diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index 618c6d947..2f573b39c 100755 --- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec index bdd509484..7d5c11bdc 100644 --- a/Shorewall-init/shorewall-init.spec +++ b/Shorewall-init/shorewall-init.spec @@ -1,6 +1,6 @@ %define name shorewall-init %define version 4.4.19 -%define release 0base +%define release 2 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name} @@ -119,6 +119,10 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Apr 16 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-2 +* Wed Apr 13 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-1 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-0base * Sun Apr 03 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index f9f22d67c..3aece0ee8 100755 --- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index f7dfa41e2..f60cae64d 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index bd270a11f..7c294fb23 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec 
@@ -1,6 +1,6 @@ %define name shorewall-lite %define version 4.4.19 -%define release 0base +%define release 2 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name} @@ -103,6 +103,10 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Apr 16 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-2 +* Wed Apr 13 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-1 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-0base * Sun Apr 03 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index 755ea78c4..ba4b027ac 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 4a7b8efb7..ef3d03b12 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -411,7 +411,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0, - VERSION => "4.4.19", + VERSION => "4.4.19.2", CAPVERSION => 40417 , ); # diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 2b220015e..8bd3f2cdb 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -1887,7 +1887,7 @@ EOF emit 'delete_tc1' if $config{CLEAR_TC}; emit( 'undo_routing', - 'restore_default_route' + "restore_default_route $config{USE_DEFAULT_RT}" ); my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/; @@ -1907,7 +1907,6 @@ EOF process_routestopped; - add_rule $input, '-i lo -j ACCEPT'; add_rule $input, '-i lo -j ACCEPT'; add_rule $output, '-o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED}; 
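Review bot: The emitted `restore_default_route $config{USE_DEFAULT_RT}` in the Misc.pm hunk hands the raw config value to the generated script, and replace_default_route in prog.header decides with `[ -n "$1" ]`, so a disabled setting must arrive as an empty string rather than the literal `No`. The `if $config{USE_DEFAULT_RT}` test in Providers.pm suggests the value is already normalised to ''/'Yes' at parse time, but that contract is not visible here; emitting an explicit literal would not depend on it: `'restore_default_route ' . ( $config{USE_DEFAULT_RT} ? 'Yes' : '' )`. The same interpolation appears at the three Providers.pm call sites. The enclosing sub in Misc.pm starts outside the hunk.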
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index de0da9ec8..ce1456313 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -207,8 +207,9 @@ sub process_one_masq( ) } else { my $ports = $addr; $ports =~ s/^://; - $ports =~ s/:/-/; - validate_portpair( $proto, $ports ); + my $portrange = $ports; + $portrange =~ s/-/:/; + validate_portpair( $proto, $portrange ); $addrlist .= "--to-ports $ports "; $exceptionrule = do_proto( $proto, '', '' ); } diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 72407177a..759c5f7bb 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -730,7 +730,7 @@ sub start_providers() { emit ( '#', '# Capture the default route(s) if we don\'t have it (them) already.', '#', - '[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', + "[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route", '#', '# Initialize the file that holds \'undo\' commands', '#', 
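Review bot: In the Nat.pm hunk the validated value and the emitted value now diverge: `$portrange` gets its first `-` rewritten to `:` for validate_portpair, but `$ports` is emitted unchanged into `--to-ports`, so an ADDRESS written as `:1024:2000` passes validation yet reaches iptables as `--to-ports 1024:2000`, whereas iptables documents the option as `port[-port]`. The removed line normalised the colon to a hyphen before emitting; keeping both directions restores that: `( my $portrange = $ports ) =~ s/-/:/;` for validation and, after validate_portpair succeeds, `$ports =~ s/:/-/;` before the `--to-ports` append. Whether validate_portpair accepts the colon form at all is not visible here; if it rejects it, the point is moot. process_one_masq starts and ends outside the hunk.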
@@ -758,13 +758,21 @@ sub finish_providers() { emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" ); - emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT}; + + if ( $config{USE_DEFAULT_RT} ) { + emit ( " while qt \$IP -$family route del default table " . MAIN_TABLE . '; do', + ' true', + ' done', + '' + ); + } + emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", 'else', ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' ); if ( $config{RESTORE_DEFAULT_ROUTE} ) { - emit ' restore_default_route && error_message "NOTICE: Default route restored"' + emit qq( restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored") } else { emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); } @@ -775,7 +783,7 @@ sub finish_providers() { emit ( '#', '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved', '#', - 'restore_default_route' , + "restore_default_route $config{USE_DEFAULT_RT}" , '' ); } @@ -871,7 +879,7 @@ sub setup_providers() { push_indent; emit "\nundo_routing"; - emit 'restore_default_route'; + emit "restore_default_route $config{USE_DEFAULT_RT}"; if ( $config{NULL_ROUTE_RFC1918} ) { emit ( '#', diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header index 7461fa468..425b7c546 100644 --- a/Shorewall/Perl/prog.header +++ b/Shorewall/Perl/prog.header 
@@ -504,40 +504,57 @@ undo_routing() { } +# +# Save the default route +# +save_default_route() { + awk \ + 'BEGIN {default=0;}; \ + /^default / {default=1; print; next}; \ + /nexthop/ {if (default == 1 ) {print ; next} }; \ + { default=0; };' +} + # # Restore the default route that was in place before the initial 'shorewall start' # -restore_default_route() { +replace_default_route() # $1 = USE_DEFAULT_RT +{ + # + # default_route and result are inherited from the caller + # + if [ -n "$default_route" ]; then + case "$default_route" in + *metric*) + # + # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0 + # + [ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored" + default_route= + ;; + *) + qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored" + result=0 + default_route= + ;; + esac + fi +} + +restore_default_route() # $1 = USE_DEFAULT_RT +{ local result + result=1 if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then local default_route default_route= local route - result=1 while read route ; do case $route in default*) - if [ -n "$default_route" ]; then - case "$default_route" in - *metric*) - # - # Don't restore a route with a metric -- we only replace the one with metric == 0 - # - qt $IP -4 route delete default metric 0 && \ - progress_message "Default Route with metric 0 deleted" - ;; - *) - qt $IP -4 route replace $default_route && \ - result=0 && \ - progress_message "Default Route (${default_route# }) restored" - ;; - esac - - break - fi - + replace_default_route $1 default_route="$default_route $route" ;; *) 
@@ -546,6 +563,20 @@ restore_default_route() { esac done < ${VARDIR}/default_route + replace_default_route $1 + + if [ $result = 1 ]; then + # + # We didn't restore a default route with metric 0 + # + if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then + # + # But we added a default route with metric 0 + # + qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted" + fi + fi + rm -f ${VARDIR}/default_route fi diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6 index 588fd89b8..8cf782756 100644 --- a/Shorewall/Perl/prog.header6 +++ b/Shorewall/Perl/prog.header6 
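Review bot: `result` is only cleared in the metric-free branch of replace_default_route, so when USE_DEFAULT_RT is set and a metric-bearing saved route is successfully put back, this block still sees `result = 1` and deletes whatever metric-0 default route exists in the main table, whether or not Shorewall added it; the comment "But we added a default route with metric 0" asserts more than the code checks. If that is intended, the comment should say that a metric-bearing restore deliberately does not count; otherwise add `result=0` to the `*metric*)` branch alongside the replace. Separately, `fgrep default` matches the word anywhere on the line, so `grep -q '^default '` in place of the first filter would be more precise. restore_default_route's return statement is outside the hunk.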
@@ -492,40 +492,57 @@ undo_routing() { } +# +# Save the default route +# +save_default_route() { + awk \ + 'BEGIN {default=0;}; \ + /^default / {default=1; print; next}; \ + /nexthop/ {if (default == 1 ) {print ; next} }; \ + { default=0; };' +} + # # Restore the default route that was in place before the initial 'shorewall start' # -restore_default_route() { +replace_default_route() # $1 = USE_DEFAULT_RT +{ + # + # default_route and result are inherited from the caller + # + if [ -n "$default_route" ]; then + case "$default_route" in + *metric*) + # + # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0 + # + [ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored" + default_route= + ;; + *) + qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored" + result=0 + default_route= + ;; + esac + fi +} + +restore_default_route() # $1 = USE_DEFAULT_RT +{ local result + result=1 if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then local default_route default_route= local route - result=1 while read route ; do case $route in - default) - if [ -n "$default_route" ]; then - case "$default_route" in - *metric*) - # - # Don't restore a route with a metric -- we only replace the one with metric == 0 - # - qt $IP -6 route delete default metric 0 && \ - progress_message "Default Route with metric 0 deleted" - ;; - *) - qt $IP -6 route replace $default_route && \ - result=0 && \ - progress_message "Default Route (${default_route# }) restored" - ;; - esac - - break - fi - + default*) + replace_default_route $1 default_route="$default_route $route" ;; *) 
@@ -534,6 +551,20 @@ restore_default_route() { esac done < ${VARDIR}/default_route + replace_default_route $1 + + if [ $result = 1 ]; then + # + # We didn't restore a default route with metric 0 + # + if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then + # + # But we added a default route with metric 0 + # + qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted" + fi + fi + rm -f ${VARDIR}/default_route fi diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 761b27a49..48c1896ac 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,17 @@ +Changes in Shorewall 4.4.19.2 + +None. + +Changes in Shorewall 4.4.19.1 + +1) Eliminate silly duplicate rule when stopped. + +2) Don't believe that all nexthop routes are default routes. + +3) Restore :- in masq file. + +4) Correct default route safe/restore. + Changes in Shorewall 4.4.19 Final 1) Update release documents. diff --git a/Shorewall/install.sh b/Shorewall/install.sh index bf7bd17e8..e398469ca 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { @@ -331,7 +331,7 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer # Install wait4ifup # -install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755 +install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup 0755 echo echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup" @@ -827,7 +827,7 @@ cd Perl install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755 echo -echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl" +echo "Compiler installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl" # # Install the params file helper # 
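Review bot: The `fgrep -qv metric` test in the prog.header6 hunk carries an IPv4 assumption into IPv6: in my experience `ip -6 route` prints a metric on essentially every route (kernel-autoconfigured and RA-learned defaults use 1024), so this condition will rarely hold, and for the same reason the `*metric*)` branch in the preceding hunk leaves the saved IPv6 default route unrestored unless USE_DEFAULT_RT is set. That mirrors the IPv4 logic, but for IPv6 it means 'shorewall6 stop' typically does not put the original default route back. If that is the expected behaviour, a comment such as `# NOTE: IPv6 default routes normally carry a metric (e.g. 1024), so without USE_DEFAULT_RT the saved route is not restored` would save the next reader a debugging session; otherwise compare the metric value rather than its mere presence. restore_default_route's return is outside the hunk.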
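Review bot: The wait4ifup install target moves from `/usr/share/shorewall` to `/usr/${LIBEXEC}/shorewall`, but nothing removes the copy an earlier release put at the old path, so upgraded systems keep a stale `/usr/share/shorewall/wait4ifup` beside the new one. The script already handles exactly this for prog.footer a few lines above; mirroring it with `delete_file ${DESTDIR}/usr/share/shorewall/wait4ifup` before the new install_file line cleans it up, and is harmless even if `${LIBEXEC}` happens to be `share` since the install follows the delete.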
diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index e521b4c56..9f103a1ec 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -1,3 +1,22 @@ 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. + Corrected in Shorewall 4.4.19.1 + +2) There is a harmless duplicate ACCEPT rule in the INPUT filter chain + when the firewall is stopped. + + Corrected in Shorewall 4.4.19.1 + +3) Shorewall interprets all 'nexthop' routes as default routes when + analyzing the pre-start routing configuration. This can lead to + unwanted default routes when the firewall was started or stopped. + + Corrected in Shorewall 4.4.19.1 + +3) A defect introduced in Shorewall 4.4.17 broke the ability to + specify ':-' in the ADDRESS column of + /etc/shorewall/masq. + + Corrected in Shorewall 4.4.19.1 + diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 3021c65f5..769f392fb 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 9 + S H O R E W A L L 4 . 4 . 1 9 . 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -13,6 +13,36 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.19.2 + +None. + +4.4.19.1 + +1) A duplicate ACCEPT rule in the INPUT chain has been eliminated when + the firewall is stopped. + +2) A defect introduced in Shorewall 4.4.17 broke the ability to + specify ':-' in the ADDRESS column of + /etc/shorewall/masq. + +3) Several long-standing defects having to do with default route + save/restore have been corrected in the Multi-ISP implementation. + + a) Shorewall previously interpreted all 'nexthop' routes as + default routes when analyzing the pre-start routing + configuration. This could lead to unwanted default routes when + the firewall was started or stopped. + + b) The default route with metric 0 was usually not restored + during 'stop' processing. + + c) If there were multiple default routes in the main table prior + to 'shorewall start' and USE_DEFAULT_RT was set, only the + first one with metric 0 was deleted. + +4.4.19 + 1) Corrected a problem in optimize level 4 that resulted in the following compile-time failure. diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 44803ae9f..67111feb4 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 4.4.19 -%define release 0base +%define release 2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name} @@ -109,6 +109,10 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog +* Sat Apr 16 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-2 +* Wed Apr 13 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-1 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-0base * Sun Apr 03 2011 Tom Eastep tom@shorewall.net 
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index cabe7b382..0f2d287c1 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh index fff6b9367..f74a3180d 100755 --- a/Shorewall6-lite/install.sh +++ b/Shorewall6-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec index a2501be95..4f00a484a 100644 --- a/Shorewall6-lite/shorewall6-lite.spec +++ b/Shorewall6-lite/shorewall6-lite.spec @@ -1,6 +1,6 @@ %define name shorewall6-lite %define version 4.4.19 -%define release 0base +%define release 2 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -94,6 +94,10 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Sat Apr 16 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-2 +* Wed Apr 13 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-1 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-0base * Sun Apr 03 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 21c27d693..aa68dd84c 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index 0802eaa85..43564dd44 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh 
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status { diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index a530beff0..ddb9c4e1f 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,6 +1,6 @@ %define name shorewall6 %define version 4.4.19 -%define release 0base +%define release 2 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name} @@ -98,6 +98,10 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Sat Apr 16 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-2 +* Wed Apr 13 2011 Tom Eastep tom@shorewall.net +- Updated to 4.4.19-1 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-0base * Sun Apr 03 2011 Tom Eastep tom@shorewall.net diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 6ee42606a..4a4eb6e45 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.4.19 +VERSION=4.4.19.2 usage() # $1 = exit status {