diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 9a6056511..22b64d24a 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -12,6 +12,8 @@ Changes in 4.0.0 Beta 6 6) First step to adding compiler debugging facility. +7) Assume that iptables-restore is in the same directory as $IPTABLES + Changes in 4.0.0 Beta 5 1) Fix undefined function call when both an input interface and an diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 7f9d83fbb..07b065c36 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 4.0.0 Beta 6 +Shorewall 4.0.0 Beta 7 ---------------------------------------------------------------------------- R E L E A S E H I G H L I G H T S ---------------------------------------------------------------------------- 
@@ -15,85 +15,31 @@ Shorewall 4.0.0 Beta 6 You must install Shorewall and at least one of the compiler packages (you may install them both). -Problems corrected in 4.0.0 Beta 6. +3) The facilities for supporting bridge/firewalls under earlier + releases are deprecated and their documentation is omitted from the + 4.0 distribution. New bridge support is implemented in the + Shorewall-perl compiler. This support utilizes the reduced-function + physdev match support available in Linux kernel 2.6.20 and later. -1) With Shorewall-perl, an invalid DISPOSITION in an - /etc/shorewall/maclist entry would cause Perl error messages to be - issued. +Problems corrected in 4.0.0 Beta 7. -2) Shorewall-perl now catches invalid interface names in the - /etc/shorewall/routestopped file. +None. -3) DYNAMIC_ZONES=Yes can now coexist with Shorewall-perl's 'bport' - zones. Those zones themselves may not be dynamically modified but - the presence of bport zones no longer causes the 'shorewall add' - command to fail. +Other changes in Shorewall 4.0.0 Beta 7 -Other changes in Shorewall 4.0.0 Beta 6 +1) When an /sbin/shorewall command that begins with 'debug' or 'trace' + invokes the Shorewall-perl compiler, the compiler will include + additional debugging information in its warning and error + messages. This additional information is intended to help the + people supporting Shorewall to diagnose the cause of the message. -1) When a Shorewall release includes detection of an additional - capability, existing capabilities files become out of - date. Previously, this condition was not detected. +2) The script generated by Shorewall-perl now assumes that + iptables-restore is in the same directory as the program specified + in the IPTABLES setting in Shorewall-conf. - Beginning with this release, each generated capabilities file - contains a CAPVERSION specification which defines the capabilities - version of the file. 
If the CAPVERSION in a capabilities file is - less than the current CAPVERSION, then Shorewall will issue the - following message: - - WARNING: is out of date -- it does not contain all of - the capabilities defined by Shorewall version - - where - - is the name of the capabilities file. - is the current Shorewall version. - - Existing capabilities files contain no CAPVERSION. When such a file - is read, Shorewall will issue this message: - - WARNING: may be not contain all of the capabilities defined - by Shorewall version - -2) When a directory is specified in a command such as 'start' or - 'compile', Shorewall now reads the shorewall.conf file (if any) in - that directory before deciding which compiler to use. So if - SHOREWALL_COMPILER is not specified in - /etc/shorewall/shorewall.conf and the -C option was not specified - on the run-line, then if both Shorewall-shell and Shorewall-perl - are installed, the additional shorewall.conf file is read to see if - it specifies a SHOREWALL_COMPILER. - -3) Previously, Shorewall-perl read /etc/protocols and /etc/services - during compiler startup to build internal protocol and service - tables. This had a fixed cost of up to one half second or more, - depending on the speed of the system and the distribution - (The /etc/services released with OpenSuSE 10.2 is over 14,000 - lines!!) These tables are now initialized by the Perl compiler - which speeds up compilation considerably. - - During installation, Shorewall generates the Perl module - /usr/share/shorewall-perl/Shorewall/Ports.pm, using your - /etc/protocols and /etc/services as input. - - To re-generate the module from those two files: - - 1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm - file. - 2. /usr/share/shorewall-perl/buildports.pl > \ - /usr/share/shorewall-perl/Shorewall/Ports.pm - - Note: If the buildports.pl program fails to run to a successful - completion during installation, a fallback version of - module will be installed. 
That fallback module was generated from - the /etc/protocols and /etc/services shipped with Ubuntu Feisty - Fawn. - - Even if the buildports.pl program runs successfully, the fallback - module is also installed as - /usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you - encounter problems with the generated module, simply copy the - fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm. + If IPTABLES is not specified, then the iptables utility is located + using the PATH setting and the iptables-restore program from the + same directory is used. Migration Considerations: @@ -716,6 +662,29 @@ Migration Considerations: the MARK/CLASSIFY column of /etc/shorewall/tcrules against the classes generated by /etc/shorewall/tcclasses. +16) During installation, Shorewall generates the Perl module + /usr/share/shorewall-perl/Shorewall/Ports.pm, using your + /etc/protocols and /etc/services as input. + + To re-generate the module from those two files: + + 1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm + file. + 2. /usr/share/shorewall-perl/buildports.pl > \ + /usr/share/shorewall-perl/Shorewall/Ports.pm + + Note: If the buildports.pl program fails to run to a successful + completion during installation, a fallback version of + module will be installed. That fallback module was generated from + the /etc/protocols and /etc/services shipped with Ubuntu Feisty + Fawn. + + Even if the buildports.pl program runs successfully, the fallback + module is also installed as + /usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you + encounter problems with the generated module, simply copy the + fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm. + ---------------------------------------------------------------------------- P R E R E Q U I S I T E S ---------------------------------------------------------------------------- 
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 325935b74..e3776639f 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -1956,7 +1956,7 @@ sub create_netfilter_load() { '', 'progress_message2 "Running iptables-restore..."', '', - 'iptables-restore < ${VARDIR}/.iptables-restore-input' + '$IPTABLES_RESTORE < ${VARDIR}/.iptables-restore-input' ); emitj( 'if [ $? != 0 ]; then', diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index 419bebde7..e2ac901ec 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -172,6 +172,9 @@ sub generate_script_1() { ); } + emitj( 'IPTABLES_RESTORE=${IPTABLES}-restore', + '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' ); + append_file 'params' if $config{EXPORTPARAMS}; emitj ( '',
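Review bot: in the changelog.txt hunk, the new entry `7) Assume that iptables-restore is in the same directory as $IPTABLES` is filed under the `Changes in 4.0.0 Beta 6` heading, while the releasenotes.txt hunks in the same patch list the identical change under `Other changes in Shorewall 4.0.0 Beta 7`. Add a `Changes in 4.0.0 Beta 7` heading to changelog.txt and move item 7 under it, otherwise the two files disagree about which release introduced the behaviour.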
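Review bot: in the second releasenotes.txt hunk, the added paragraph `If IPTABLES is not specified, then the iptables utility is located using the PATH setting and the iptables-restore program from the same directory is used` documents a PATH lookup that none of the code hunks in this patch perform; the Compiler.pm hunk only expands `${IPTABLES}-restore`. If that lookup already happens elsewhere in the compiler before IPTABLES is written into the script, please confirm it, since this paragraph is the only place the fallback is described. The paragraph should also say plainly that the generated script now stops with a startup error when iptables-restore is not beside iptables, because that is a new failure mode for installations whose iptables-restore lives elsewhere on PATH.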
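Review bot: in the Chains.pm hunk, the emitted line `'$IPTABLES_RESTORE < ${VARDIR}/.iptables-restore-input'` leaves `$IPTABLES_RESTORE` unquoted in the generated shell script, whereas the Compiler.pm hunk quotes it in the `-x` test. Quote it here as well, e.g. `'"$IPTABLES_RESTORE" < ${VARDIR}/.iptables-restore-input'`, so a path containing whitespace is handled the same way in both places.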
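Review bot: in the Compiler.pm hunk, `IPTABLES_RESTORE=${IPTABLES}-restore` is emitted unconditionally, so if `IPTABLES` is empty at that point in the generated script the variable becomes the literal `-restore` and the following `[ -x "$IPTABLES_RESTORE" ]` test fails with `-restore does not exist or is not executable`, which does not point the user at the real cause. Either make sure the assignment of IPTABLES is emitted earlier in generate_script_1() (not visible in this hunk) or add a startup_error for an unset IPTABLES before deriving IPTABLES_RESTORE. The `-x` check itself is the right approach: it reports the problem at startup instead of at the restore invocation in create_netfilter_load().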