diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 4ad12a5b8..6884c8cff 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -73,11 +73,10 @@ Problems corrected in 4.0.1. 4.0.0. Previously, Shorewall was not started automatically at reboot after an upgrade using the RPM. -9) Shorewall-perl now detects dead policy file entries that result - when an entry is masked by an earlier entry. Example: - - all all REJECT info - loc net ACCEPT +9) Shorewall-perl was generating invalid iptables-restore input when a + log level was specified with the dropBcast and allowBcast builtin + actions and when a log level followed by '!' was used with any + builtin actions. Other changes in Shorewall 4.0.1.
@@ -106,6 +105,12 @@ Other changes in Shorewall 4.0.1. capability has been relaxed. This allows Shorewall 4.0.1 to be used on releases like RHEL4 that con's support that capability. +3) Shorewall-perl now detects dead policy file entries that result + when an entry is masked by an earlier entry. Example: + + all all REJECT info + loc net ACCEPT + Migration Considerations: 1) Beginning with Shorewall 4.0.0, there is no single 'shorewall'
diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index d323bbb6b..be1483a5b 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -658,20 +658,20 @@ sub process_actions3 () {
 if ( $capabilities{ADDRTYPE} ) {
 if ( $level ne '' ) {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 }
 add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
 } else {
 add_command $chainref, 'for address in $ALL_BCASTS; do';
 push_cmd_mode $chainref;
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address' if $level ne '';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
 add_rule $chainref, '-d $address -j DROP';
 pop_cmd_mode $chainref;
 add_command $chainref, 'done';
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne '';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 }
 add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
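Review bot: The fix appends a trailing space to every match string handed to log_rule_limit, which puts the separator between the match and whatever log_rule_limit appends into eight call sites (the four changed lines here and the four in the allowBcast hunk at @@ -682), so any future caller that omits it reproduces the broken iptables-restore line. If log_rule_limit assembles the rule by concatenation (its definition is not in this diff), the separator belongs inside it, with something like `$matches .= ' ' if $matches ne '' && $matches !~ / \z/;` (constructed name) before the pieces are joined, and the call sites can then stay as they were. Failing that, a comment at the first changed line, `# trailing space is required: log_rule_limit appends the log target directly to this string`, would stop the next reader from trimming it as stray whitespace. process_actions3 starts before this hunk and continues past it.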
@@ -682,20 +682,20 @@ sub process_actions3 () {
 if ( $capabilities{ADDRTYPE} ) {
 if ( $level ne '' ) {
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 }
 add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
 } else {
 add_command $chainref, 'for address in $ALL_BCASTS; do';
 push_cmd_mode $chainref;
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address' if $level ne '';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
 add_rule $chainref, '-d $address -j ACCEPT';
 pop_cmd_mode $chainref;
 add_command $chainref, 'done';
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne '';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 }
 add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 }
@@ -792,6 +792,8 @@ sub process_actions3 () {
 $level = '' unless defined $level;
 $tag = '' unless defined $tag;
+ $level =~ s/!$//;
+
 if ( $targets{$action} & BUILTIN ) {
 $level = '' if $level =~ /none!?/;
 $builtinops{$action}->($chainref, $level, $tag);
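Review bot: The added `$level =~ s/!$//;` runs before the `if ( $targets{$action} & BUILTIN )` test, so the `!` suffix is discarded for every action that reaches this point, whereas the release note describes the breakage only for builtin actions; if the suffix carries meaning on the non-builtin path (the rest of the function is outside the hunk), the substitution should move inside the BUILTIN branch. Once the suffix is stripped the `!?` in `/none!?/` can never match, and that pattern is unanchored, so it would also blank any level merely containing the text `none`; `$level = '' if $level =~ /\Anone\z/;` states the intent. In the substitution itself prefer `\z` over `$`, `$level =~ s/!\z//;`, since `$` also matches before a trailing newline. process_actions3 starts and ends outside this hunk.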