extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-22 02:31:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix CRITICALHOSTS bug

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5547 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-15 16:03:31 +00:00
parent be2bfbeae0
commit b3ae34d7be
3 changed files with 39 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -8,6 +8,8 @@ Changes in 3.4.1
4) CONTINUE policies generated invalid iptables input. 4) CONTINUE policies generated invalid iptables input.
6) Fix CRITICALHOSTS bug in 'stop_firewall()'
Changes in 3.4.0 Final Changes in 3.4.0 Final
1) Add missing logic for "!" rules. 1) Add missing logic for "!" rules.

31
Shorewall/compiler
View File

@ -4653,12 +4653,16 @@ __EOF__
deleteallchains deleteallchains
for host in $CRITICALHOSTS; do __EOF__
interface=\${host%:*}
networks=\${host#*:} for host in $CRITICALHOSTS; do
\$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT interface=${host%:*}
\$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT networks=${host#*:}
done do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
done
cat >&3 << __EOF__
for chain in INPUT OUTPUT; do for chain in INPUT OUTPUT; do
setpolicy \$chain DROP setpolicy \$chain DROP
@ -4676,12 +4680,15 @@ __EOF__
deleteallchains deleteallchains
for host in $CRITICALHOSTS; do __EOF__
interface=\${host%:*} for host in $CRITICALHOSTS; do
networks=\${host#*:} interface=${host%:*}
\$IPTABLES -A INPUT -i \$interface \$(source_ip_range \$networks) -j ACCEPT networks=${host#*:}
\$IPTABLES -A OUTPUT -o \$interface \$(dest_ip_range \$networks) -j ACCEPT do_iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
done do_iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
done
cat >&3 << __EOF__
setpolicy INPUT DROP setpolicy INPUT DROP

19
Shorewall/releasenotes.txt
View File

@ -47,7 +47,8 @@ Problems Corrected in 3.4.1
log prefix. This could cause mysterious "log-prefix truncated" log prefix. This could cause mysterious "log-prefix truncated"
messages. messages.
4) When nested zones were defined in the /etc/shorewall/zones file, 4) When nested zones were defined in the /etc/shorewall/zones file and
IMPLICIT_CONTINUE=Yes was given in /etc/shorewall/shorewall.conf,
shell error messages ( usually '<zone>: not found' ) during shell error messages ( usually '<zone>: not found' ) during
compilation resulted. compilation resulted.
@ -64,6 +65,22 @@ Problems Corrected in 3.4.1
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE"
Failed Failed
6) If there were hosts defined as 'critical' in
/etc/shorewall/routestopped then problems occured in two cases:
i) On a Shorewall Lite system when 'shorewall stop' or 'shorewall
clear' was issued.
ii) On Shorewall or Shorewall lite system when 'start' or 'restart'
failed during execution of the compiled script and there was no saved
configuration ('shorewall[-lite] save' has not been issued).
The symptoms were that the following shell messages were issued and
the 'critical' hosts were not enabled:
/var/lib/shorewall/.start: line nnn: source_ip_range: command not found
/var/lib/shorewall/.start: line nnm: dest_ip_range: command not found
Other changes in 3.4.1 Other changes in 3.4.1
1) Several changes are included which allow testing of experimental 1) Several changes are included which allow testing of experimental