From c631846880126a1d01819762a51e281018023a0c Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 26 May 2007 11:02:58 +0000
Subject: [PATCH] Some 'on the train' changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6438 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt | 4 ++++
 Shorewall-common/fallback.sh | 2 +-
 Shorewall-common/install.sh | 2 +-
 Shorewall-common/releasenotes.txt | 4 ++++
 Shorewall-common/shorewall.spec | 2 +-
 Shorewall-common/uninstall.sh | 2 +-
 Shorewall-lite/fallback.sh | 2 +-
 Shorewall-lite/install.sh | 2 +-
 Shorewall-lite/shorewall-lite.spec | 2 +-
 Shorewall-lite/uninstall.sh | 2 +-
 Shorewall-shell/install.sh | 2 +-
 Shorewall-shell/shorewall-shell.spec | 2 +-
 manpages/shorewall-hosts.xml | 16 +---------------
 manpages/shorewall-interfaces.xml | 7 ++++---
 manpages/shorewall-maclist.xml | 7 ++-----
 manpages/shorewall-masq.xml | 17 ++++++++++++-----
 manpages/shorewall.conf.xml | 16 +++++++++-------
 17 files changed, 46 insertions(+), 45 deletions(-)
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 66ef73b4d..325dc0d80 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -4,6 +4,10 @@ Changes in 4.0.0 Beta 2
 2) Some minor tweaks.
+3) Fix synflood chain jumps.
+
+4) Simplify synflood handling and improve error diagnostics.
+
 Changes in 4.0.0 Beta 1
 1) Fix add/delete .
diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh
index 05353ae14..330a8458f 100755
--- a/Shorewall-common/fallback.sh
+++ b/Shorewall-common/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 usage() # $1 = exit status
 {
diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh
index 76ac7eac8..8abcd5253 100755
--- a/Shorewall-common/install.sh
+++ b/Shorewall-common/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 usage() # $1 = exit status
 {
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 63a1491fb..21e65541e 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -20,6 +20,10 @@ Problems corrected in 4.0.0 Beta 1.
 1) If an interfaces named in the SOURCE column of /etc/shorewall/masq had a default route, an iptables-restore failure previously resulted.
+2) Specifying a BURST/LIMIT in the policy file no longer causes
+ iptables-restore to fail. Additionally, the BURST/LIMIT column is
+ more carefully checked than previously.
+
 Other changes in Shorewall 4.0.0 Beta 2.
 1) The 'initdone' extension script has been restored as a compile-time
diff --git a/Shorewall-common/shorewall.spec b/Shorewall-common/shorewall.spec
index a032f48f3..8d5de6b98 100644
--- a/Shorewall-common/shorewall.spec
+++ b/Shorewall-common/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.0.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh
index 5e97ed004..3c14157c4 100755
--- a/Shorewall-common/uninstall.sh
+++ b/Shorewall-common/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh
index ca079e059..77639cda0 100755
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 # shown below. Simply run this script to revert to your prior version of
 # Shoreline Firewall.
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index 96f8c2dd5..c138140e0 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index b5a9dc141..eb2668b18 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.0.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index f48a0b744..16576d6c8 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 # You may only use this script to uninstall the version
 # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 usage() # $1 = exit status
 {
diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh
index 38612faa1..6bc26b0d4 100755
--- a/Shorewall-shell/install.sh
+++ b/Shorewall-shell/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 usage() # $1 = exit status
 {
diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec
index eee02c5d3..259352d3d 100644
--- a/Shorewall-shell/shorewall-shell.spec
+++ b/Shorewall-shell/shorewall-shell.spec
@@ -1,6 +1,6 @@
 %define name shorewall-shell
 %define version 4.0.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml
index 231b2da35..ade720a0a 100644
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml @@ -58,7 +58,7 @@ HOST(S) — - interface:{[bridge-port:]{address-or-range[interface:{[{address-or-range[,address-or-range]...|+ipset}[exclusion] @@ -84,20 +84,6 @@ Your kernel and iptables must have iprange match support. - - A physical bridge-port name; only - allowed when the interface names a bridge created by the - brctl(8) addbr command. This port must not be - defined in shorewall-interfaces(5) - and may be optionally followed by a colon (":") and a host or - network IP or a range. See http://www.shorewall.net/bridge.html - for details. Specifying a physical port name requires that you - have BRIDGING=Yes in shorewall.conf(5). - - The name of an ipset. diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index dc70f8cab..e61cc26f4 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -94,9 +94,10 @@ loc eth2 - role="bold">- in this column. Note to Shorewall-perl users: - Shorewall-perl only supports in this column. - If you specify addresses, a compilation - warning will be issued. + Shorewall-perl only supports or - in this column. If you specify + addresses, a compilation warning will be + issued. diff --git a/manpages/shorewall-maclist.xml b/manpages/shorewall-maclist.xml index cf65fce51..60e62e84b 100644 --- a/manpages/shorewall-maclist.xml +++ b/manpages/shorewall-maclist.xml @@ -50,13 +50,10 @@ INTERFACE — - interface[:port] + interface - Network interface to a host. If the - interface names a bridge, it may be optionally followed by a colon - (":") and a physical port name (e.g., br0:eth4). + Network interface to a host. diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index dccd0a49e..dedfb0a97 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -45,7 +45,7 @@ role="bold">+]interface[:[digit]][:[address[,address]...][exclusion] + role="bold">,address]...[exclusion]] Outgoing interface. This is usually your 
@@ -89,8 +89,8 @@ SOURCE (Formerly called SUBNET) — - {interface|address[,address]}[exclusion] + {interface[[:]exclusion]|address[,address][exclusion]} Set of hosts that you wish to masquerade. You can specify this @@ -104,9 +104,16 @@ append an exclusion ("!" and a comma-separated list of IP addresses (host or net) that you wish to exclude (see shorewall-exclusion(5))). + url="shorewall-exclusion.html">shorewall-exclusion(5))). + Note that with Shorewall-perl, a colon (":") must appear between an + interface name and the + exclusion; - Example: eth1!192.168.1.4,192.168.32.0/27 + Example (shorewall-shell): + eth1!192.168.1.4,192.168.32.0/27 + + Example (shorewall-perl): + eth1:!192.168.1.4,192.168.32.0/27 In that example traffic from eth1 would be masqueraded unless it came from 192.168.1.4 or 196.168.32.0/27 diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index faffb7cd3..88c020183 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -282,8 +282,10 @@ When set to Yes or yes, enables Shorewall Bridging - support. + role="bold">yes, enables Shorewall Bridging support. + BRIDGING=Yes may not work properly with Linux kernel + 2.6.20 or later and is not supported by Shorewall-perl. + @@ -443,11 +445,11 @@ role="bold">Yes|No} - Normally, Shorewall accepting ESTABLISHED/RELATED packets - until these packets reach the chain in which the original connection - was accepted. So for packets going from the 'loc' zone to the 'net' - zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net' - chain. + Normally, Shorewall defers accepting ESTABLISHED/RELATED + packets until these packets reach the chain in which the original + connection was accepted. So for packets going from the 'loc' zone to + the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the + 'loc2net' chain. If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted early in the INPUT, FORWARD and OUTPUT chains. If you