diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 82307b8fe..3a65023cb 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -8,6 +8,8 @@ Changes in 3.4.1
 4) CONTINUE policies generated invalid iptables input.
+6) Fix CRITICALHOSTS bug in 'stop_firewall()'
+
 Changes in 3.4.0 Final
 1) Add missing logic for "!" rules.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index a503d7372..3262f6bbc 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -4653,12 +4653,16 @@ __EOF__
 deleteallchains
- for host in $CRITICALHOSTS; do
- interface=\${host%:*}
- networks=\${host#*:}
- \$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
- \$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
- done
+__EOF__
+
+ for host in $CRITICALHOSTS; do
+ interface=${host%:*}
+ networks=${host#*:}
+ do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
+ do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+ done
+
+ cat >&3 << __EOF__
 for chain in INPUT OUTPUT; do
 setpolicy \$chain DROP
@@ -4676,12 +4680,15 @@ __EOF__
 deleteallchains
- for host in $CRITICALHOSTS; do
- interface=\${host%:*}
- networks=\${host#*:}
- \$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
- \$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
- done
+__EOF__
+ for host in $CRITICALHOSTS; do
+ interface=${host%:*}
+ networks=${host#*:}
+ do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
+ do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+ done
+
+ cat >&3 << __EOF__
 setpolicy INPUT DROP
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index a12c9d5ef..7822c0281 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
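Review bot: The new CRITICALHOSTS loop is duplicated byte-for-byte in both compiler hunks (the stop and clear paths of stop_firewall, whose body begins and ends outside the hunks), and the second copy already differs cosmetically by dropping the blank line after `__EOF__`, so the two paths will drift on the next fix. Consider one helper, e.g. `add_critical_host_rules() { for host in $CRITICALHOSTS; do interface=${host%:*}; networks=${host#*:}; do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT; do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT; done; }`, invoked from both places between the closing `__EOF__` and the re-opened `cat >&3 << __EOF__`. The correctness of the fix also rests on do_iptables emitting the rule into the generated script on fd 3 rather than executing iptables in the compiler process, which is not visible in this hunk; a short comment above the loop such as `# built at compile time: source_ip_range/dest_ip_range exist only in the compiler, not in the generated script` would record why this block sits outside the here-document and keep a future edit from moving it back in.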
@@ -47,7 +47,8 @@ Problems Corrected in 3.4.1
 log prefix. This could cause mysterious "log-prefix truncated" messages.
-4) When nested zones were defined in the /etc/shorewall/zones file,
+4) When nested zones were defined in the /etc/shorewall/zones file and
+ IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf,
 shell error messages ( usually ': not found' ) during compilation resulted.
@@ -64,6 +65,22 @@ Problems Corrected in 3.4.1
 ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" Failed
+6) If there were hosts defined as 'critical' in
+ /etc/shorewall/routestopped then problems occured in two cases:
+ i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall
+ clear' was issued.
+ ii) On Shorewall or Shorewall lite system when 'start' or 'restart'
+ failed during execution of the compiled script and there was no saved
+ configuration ('shorewall[-lite] save' has not been issued).
+ The symptoms were that the following shell messages were issued and
+ the 'critical' hosts were not enabled:
+ /var/lib/shorewall/.start: line nnn: source_ip_range: command not found
+ /var/lib/shorewall/.start: line nnm: dest_ip_range: command not found
+
 Other changes in 3.4.1
 1) Several changes are included which allow testing of experimental