Flag dynamically added host groups in /var/lib/shorewall/zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6344 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-15 12:14:32 +01:00 · 2007-05-14 14:51:27 +00:00 · 2007-05-14 14:51:27 +00:00 · e80887169f
commit e80887169f
parent 3aec0bd800
4 changed files with 78 additions and 65 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -1,5 +1,11 @@
 Changes in 3.9.8
 1)  Fix add/delete <interface>.
 2)  Fix do_proto() and 'use IPConfig' in Providers.pm.
 3)  Implement dynamic host group detection.
 Changes in 3.9.7
 1)  Clean up release notes.
--- a/Shorewall-common/lib.config
+++ b/Shorewall-common/lib.config
@ -390,7 +390,7 @@ validate_interfaces_file() {
 		    [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
 		    ;;
 		*)
-		    error_message "WARNING: Invalid option ($option) in record \"$r\""
+		    [ $PROGRAM = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\""
 		    ;;
 	    esac
 	done
--- a/Shorewall-common/lib.dynamiczones
+++ b/Shorewall-common/lib.dynamiczones
@ -126,9 +126,9 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
 		    ;;
 		*)
 		    for h in $hostlist; do
-			list_search $h $hosts
+			list_search +$h $hosts
 			if [ "$?" -gt 0 ]; then
-			    newhostlist="$newhostlist $h"
+			    newhostlist="$newhostlist +$h"
 			else
 			    error_message "$h already in zone $zone"
 			fi
@ -155,6 +155,7 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
        # Isolate interface and host parts
        #
 	interface=${newhost%%:*}
 	interface=${interface#+}
 	host=${newhost#*:}
        #
        # If the zone passed in the command has a dnat chain then insert a rule in
@ -308,19 +309,25 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 	    for host in $hostlist; do
 		found=
 		for h in $temp; do
-		    if [ "$h" = "$host" ]; then
+		    if [ "$h" = "+$host" ]; then
 			found=Yes
 			break
 		    fi
 		    if [ "$h" = "$host" ]; then
 			found=No
 			break
 		    fi
 		done
 		[ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
 		[ "$found" = No ] && startup_error "$host is a permanent member of zone $zone"
 	    done
 	    for h in $temp; do
 		found=
 		for host in $hostlist; do
-		    if [ "$h" = "$host" ]; then
+		    if [ "$h" = "+$host" ]; then
 			found=Yes
 			break
 		    fi
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 3.9.7
+Shorewall 3.9.8
 ----------------------------------------------------------------------------
                   R E L E A S E  H I G H L I G H T S
 ----------------------------------------------------------------------------
@ -15,74 +15,45 @@ Shorewall 3.9.7
 You must install Shorewall and at least one of the compiler packages
 (you may install them both).
-Problems corrected in 3.9.7.
+Problems corrected in 3.9.8.
-1)  Several problems relating to exclusion in the hosts file have been
+1)  The commands "shorewall add/delete <interface> <zone>" no longer
-    corrected.
+    case lots of error messages to be issued.
-    Symptoms included:
+2)  A port list in a SOURCE PORT(S) column now works when the DEST
    PORT(S) list is empty.
-        Access to an undefined value at Rules.pm line 1656.
+3)  A run-time error no longer occurs when an IP address is specified
-	Incorrect rule generation.
+    in the GATEWAY column of /etc/shorewall/providers.
-2)  Specifying 'maclist' in the hosts file's OPTION column now works.
+Other changes in Shorewall 3.9.8.
-3)  A number of problems with handling the hosts file have been
+1)  The "shorewall show zones" command now flags zone members that have
-    corrected. These problems are characterized by Perl run-time
+    been added using "shorewall add" by preceding them with a plus sign
-    errors and incorrect rules, including:
+    ("+").
-    -   Not an ARRAY reference at
+    Example:
        /usr/share/shorewall-perl/Shorewall/Rules.pm line 1420.
-    -   -A eth0_fwd -s 192.168.0.0/24-m policy --dir in --pol ipsec -j 
+    Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
 	HASH(0x8345924)->n{name} 
-4)  A value of 'detect' in the GATEWAY column of the providers file no
+    fw (firewall)
-    longer generates an error during [re]start.
+    net (ipv4)
        eth0:0.0.0.0/0
    loc (ipv4)
 	br0:0.0.0.0/0
 	eth4:0.0.0.0/0
 	eth5:0.0.0.0/0
 	+eth1:0.0.0.0/0
    dmz (ipv4)
 	eth3:0.0.0.0/0
    vpn (ipv4)
 	tun+:0.0.0.0/0
-5)  The command 'shorewall check -p' resulted in an indefinite loop.
+    In the above output, "eth1:0.0.0.0/0" was dynamically added to the
-
+    'loc' zone. As part of this change, "shorewall delete" will only
-6)  A number of problems having to do with SECTIONs in the rules file
+    delete entries that have been added dynamically. In earlier
-    have been corrected.
+    versions, any entry could be deleted although the ruleset was only
-
+    changed by deleting entries that had been added dynamically.
 7)  The mss zone option now works correctly.
 8)  The LOGBURST and LOGLIMIT options in shorewall.conf now work
    correctly
 9)  Previously, COMMENT lines could result in invalid iptables-restore
    input being generated. The quote marks around the comment string 
    were being removed during iptables-restore input generation.
 Other changes in Shorewall 3.9.7.
 1)  Shorewall-perl now validates all IP addresses and addresses ranges
    in rules. DNS names are resolved and an error is issued for any
    name that cannot be resolved.
 2)  Shorewall-perl now checks configuration files for the presense of
    characters that can cause problems if they are allowed into the
    generated firewall script:
    -	Double Quotes. These are prohibited except in the
        shorewall.conf and params files.
    -	Single Quotes. These are prohibited except in the
        shorewall.conf and params files and in COMMENT lines.
    -   Single back quotes. These are prohibited except in the 
 	shorewall.conf and params files.
    -   Backslash. Probibited except as the last character on a line to
        denote line continuation.
 3)  Macros may now invoke other macros with the restriction that such
    macros may not be invoked within an action body.
    When marcros are invoked recursively, the parameter passed to an
    invocation are automatically propagated to lower level macros.
    Macro invocations may be nested to a maximum level of 5.
 Migration Considerations:
@ -458,6 +429,35 @@ Migration Considerations:
    bi-directional macro definitions which use these as names as key
    words.
 9)  Shorewall-perl now validates all IP addresses and addresses ranges
    in rules. DNS names are resolved and an error is issued for any
    name that cannot be resolved.
 10) Shorewall-perl now checks configuration files for the presense of
    characters that can cause problems if they are allowed into the
    generated firewall script:
    -	Double Quotes. These are prohibited except in the
        shorewall.conf and params files.
    -	Single Quotes. These are prohibited except in the
        shorewall.conf and params files and in COMMENT lines.
    -   Single back quotes. These are prohibited except in the 
 	shorewall.conf and params files.
    -   Backslash. Probibited except as the last character on a line to
        denote line continuation.
 11) Under Shorewall-perl, macros may now invoke other macros with the
    restriction that such macros may not be invoked within an action
    body.
    When marcros are invoked recursively, the parameter passed to an
    invocation are automatically propagated to lower level macros.
    Macro invocations may be nested to a maximum level of 5.
 ----------------------------------------------------------------------------
                      P R E R E Q U I S I T E S
 ----------------------------------------------------------------------------