From cd00210273fef20ca5e34bf5f54c7ed40b5697e8 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 26 Aug 2007 15:09:27 +0000 Subject: [PATCH] Bring trunk up to date with 4.0 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7226 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/fallback.sh | 2 +- Shorewall-common/install.sh | 2 +- Shorewall-common/lib.base | 14 +++++++++++-- Shorewall-common/lib.cli | 28 ++++++-------------------- Shorewall-common/lib.config | 3 +++ Shorewall-common/modules | 1 + Shorewall-common/shorewall | 26 +++++++++++++++++------- Shorewall-common/shorewall-common.spec | 4 +++- Shorewall-common/uninstall.sh | 2 +- 9 files changed, 47 insertions(+), 35 deletions(-) diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh index 16eaa7c5f..d4fe04a6a 100755 --- a/Shorewall-common/fallback.sh +++ b/Shorewall-common/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.2 +VERSION=4.0.3 usage() # $1 = exit status { diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index 221d25f66..5e05b19d6 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=4.0.2 +VERSION=4.0.3 usage() # $1 = exit status { diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base index 065ebc6fe..c5efc377b 100644 --- a/Shorewall-common/lib.base +++ b/Shorewall-common/lib.base @@ -35,7 +35,7 @@ # SHOREWALL_LIBVERSION=40000 -SHOREWALL_CAPVERSION=30405 +SHOREWALL_CAPVERSION=40003 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] @@ -1004,6 +1004,8 @@ determine_capabilities() { COMMENTS= ADDRTYPE= TCPMSS_MATCH= + HASHLIMIT_MATCH= + NFQUEUE_TARGET= qt $IPTABLES -N fooX1234 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes 
@@ -1072,6 +1074,9 @@ determine_capabilities() { qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes + qt $IPTABLES -A fooX1234 -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes + qt $IPTABLES -A fooX1234 -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes + qt $IPTABLES -F fooX1234 qt $IPTABLES -X fooX1234 @@ -1119,6 +1124,8 @@ report_capabilities() { report_capability "Comments" $COMMENTS report_capability "Address Type Match" $ADDRTYPE report_capability "TCPMSS Match" $TCPMSS_MATCH + report_capability "Hashlimit Match" $HASHLIMIT_MATCH + report_capability "NFQUEUE Target" $NFQUEUE_TARGET fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1161,6 +1168,9 @@ report_capabilities1() { report_capability1 MANGLE_FORWARD report_capability1 COMMENTS report_capability1 ADDRTYPE + report_capability1 TCPMSS_MATCH + report_capability1 HASHLIMIT_MATCH + report_capability1 NFQUEUE_TARGET echo CAPVERSION=$SHOREWALL_CAPVERSION } @@ -1331,7 +1341,7 @@ do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispos fi if [ ${#prefix} -gt 29 ]; then - prefix=`echo "$prefix" | truncate 29` + prefix="`echo "$prefix" | truncate 28` " error_message "WARNING: Log Prefix shortened to \"$prefix\"" fi diff --git a/Shorewall-common/lib.cli b/Shorewall-common/lib.cli index f8add9542..2796dc87a 100644 --- a/Shorewall-common/lib.cli +++ b/Shorewall-common/lib.cli 
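Review bot: The warning on the line following the new truncation is emitted only after `prefix` has been overwritten, so the operator is never told which configured prefix was shortened, and a shortened prefix can collide with another rule's, making two different rules indistinguishable in syslog — a detection-engineering problem rather than a cosmetic one. Emit the warning before the assignment: `error_message "WARNING: Log Prefix \"$prefix\" exceeds 29 characters; shortened to \"$(echo "$prefix" | truncate 28) \""` and keep the existing truncation line unchanged after it. A one-line comment on the assignment explaining the 28-plus-space choice would also help; I am inferring that the trailing space is meant as a separator before the kernel's `IN=` field, so confirm before writing it. do_log_rule_limit starts outside the hunk.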
@@ -147,12 +147,10 @@ packet_log() # $1 = number of messages { local options - [ -n "$realtail" ] && options="-n$1" - if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then - $LOGREAD | grep 'IN=.* OUT=' | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ | tail $options + $LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ else - $LOGREAD | grep 'IN=.* OUT=' | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ | tail $options + $LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ fi } @@ -173,15 +171,8 @@ show_tc() { fi } - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_tc ${interface%:} - ;; - *) - ;; - esac + ip -o link list | while read inx interface details; do + show_one_tc ${interface%:} done } @@ -202,15 +193,8 @@ show_classifiers() { fi } - ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - show_one_classifier ${interface%:} - ;; - *) - ;; - esac + ip -o link list | while read inx interface details; do + show_one_classifier ${interface%:} done } diff --git a/Shorewall-common/lib.config b/Shorewall-common/lib.config index 3e9090863..d1e846406 100644 --- a/Shorewall-common/lib.config +++ b/Shorewall-common/lib.config @@ -506,6 +506,9 @@ setup_ipsec() { if [ -s ${TMP_DIR}/ipsec ]; then progress_message "$DOING ipsec..." [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..." + f=ipsec + else + return fi ;; esac diff --git a/Shorewall-common/modules b/Shorewall-common/modules index b9a6f01cd..8abd2afb4 100644 --- a/Shorewall-common/modules +++ b/Shorewall-common/modules @@ -102,6 +102,7 @@ loadmodule sch_sfq loadmodule sch_ingress loadmodule sch_htb loadmodule cls_u32 +loadmodule act_police # # Extensions # 
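Review bot: `head -n$1` on the two rewritten pipeline lines takes the message count straight from the argument with no validation, and the `realtail` guard that previously decided whether a count could be passed at all is removed, so an empty or non-numeric `$1` makes head fail and the command prints nothing but a head error. A guard at the top of the function keeps that explicit: `case $1 in ''|*[!0-9]*) echo "packet_log: numeric message count required" >&2; return 1;; esac`. With the `options="-n$1"` line gone, the `local options` declaration in the context is now unused and can be dropped. The rewritten lines also still interpolate `$host` and `$LOGFORMAT` unescaped into the sed pattern, so a LOGFORMAT containing regex metacharacters would mismatch; that is carried over rather than introduced, but deserves a comment on the function.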
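Review bot: `${interface%:}` in the new loop body strips only the trailing colon, so on iproute2 versions that print VLAN or macvlan links as `eth0.100@eth0:` the name handed to show_one_tc still carries the `@eth0` suffix and tc will not find the device; I believe the old `ip link list` loop had the same exposure, but this hunk rewrites the loop and is the place to fix it. Two lines cover it: `interface=${interface%:}` then `show_one_tc ${interface%%@*}`. The same pattern is repeated in show_classifiers below and should get the same treatment. show_tc and show_one_tc start outside the hunk.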
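Review bot: `f=ipsec` assigns a one-letter variable that is not declared `local` in any visible line; if setup_ipsec does not declare it earlier (the function starts outside this hunk), `f` becomes a global of the compiler or generated script and is easy to clobber from another setup_* function. Add `local f` at the top of the function or use a more specific name. The `return` in the new `else` branch leaves setup_ipsec entirely, not just the case arm; a trailing comment, `return # nothing to do when the ipsec file is empty`, makes that intent clear to the next reader.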
diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall index 17c3791ad..d01856065 100755 --- a/Shorewall-common/shorewall +++ b/Shorewall-common/shorewall @@ -1,6 +1,6 @@ #!/bin/sh # -# Shorewall Packet Filtering Firewall Control Program - V3.4 +# Shorewall Packet Filtering Firewall Control Program - V4.0 # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # @@ -156,9 +156,9 @@ get_config() { [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages if [ -n "$(syslog_circular_buffer)" ]; then - LOGREAD="logread" + LOGREAD="logread | tac" elif [ -f $LOGFILE ]; then - LOGREAD="cat $LOGFILE" + LOGREAD="tac $LOGFILE" else echo "LOGFILE ($LOGFILE) does not exist!" >&2 exit 2 @@ -1282,7 +1282,7 @@ usage() # $1 = exit status echo " add [:] ... " echo " allow
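Review bot: `LOGREAD="logread | tac"` stores a pipeline in a variable, but the consumer in lib.cli expands it unquoted (`$LOGREAD | grep 'IN=.* OUT='`), and parameter expansion does not re-parse `|` as a control operator — logread would be invoked with the two literal arguments `|` and `tac`, so on hosts with a syslog circular buffer the log commands produce nothing useful, unless some caller I cannot see here evals it. Define a function and keep LOGREAD a plain command word: `logread_newest_first() { logread | tac; }` and `LOGREAD=logread_newest_first`. Both branches now also depend on `tac`, which is not present in every BusyBox build; a `command -v tac >/dev/null 2>&1 || { echo "tac not found in PATH" >&2; exit 2; }` beside the existing LOGFILE check would fail loudly instead of silently printing an empty log. get_config starts outside the hunk.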
..." echo " check [ -e ] [ -C {shell|perl} ] [ ]" - echo " clear" + echo " clear [ -f ]" echo " compile [ -e ] [ -C {shell|perl} ] [ ] " echo " delete [:] ... " echo " drop
..." @@ -1307,7 +1307,7 @@ usage() # $1 = exit status echo " save [ ]" echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]" echo " start [ -f ] [ -n ] [ -C {shell|perl} ] [ ]" - echo " stop" + echo " stop [ -f ]" echo " status" echo " try [ -C {shell|perl} ] [ ]" echo " version [ -a ]" @@ -1542,15 +1542,27 @@ case "$COMMAND" in shift start_command $@ ;; - stop|reset|clear) + stop|clear) + if [ "x$2" = x-f ]; then + [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore + shift; + fi + [ $# -ne 1 ] && usage 1 get_config export NOROUTES - [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore mutex_on $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND mutex_off ;; + reset) + [ $# -ne 1 ] && usage 1 + get_config + export NOROUTES + mutex_on + $SHOREWALL_SHELL $FIREWALL $debugging $nolock reset + mutex_off + ;; compile) get_config Yes shift diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index 8a813a590..b173c3c05 100644 --- a/Shorewall-common/shorewall-common.spec +++ b/Shorewall-common/shorewall-common.spec @@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.0.2 +%define version 4.0.3 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -240,6 +240,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Mon Aug 13 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.3-1 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.2-1 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index 59ef6579d..776dd82de 100755 --- a/Shorewall-common/uninstall.sh +++ b/Shorewall-common/uninstall.sh 
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.2 +VERSION=4.0.3 usage() # $1 = exit status {