diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 1920c3697..696ca5ad7 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,6 +2,9 @@ Changes in 3.2.0 Beta 5
1) Fix compilation problem on LEAF Bering.
+2) Remove traffic shaping code from the 'firewall' script to avoid
+ unmaintainable code duplication.
+
Changes in 3.2.0 Beta 4
1) Fix 'routeback' with bridge ports.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index e43785f82..29e4869e7 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -132,7 +132,6 @@ run_iptables() {
fi
save_command "$IPTABLES_COMMAND $@"
-
}
#
diff --git a/Shorewall/firewall b/Shorewall/firewall
index eb10a3d1c..ca0e5152c 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -89,13 +89,15 @@ report () { # $* = message
#
# Run iptables and if an error occurs, stop the firewall and quit
#
run_iptables() {
- #
- # Purge the temporary files that we use to prevent duplicate '-m' specifications
- #
- [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
- [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+ if [ -z "$KLUDGEFREE" ]; then
+ #
+ # Purge the temporary files that we use to prevent duplicate '-m' specifications
+ #
+ [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+ [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+ fi
- if ! $IPTABLES $@ ; then
+ if ! $IPTABLES $@ ; then
if [ -z "$STOPPING" ]; then
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
stop_firewall
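Review bot: The `KLUDGEFREE` guard around the purge of `$TMP_DIR/physdev` and `$TMP_DIR/iprange` is now spelled out in full here in run_iptables, again in qt_iptables in the next hunk, and as a third unconditional variant in do_initialize near the end of the diff, which is the same kind of duplication the commit says it is removing. A small helper called from both iptables wrappers keeps the condition in one place, lets the redundant `[ -f ... ] &&` pre-check in front of `rm -f` go, and is the one spot to quote `$TMP_DIR` and guard it with `${TMP_DIR:?}` so an unset value cannot turn the target into `/physdev`. Nothing in the diff shows where `KLUDGEFREE` is set, so its meaning is inferred from the code it disables; the body of run_iptables continues past the end of the hunk.
```shell
#
# Remove the marker files used to prevent duplicate '-m' specifications.
# They are only in play when KLUDGEFREE is unset.
#
purge_match_markers() {
    [ -z "$KLUDGEFREE" ] || return 0
    [ -n "$BRIDGING" ] && rm -f -- "${TMP_DIR:?}/physdev"
    [ -n "$IPRANGE_MATCH" ] && rm -f -- "${TMP_DIR:?}/iprange"
    return 0
}

run_iptables() {
    purge_match_markers

    if ! $IPTABLES $@ ; then
    # … unchanged: error_message / stop_firewall handling …
```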
@@ -124,11 +126,13 @@ run_iptables2() {
# Quietly run iptables
#
qt_iptables() {
- #
- # Purge the temporary files that we use to prevent duplicate '-m' specifications
- #
- [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
- [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+ if [ -z "$KLUDGEFREE" ]; then
+ #
+ # Purge the temporary files that we use to prevent duplicate '-m' specifications
+ #
+ [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+ [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+ fi
qt $IPTABLES $@
}
@@ -443,7 +447,9 @@ first_chains() #$1 = interface
#
iprange_echo()
{
- if [ -f $TMP_DIR/iprange ]; then
+ if [ -n "$KLUDGEFREE" ]; then
+ echo "-m iprange $@"
+ elif [ -f $TMP_DIR/iprange ]; then
echo $@
else
echo "-m iprange $@"
@@ -456,24 +462,28 @@ iprange_echo()
#
get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
{
+ #
+ # Note: There is a lot of unnecessary evaluation in this function just so my text
+ # editor (kate) doesn't get lost trying to follow the shell syntax for highlighting.
+ #
local temp setname=$1 options=$2
[ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
case $1 in
*\[[1-6]\])
- temp=${1#*\[}
- temp=${temp%\]}
- setname=${1%\[*}
+ eval temp='${1#*\[}'
+ eval temp='${temp%\]}'
+ eval setname='${1%\[*}'
while [ $temp -gt 1 ]; do
options="$options,$2"
temp=$(($temp - 1))
done
;;
*\[*\])
- options=${1#*\[}
- options=${options%\]}
- setname=${1%\[*}
+ eval options='${1#*\[}'
+ eval options='${options%\]}'
+ eval setname='${1%\[*}'
;;
*)
;;
@@ -487,7 +497,9 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
#
physdev_echo()
{
- if [ -f $TMP_DIR/physdev ]; then
+ if [ -n "$KLUDGEFREE" ]; then
+ echo -m physdev $@
+ elif [ -f $TMP_DIR/physdev ]; then
echo $@
else
echo -m physdev $@
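Review bot: The new first arm of iprange_echo prints the same thing as the existing `else` arm, `echo "-m iprange $@"`, so the `if`/`elif`/`else` suggests three outcomes where there are two; physdev_echo in the last hunk on this line gets the identical shape. If the `else` arm does nothing beyond the echo, the two collapse to `if [ -z "$KLUDGEFREE" ] && [ -f $TMP_DIR/iprange ]; then echo $@; else echo "-m iprange $@"; fi`; if it also writes the marker file after the hunk ends (the function runs past the hunk, so I cannot see), a comment above the new arm such as `# KLUDGEFREE: the duplicate '-m' marker file is not used, always emit the match` says why the arm exists. Quoting also differs between the pair, `echo "-m iprange $@"` here against `echo -m physdev $@` below; one form for both makes them easier to compare.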
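Review bot: `eval temp='${1#*\[}'` and the five sibling lines put `eval` on a value that arrives in `$1` from the user's configuration (the set name, per the function's own comment), purely so an editor highlights the expansion. The single quotes do make it safe — eval parses the literal `temp=${1#*\[}` once and never re-parses the expanded set name — but that is one dropped quote pair away from executing configuration text, and every security reviewer will stop here to re-derive it. I would keep the plain `temp=${1#*\[}` forms and, if the `\[` escape is what confuses the highlighter, spell the patterns as bracket expressions, `${1#*[[]}`, `${temp%[]]}` and `${1%[[]*}`, which the shell treats identically; if eval stays, add `# Single quotes are load-bearing: eval must see the literal expansion, not the expanded name` so the reason it is safe travels with the code. The `case` continues and get_set_flags ends past the end of the hunk.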
@@ -1551,677 +1563,6 @@ setup_ecn() # $1 = file name fi } -# -# Set up an exclusion chain -# -build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list -{ - local c=excl_${EXCLUSION_SEQ} net - - EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 )) - - run_iptables -t $2 -N $c - - for net in $(separate_list $3); do - run_iptables -t $2 -A $c $(source_ip_range $net) -j RETURN - done - - for net in $(separate_list $4); do - run_iptables -t $2 -A $c $(dest_ip_range $net) -j RETURN - done - - case $2 in - filter) - eval exists_${c}=Yes - ;; - nat) - eval exists_nat_${c}=Yes - ;; - esac - - eval $1=$c -} - -# -# Arne Bernin's 'tc4shorewall' -# -setup_traffic_shaping() -{ - local mtu r2q tc_all_devices device mark rate ceil prio options devfile=$(find_file tcdevices) classfile=$(find_file tcclasses) devnum=1 - mtu=1500 - r2q=10 - - rate_to_kbit() { - local rateunit rate - rate=$1 - rateunit=$( echo $rate | sed -e 's/[0-9]*//') - rate=$( echo $rate | sed -e 's/[a-z]*//g') - - case $rateunit in - kbit) - rate=$rate - ;; - mbit) - rate=$(expr $rate \* 1024) - ;; - mbps) - rate=$(expr $rate \* 8192) - ;; - kbps) - rate=$(expr $rate \* 8) - ;; - *) - rate=$(expr $rate / 128) - ;; - esac - echo $rate - } - - calculate_quantum() { - local rate - rate=$1 - rate=$(rate_to_kbit $rate) - rate=$(expr $rate \* 128 / $r2q ) - if [ $rate -lt $mtu ] ; then - echo $mtu - else - echo $rate - fi - } - - # get given outbandwidth for device - get_outband_for_dev() { - local device inband outband - while read device inband outband; do - expandv device inband outband - tcdev="$device $inband $outband" - if [ "$1" = "$device" ] ; then - echo $outband - return - fi - done < $TMP_DIR/tcdevices - } - - check_tcclasses_options() { - while [ $# -gt 1 ]; do - shift - case $1 in - default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service) - ;; - 
tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f]) - ;; - *) - echo $1 - return 1 - ;; - esac - done - return 0 - } - - get_defmark_for_dev() { - local searchdev searchmark device ceil prio options - searchdev=$1 - - while read device mark rate ceil prio options; do - expandv device mark rate ceil prio options - options=$(separate_list $options | tr '[A-Z]' '[a-z]') - tcdev="$device $mark $rate $ceil $prio $options" - if [ "$searchdev" = "$device" ] ; then - list_search "default" $options && echo $mark &&return 0 - fi - done < $TMP_DIR/tcclasses - - return 1 - } - - check_defmark_for_dev() { - get_defmark_for_dev $1 >/dev/null - } - - validate_tcdevices_file() { - progress_message2 "Validating $devfile..." - local device local device inband outband - while read device inband outband; do - expandv device inband outband - tcdev="$device $inband $outband" - check_defmark_for_dev $device || fatal_error "Option default is not defined for any class in tcclasses for interface $device" - case $interface in - *:*|+) - fatal_error "Invalid Interface Name: $interface" - ;; - esac - list_search $device $devices && fatal_error "Interface $device is defined more than once in tcdevices" - tc_all_devices="$tc_all_devices $device" - done < $TMP_DIR/tcdevices - } - - validate_tcclasses_file() { - progress_message2 "Validating $classfile..." - local classlist device mark rate ceil prio bandw wrongopt allopts opt - allopts="" - while read device mark rate ceil prio options; do - expandv device mark rate ceil prio options - tcdev="$device $mark $rate $ceil $prio $options" - ratew=$(get_outband_for_dev $device) - options=$(separate_list $options | tr '[A-Z]' '[a-z]') - for opt in $options; do - case $opt in - tos=0x??) 
- opt="$opt/0xff" - ;; - esac - list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" - allopts="$allopts $device-$opt" - done - wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file" - if [ -z "$ratew" ] ; then - fatal_error "device $device seems not to be configured in tcdevices" - fi - list_search "$device-$mark" $classlist && fatal_error "Mark $mark for interface $device defined more than once in tcclasses" - classlist="$classlist $device-$mark" - done < $TMP_DIR/tcclasses - } - - add_root_tc() { - local defmark - defmark=$(get_defmark_for_dev $device) - qt tc qdisc del dev $device root - qt tc qdisc del dev $device ingress - run_tc qdisc add dev $device root handle $devnum: htb default 1$defmark - run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $outband - run_tc qdisc add dev $device handle ffff: ingress - run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband} burst 10k drop flowid :1 - eval $(chain_base $device)_devnum=$devnum - devnum=$(($devnum + 1)) - } - - add_tc_class() { - local full classid tospair tosmask - full=$(get_outband_for_dev $device) - full=$(rate_to_kbit $full) - - if [ -z "$prio" ] ; then - prio=1 - fi - - case $rate in - *full*) - rate=$(echo $rate | sed -e "s/full/$full/") - rate="$(($rate))kbit" - ;; - esac - - case $ceil in - *full*) - ceil=$(echo $ceil | sed -e "s/full/$full/") - ceil="$(($ceil))kbit" - ;; - esac - - eval devnum=\$$(chain_base $device)_devnum - classid=$devnum:1$mark - - [ -n "$devnum" ] || fatal_error "Device $device not defined in $devfile" - - run_tc class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio quantum $(calculate_quantum $rate) - run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10 - # add filters - if [ -n 
"$CLASSIFY_TARGET" ]; then - run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark -j CLASSIFY --set-class $classid - else - run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid - fi - #options - list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid - list_search "tos-minimize-delay" $options && options="$options tos=0x10/0x10" - list_search "tos-maximize-throughput" $options && options="$options tos=0x08/0x08" - list_search "tos-maximize-reliability" $options && options="$options tos=0x04/0x04" - list_search "tos-minimize-cost" $options && options="$options tos=0x02/0x02" - list_search "tos-normal-service" $options && options="$options tos=0x00/0x1e" - - for tospair in $(list_walk "tos=" $options) ; do - case $tospair in - */*) - tosmask=${tospair##*/} - ;; - *) - tosmask=0xff - ;; - esac - run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid - done - } - - strip_file tcdevices $devfile - strip_file tcclasses $classfile - - validate_tcdevices_file - validate_tcclasses_file - - if [ -s $TMP_DIR/tcdevices ]; then - progress_message2 "Processing $devfile..." - - while read device inband outband defmark ackmark; do - expandv device inband outband defmark ackmark - tcdev="$device $inband $outband" - add_root_tc - progress_message " TC Device $tcdev Added." - done < $TMP_DIR/tcdevices - fi - - if [ -s $TMP_DIR/tcclasses ]; then - progress_message2 "Processing $classfile..." - - while read device mark rate ceil prio options; do - expandv device mark rate ceil prio options - tcdev="$device $mark $rate $ceil $prio $options" - options=$(separate_list $options | tr '[A-Z]' '[a-z]') - add_tc_class - progress_message " TC Class \"$tcdev\" Added." 
- done < $TMP_DIR/tcclasses - fi - -} - -# -# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the -# default marking chain -# -process_tc_rule() -{ - chain=$MARKING_CHAIN target="MARK --set-mark" marktest= - - verify_designator() { - [ "$chain" = tcout ] && \ - fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" - chain=$1 - mark="${mark%:*}" - } - - do_ipp2p() - { - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - [ "x$port" = "x-" ] && port="ipp2p" - - case $proto in - *:*) - proto=${proto#*:} - ;; - *) - proto=tcp - ;; - esac - - r="${r}-p $proto -m ipp2p --${port} " - } - - add_a_tc_rule() { - r= - - if [ "x$source" != "x-" ]; then - case $source in - $FW:*) - [ $chain = tcpost ] || chain=tcout - r="$(source_ip_range ${source#*:}) " - ;; - *.*.*|+*|!+*) - r="$(source_ip_range $source) " - ;; - ~*) - r="$(mac_match $source) " - ;; - $FW) - [ $chain = tcpost ] || chain=tcout - ;; - *) - verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" - r="$(match_source_dev $source) " - ;; - esac - fi - - if [ "x${user:--}" != "x-" ]; then - - [ "$chain" != tcout ] && \ - fatal_error "Invalid use of a user/group: rule \"$rule\"" - - r="$r-m owner" - - case "$user" in - *+*) - r="$r --cmd-owner ${user#*+} " - user=${user%+*} - ;; - esac - - case "$user" in - *:*) - temp="${user%:*}" - [ -n "$temp" ] && r="$r --uid-owner $temp " - temp="${user#*:}" - [ -n "$temp" ] && r="$r --gid-owner $temp " - ;; - *) - [ -n "$user" ] && r="$r --uid-owner $user " - ;; - esac - fi - - [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " - - if [ "x$dest" != "x-" ]; then - case $dest in - *.*.*|+*|!+*) - r="${r}$(dest_ip_range $dest) " - ;; - *) - [ "$chain" = tcpre ] && fatal_error "Destination interface is not allowed in the PREROUTING chain" - verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" - 
r="${r}$(match_dest_dev $dest) " - ;; - esac - fi - - if [ "x${length:=-}" != "x-" ]; then - [ -n "$LENGTH_MATCH" ] || fatal_error "Your kernel and/or iptables does not have length match support. Rule: \"$rule\"" - r="${r}-m length --length ${length} " - fi - - multiport= - - case $proto in - ipp2p|IPP2P|ipp2p:*|IPP2P:*) - do_ipp2p - ;; - icmp|ICMP|1) - r="${r}-p icmp " - [ "x$port" = "x-" ] || r="${r}--icmp-type $port" - ;; - *) - [ "x$proto" = "x-" ] && proto=all - [ "x$proto" = "x" ] && proto=all - [ "$proto" = "all" ] || r="${r}-p $proto " - [ "x$port" = "x-" ] || r="${r}--dport $port " - ;; - esac - - [ "x$sport" = "x-" ] || r="${r}--sport $sport " - - if [ -n "${excludesources}${excludedests}" ]; then - build_exclusion_chain chain1 mangle "$excludesources" "$excludedests" - - run_iptables2 -t mangle -A $chain $r -j $chain1 - - run_iptables -t mangle -A $chain1 -j $target $mark - else - run_iptables2 -t mangle -A $chain $r -j $target $mark - fi - - } - - if [ "$mark" != "${mark%:*}" ]; then - case "${mark#*:}" in - p|P) - verify_designator tcpre - ;; - cp|CP) - verify_designator tcpre - target="CONNMARK --set-mark" - ;; - f|F) - verify_designator tcfor - ;; - cf|CF) - verify_designator tcfor - target="CONNMARK --set-mark" - ;; - c|C) - target="CONNMARK --set-mark" - mark=${mark%:*} - ;; - *) - chain=tcpost - target="CLASSIFY --set-class" - ;; - esac - - fi - - case $mark in - SAVE) - target="CONNMARK --save-mark --mask 255" - mark= - ;; - SAVE/*) - target="CONNMARK --save-mark --mask" - mark=${mark#*/} - verify_mark $mark - ;; - RESTORE) - target="CONNMARK --restore-mark --mask 255" - mark= - ;; - RESTORE/*) - target="CONNMARK --restore-mark --mask" - mark=${mark#*/} - verify_mark $mark - ;; - CONTINUE) - target=RETURN - mark= - ;; - *) - if [ "$chain" != tcpost ]; then - verify_mark $mark - fi - ;; - esac - - case $testval in - -) - ;; - !*:C) - marktest="connmark ! 
" - testval=${testval%:*} - testval=${testval#!} - ;; - *:C) - marktest="connmark " - testval=${testval%:*} - ;; - !*) - marktest="mark ! " - testval=${testval#!} - ;; - *) - [ -n "$testval" ] && marktest="mark " - ;; - esac - - if [ -n "$marktest" ] ; then - case $testval in - */*) - verify_mark ${testval%/*} - verify_mark ${testval#*/} - ;; - *) - verify_mark $testval - testval=$testval/255 - ;; - esac - fi - - excludesources= - - case ${sources:=-} in - *!*!*) - fatal_error "Invalid SOURCE in rule \"$rule\"" - ;; - !*) - if [ $(list_count $sourcess) -gt 1 ]; then - excludesources=${sources#!} - sources=- - fi - ;; - *!*) - excludesources=${sources#*!} - sources=${sources%!*} - ;; - esac - - excludedests= - - case ${dests:=-} in - *!*!*) - fatal_error "Invalid DEST in rule \"$rule\"" - ;; - !*) - if [ $(list_count $dests) -gt 1 ]; then - excludedests=${dests#*!} - dests=- - fi - ;; - *!*) - excludedests=${dests#*!} - dests=${dests%!*} - ;; - esac - - for source in $(separate_list $sources); do - for dest in $(separate_list $dests); do - for port in $(separate_list ${ports:=-}); do - for sport in $(separate_list ${sports:=-}); do - add_a_tc_rule - done - done - done - done - - progress_message " TC Rule \"$rule\" added" -} - -# -# Setup queuing and classes -# -setup_tc1() { - # - # Create the TC mangle chains - # - - createmanglechain tcpre - createmanglechain tcfor - createmanglechain tcout - createmanglechain tcpost - # - # Process the TC Rules File - # - strip_file tcrules - - while read mark sources dests proto ports sports user testval length; do - expandv mark sources dests proto ports sports user testval length - rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length") - process_tc_rule - done < $TMP_DIR/tcrules - # - # Link to the TC mangle chains from the main chains - # - - if [ -n "$ROUTEMARK_INTERFACES" ]; then - # - # Route marks are restored in PREROUTING/OUTPUT prior to these rules. 
We only send - # packets that are not part of a marked connection to the 'tcpre/tcout' chains - # - run_iptables -t mangle -A PREROUTING -m mark --mark 0 -j tcpre - run_iptables -t mangle -A OUTPUT -m mark --mark 0 -j tcout - else - run_iptables -t mangle -A PREROUTING -j tcpre - run_iptables -t mangle -A OUTPUT -j tcout - fi - run_iptables -t mangle -A FORWARD -j tcfor - run_iptables -t mangle -A POSTROUTING -j tcpost - - if [ -n "$TC_SCRIPT" ]; then - run_user_exit $TC_SCRIPT - elif [ -n "$TC_ENABLED" ]; then - setup_traffic_shaping - fi -} - -setup_tc() { - - progress_message2 "Setting up Traffic Control Rules..." - - setup_tc1 -} - -# -# Clear Traffic Shaping -# -delete_tc() -{ - clear_one_tc() { - tc qdisc del dev $1 root 2> /dev/null - tc qdisc del dev $1 ingress 2> /dev/null - - } - - run_user_exit tcclear - - run_ip link list | \ - while read inx interface details; do - case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; - esac - done -} - -# -# Refresh queuing and classes -# -refresh_tc() { - - progress_message2 "Refreshing Traffic Control Rules..." 
-
- [ -n "$CLEAR_TC" ] && delete_tc1
-
- [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
-
- if qt $IPTABLES -t mangle -L $chain -n ; then
- #
- # Flush the TC mangle chains
- #
- run_iptables -t mangle -F tcfor
- run_iptables -t mangle -F tcpre
- run_iptables -t mangle -F tcout
- run_iptables -t mangle -F tcpost
- #
- # Process the TC Rules File
- #
- strip_file tcrules
-
- while read mark sources dests proto ports sports user testval length; do
- expandv mark sources dests proto ports sports user testval length
- rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval $length")
- process_tc_rule
- done < $TMP_DIR/tcrules
- else
- setup_tc1
- fi
-
- if [ -n "$TC_SCRIPT" ]; then
- run_user_exit $TC_SCRIPT
- elif [ -n "$TC_ENABLED" ]; then
- setup_traffic_shaping
- fi
-
-}
-
-#
# Display elements of a list with leading white space
#
display_list() # $1 = List Title, rest of $* = list to display
@@ -2229,41 +1570,6 @@ display_list() # $1 = List Title, rest of $* = list to display
[ $# -gt 1 ] && echo " $*"
}
-policy_rules() # $1 = chain to add rules to
- # $2 = policy
- # $3 = loglevel
-{
- local target="$2"
-
- case "$target" in
- ACCEPT)
- [ -n "$ACCEPT_common" ] && run_iptables -A $1 -j $ACCEPT_common
- ;;
- DROP)
- [ -n "$DROP_common" ] && run_iptables -A $1 -j $DROP_common
- ;;
- REJECT)
- [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common
- target=reject
- ;;
- QUEUE)
- [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common
- ;;
- CONTINUE)
- target=
- ;;
- *)
- fatal_error "Invalid policy ($policy) for $1"
- ;;
- esac
-
- if [ $# -eq 3 -a "x${3}" != "x-" ]; then
- log_rule $3 $1 $2
- fi
-
- [ -n "$target" ] && run_iptables -A $1 -j $target
-}
-
#
# Add a record to the blacklst chain
#
@@ -2463,10 +1769,6 @@ refresh_firewall()
ecn=$(find_file ecn)
[ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn
- #
- # Refresh Traffic Control
- #
- [ -n "$MANGLE_ENABLED" ] && refresh_tc
run_user_exit refreshed
@@ -3156,7 +2458,6 @@ do_initialize() {
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
-
case ${IPSECFILE:=ipsec} in
ipsec|zones)
;;
@@ -3216,8 +2517,11 @@ do_initialize() {
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
- rm -f $TMP_DIR/physdev
- rm -f $TMP_DIR/iprange
+ if [ -z "$KLUDGEFREE" ]; then
+ rm -f $TMP_DIR/physdev
+ rm -f $TMP_DIR/iprange
+ fi
+
}
#
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 92ef2baba..5fa5b0e00 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -29,7 +29,7 @@ Note to users upgrading from Shorewall 2.x or 3.0
Problems Corrected in 3.2.0 Beta 5
-1) On systems such as LEAF Bering that either don't have the 'mktemp' utility
+1) On systems such as LEAF Bering that either don't have the 'mktemp' utility
or whose 'mktemp' cannot create a temporary directory, firewall compilation
failed with the message:
@@ -40,7 +40,9 @@ Problems Corrected in 3.2.0 Beta 5
Other changes in 3.2.0 Beta 5
-None.
+1) The "shorewall refresh" command no longer refreshes traffic shaping.
+ Use "shorewall restart" instead if you need to reprocess the
+ tcrules, tcdevices and tcclasses files.
Migration Considerations: