extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-23 05:01:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix ip forwarding restore bug

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8581 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-06-29 23:00:25 +00:00
parent 3899807b4a
commit c6a52d4fd9
3 changed files with 57 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall-common/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in 4.2.0-Beta3
1) Fix ip_forwarding vs the 'restore' command.
Changes in 4.2.0-Beta2 Changes in 4.2.0-Beta2
1) Only issue a warning on RFC 1918 violation. 1) Only issue a warning on RFC 1918 violation.

109
Shorewall-common/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 4.2.0 Beta 2. Shorewall 4.2.0 Beta 3.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 2 H I G H L I G H T S R E L E A S E 4 . 2 H I G H L I G H T S
@ -78,69 +78,16 @@ Migration Issues.
7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use 7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
ipset-based zones instead. ipset-based zones instead.
Problems Corrected in Shorewall 4.2.0 Beta 2 Problems corrected in Shorewall-perl-4.2.0 Beta3.
1) When 'norfc1918' was specified on an interface with an RFC 1918 IP 1) The 4.2.0-Beta2 change which defers setting up ip forwarding until
address, the compiled script would terminate without changing the the rules are in place did not handle the 'restore' command
state of the firewall. Under these circumstances, the script now correctly. So if '-f' is specified to the 'start' command and there
issues a warning message and continues. is a saved configuration, the setting of ip forwarding will not be
changed.
Problems Corrected in Shorewall-perl 4.2.0 Beta 2 Other Changes in Shoreall 4.2.0 Beta 3.
1) Except in /etc/shorewall/hosts, ipset names may now be preceded by
'!' to specify that matching IP addresses are not members of the
set.
Problems Corrected in Shorewall-shell 4.2.0 Beta 2.
1) When DYNAMIC_ZONES=Yes, certain configurations would produce an
invalid /var/lib/shorewall/chains file at run-time. The invalid file
contents resulted in errors during processing of the "shorewall add"
command.
Other Changes in Shoreall 4.2.0 Beta 2.
1) A 'save' extension script is added. The script is run after
iptables-save has completed successfully.
The 'load' and 'reload' commands copy the save script (if any) to
/etc/shorewall-lite/ on the remove firewall system. The 'export'
command copies the file to the same directory as the 'firewall' and
'firewall.conf' scripts.
I have the following commands in my 'save' script:
[ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup
ipset -S > /root/ipsets.save
These commands complement my 'init' script:
qt modprobe ifb numifbs=1
qt ip link set dev ifb0 up
if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
ipset -X
ipset -R < /root/ipsets.save
fi
Those two scripts allow me to save and restore the contents of my
ipsets automatically under Shorewall-perl/Shorewall-lite (my
routestopped file does not use ipsets).
2) A HELPER column is included in the tcrules file. The value in this
column names one of the Netfilter protocol 'helper' module sets
(ftp, sip, amanda, etc).
See http://www.shorewall.net/traffic_shaping.htm for an example.
3) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.
4) Farkas Levante has contributed a macro.Mail macro that covers SMTP,
SMTPS and submission.
None. None.
New Features in Shorewall 4.2. New Features in Shorewall 4.2.
@ -901,3 +848,43 @@ New Features in Shorewall 4.2.
not installed by default, Most distributions have this utility in not installed by default, Most distributions have this utility in
their repositories. their repositories.
39) A 'save' extension script is added. The script is run after
iptables-save has completed successfully.
The 'load' and 'reload' commands copy the save script (if any) to
/etc/shorewall-lite/ on the remove firewall system. The 'export'
command copies the file to the same directory as the 'firewall' and
'firewall.conf' scripts.
I have the following commands in my 'save' script:
[ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup
ipset -S > /root/ipsets.save
These commands complement my 'init' script:
qt modprobe ifb numifbs=1
qt ip link set dev ifb0 up
if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
ipset -X
ipset -R < /root/ipsets.save
fi
Those two scripts allow me to save and restore the contents of my
ipsets automatically under Shorewall-perl/Shorewall-lite (my
routestopped file does not use ipsets).
40) A HELPER column is included in the tcrules file. The value in this
column names one of the Netfilter protocol 'helper' module sets
(ftp, sip, amanda, etc).
See http://www.shorewall.net/traffic_shaping.htm for an example.
41) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.
42) Farkas Levante has contributed a macro.Mail macro that covers SMTP,
SMTPS and submission.

5
Shorewall-perl/Shorewall/Compiler.pm
View File

@ -654,6 +654,11 @@ if [ $COMMAND = restore ]; then
else else
fatal_error "$iptables_save_file does not exist" fatal_error "$iptables_save_file does not exist"
fi fi
EOF
pop_indent;
setup_forwarding;
push_indent;
emit<<'EOF';
set_state "Started" set_state "Started"
else else
if [ $COMMAND = refresh ]; then if [ $COMMAND = refresh ]; then