="width: 100%; height: 2px;">
 
+<p><strong>2007-08-10 Shorewall 4.0.2</strong></p>
+<pre>Problems corrected in 4.0.2
+
+1)  The Shorewall-perl compiler was still generating invalid
+    iptables-restore input from entries in /etc/shorewall/ecn.
+
+2)  When using Shorewall-perl, unless an interface was specified as
+    'optional' in the interfaces file, the 'restore' command would
+    fail if the routes through the interface or the addresses on the
+    interface could not be detected.
+
+    Route detection occurs when the interface is named in the SOURCE
+    column of the masq file. Address detection occurs when
+    DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
+    or REDIRECT rule or when 'maclist' is specified for the interface.
+   
+    Since the 'restore' command doesn't use the detected information,
+    detection is now skipped if the command is 'restore'.
+
+3)  It was not previously possible to define traffic shaping on a
+    bridge port; the generated script complained that the
+    interface was not up and configured.
+
+4)  When Shorewall-shell was not installed, certain options in
+    /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
+    'add' and 'delete' commands to fail with a missing library error.
+
+          OPTION               FILE
+          maclist              interfaces,hosts
+          proxyarp             interfaces
+
+5)  The /var/lib/shorewall/zones file was being overwritten during
+    processing of the 'refresh' command by a script generated with
+    Shorewall-perl. The result was that hosts previously added to
+    dynamic zones could not be deleted after the 'refresh'.
+
+6)  If the file named as the output file in a Shorewall-perl 'compile'
+    command was a symbolic link, the generated error message
+    erroneously stated that the file's parent directory was a symbolic
+    link.
+
+    As part of this change, cosmetic changes were made to a number of
+    other error messages.
+
+7)  Some intra-zone rules were missing when a zone involved multiple
+    interfaces or when a zone included both IPSEC and non-IPSEC
+    networks.
+
+8)  Shorewall was not previously loading the xt_multiport kernel
+    module.
+
+9)  The Russian and French translations no longer have English headings
+    on notes, cautions, etc..
+
+10) Previously, using a port list in the DEST PORT(S) column of the
+    rules file or in an action file could cause an invalid iptables
+    command to be generated by Shorewall-shell.
+
+11) If there were no bridges in a configuration, Shorewall-perl would
+    ignore the CHAIN column in /etc/shorewall/accounting.
+
+Other changes in 4.0.2
+
+1)  Shorewall-perl now detects when a port range is included in a list
+    of ports and iptables/kernel support for Extended Multi-port Match
+    is not available. This avoids an iptables-restore failure at
+    run-time.
+
+2)  Most chains created by Shorewall-shell have names that can be
+    embedded within shell variable names. This is a workaround for
+    limitations in the shell programming language which has no
+    equivalent to Perl hashes. Often chain names must have the name of
+    a network interface encoded in them. Given that interface names can
+    contain characters that are invalid in a shell variable name,
+    Shorewall-shell performs a name mapping which was carried forward to
+    Shorewall-perl:
+
+    - Trailing '+' is dropped.
+    - The characters ".", "-", "%' and "@" are translated to "_".
+
+    This mapping has been elminated in the 4.0.2 release of Shorewall-
+    perl. So where before you would see chain "eth0_0_in", you may now
+    see the same chain named "eth0.0_in". Similarly, a chain previously
+    named "ppp_fwd" may now be called "ppp+_fwd".
+
+3)  Shorewall-perl now uses the contents of the BROADCAST column in
+    /etc/shorewall/interfaces when the Address Type match capability is
+    not available.</pre>
+<hr>
+
 <p><strong>2007-07-30 Shorewall 4.0.1</strong></p>
 <pre>Problems corrected in 4.0.1.
 

web/shorewall_index.htm

@@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
 license is included in the section entitled “<a href="GnuCopyright.htm"
 target="_self">GNU Free Documentation License</a>”.</p>
 
-<p>2007-07-30</p>
+<p>2007-08-10</p>
 <hr style="width: 100%; height: 2px;">
 
 <h2>Table of Contents</h2>
@@ -103,17 +103,17 @@ Features page</a>.<br>
 <h3><a name="Releases"></a>Current Shorewall Releases</h3>
 
 <p style="margin-left: 40px;">The <span style="font-weight: bold;">current
-Stable Release</span> version is  4.0.1<br>
+Stable Release</span> version is  4.0.2<br>
 </p>
 <ul style="margin-left: 40px;">
   <li>Here are the <a
-    href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.1/releasenotes.txt">release
+    href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/releasenotes.txt">release
     notes</a> <br>
   </li>
   <li>Here are the <a
-    href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.1/known_problems.txt">known
+    href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/known_problems.txt">known
     problems</a> and <a
-    href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.1/errata/">updates</a>. 
+    href="http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/">updates</a>. 
     <p>Read more about the <a href="Shorewall-4.html">Release here</a>.<br>
     </p>
   </li>