Fix CRITICALHOSTS bug
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5547 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
be2bfbeae0
commit
b3ae34d7be
@ -8,6 +8,8 @@ Changes in 3.4.1
|
|||||||
|
|
||||||
4) CONTINUE policies generated invalid iptables input.
|
4) CONTINUE policies generated invalid iptables input.
|
||||||
|
|
||||||
|
6) Fix CRITICALHOSTS bug in 'stop_firewall()'
|
||||||
|
|
||||||
Changes in 3.4.0 Final
|
Changes in 3.4.0 Final
|
||||||
|
|
||||||
1) Add missing logic for "!" rules.
|
1) Add missing logic for "!" rules.
|
||||||
|
@ -4653,12 +4653,16 @@ __EOF__
|
|||||||
|
|
||||||
deleteallchains
|
deleteallchains
|
||||||
|
|
||||||
for host in $CRITICALHOSTS; do
|
__EOF__
|
||||||
interface=\${host%:*}
|
|
||||||
networks=\${host#*:}
|
for host in $CRITICALHOSTS; do
|
||||||
\$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
|
interface=${host%:*}
|
||||||
\$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
|
networks=${host#*:}
|
||||||
done
|
do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||||
|
do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||||
|
done
|
||||||
|
|
||||||
|
cat >&3 << __EOF__
|
||||||
|
|
||||||
for chain in INPUT OUTPUT; do
|
for chain in INPUT OUTPUT; do
|
||||||
setpolicy \$chain DROP
|
setpolicy \$chain DROP
|
||||||
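Review bot: The seven-line CRITICALHOSTS loop added here (`for host in $CRITICALHOSTS; do` … `do_iptables -A INPUT` / `do_iptables -A OUTPUT` … `done`) is duplicated verbatim in the next hunk at `@ -4676,12 +4680,15 @@`; the bug this commit fixes is exactly the kind of drift two copies invite, so it is worth defining a single helper such as `emit_critical_hosts_rules()` once and reducing both sites to a one-line call. Moving the loop out of the here-document makes `$(source_ip_range $networks)` and `$(dest_ip_range $networks)` expand in the compiler instead of in the generated script, which is the fix, but nothing in the hunk says so; a comment above the loop, `# expanded at compile time: source_ip_range/dest_ip_range are not defined in the generated script`, would stop the next editor from moving it back inside the heredoc. If either helper prints nothing for an unexpected `networks` value, the emitted rule collapses to `-i $interface -j ACCEPT` for every source on that interface; presumably the helpers already reject bad input, but that is worth confirming since do_iptables and both helpers are outside the hunk. The enclosing stop_firewall() begins before and ends after this hunk.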
@ -4676,12 +4680,15 @@ __EOF__
|
|||||||
|
|
||||||
deleteallchains
|
deleteallchains
|
||||||
|
|
||||||
for host in $CRITICALHOSTS; do
|
__EOF__
|
||||||
interface=\${host%:*}
|
for host in $CRITICALHOSTS; do
|
||||||
networks=\${host#*:}
|
interface=${host%:*}
|
||||||
\$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT
|
networks=${host#*:}
|
||||||
\$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT
|
do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||||
done
|
do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||||
|
done
|
||||||
|
|
||||||
|
cat >&3 << __EOF__
|
||||||
|
|
||||||
setpolicy INPUT DROP
|
setpolicy INPUT DROP
|
||||||
|
|
||||||
|
@ -47,7 +47,8 @@ Problems Corrected in 3.4.1
|
|||||||
log prefix. This could cause mysterious "log-prefix truncated"
|
log prefix. This could cause mysterious "log-prefix truncated"
|
||||||
messages.
|
messages.
|
||||||
|
|
||||||
4) When nested zones were defined in the /etc/shorewall/zones file,
|
4) When nested zones were defined in the /etc/shorewall/zones file and
|
||||||
|
IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf,
|
||||||
shell error messages ( usually '<zone>: not found' ) during
|
shell error messages ( usually '<zone>: not found' ) during
|
||||||
compilation resulted.
|
compilation resulted.
|
||||||
|
|
||||||
@ -64,6 +65,22 @@ Problems Corrected in 3.4.1
|
|||||||
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE"
|
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE"
|
||||||
Failed
|
Failed
|
||||||
|
|
||||||
|
6) If there were hosts defined as 'critical' in
|
||||||
|
/etc/shorewall/routestopped then problems occured in two cases:
|
||||||
|
|
||||||
|
i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall
|
||||||
|
clear' was issued.
|
||||||
|
|
||||||
|
ii) On Shorewall or Shorewall lite system when 'start' or 'restart'
|
||||||
|
failed during execution of the compiled script and there was no saved
|
||||||
|
configuration ('shorewall[-lite] save' has not been issued).
|
||||||
|
|
||||||
|
The symptoms were that the following shell messages were issued and
|
||||||
|
the 'critical' hosts were not enabled:
|
||||||
|
|
||||||
|
/var/lib/shorewall/.start: line nnn: source_ip_range: command not found
|
||||||
|
/var/lib/shorewall/.start: line nnm: dest_ip_range: command not found
|
||||||
|
|
||||||
Other changes in 3.4.1
|
Other changes in 3.4.1
|
||||||
|
|
||||||
1) Several changes are included which allow testing of experimental
|
1) Several changes are included which allow testing of experimental
|
||||||
|