extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-26 15:39:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Open 4.4.5

Browse Source
This commit is contained in:
Tom Eastep 2009-11-21 11:08:50 -08:00
parent bce4d51a18
commit ecf6a0ec4a
19 changed files with 169 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-lite/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall-lite/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
Shorewall-lite/shorewall-lite.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.4.4 %define version 4.4.5
%define release 0base %define release 0base
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -100,6 +100,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
* Fri Nov 13 2009 Tom Eastep tom@shorewall.net * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0base - Updated to 4.4.4-0base
* Fri Nov 13 2009 Tom Eastep tom@shorewall.net * Fri Nov 13 2009 Tom Eastep tom@shorewall.net

2
Shorewall-lite/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall/Perl/Shorewall/Config.pm
View File

@ -327,7 +327,7 @@ sub initialize( $ ) {
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.4", VERSION => "4.4.5",
CAPVERSION => 40402 , CAPVERSION => 40402 ,
); );

4
Shorewall/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in Shorewall 4.4.5
None.
Changes in Shorewall 4.4.4 Changes in Shorewall 4.4.4
1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf. 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.

2
Shorewall/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall/known_problems.txt
View File

@ -1 +1 @@
There are no known problems in Shorewall version 4.4.3 There are no known problems in Shorewall version 4.4.5

269
Shorewall/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 4.4.4 Shorewall 4.4.5
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 4 H I G H L I G H T S R E L E A S E 4 . 4 H I G H L I G H T S
@ -174,41 +174,10 @@ Shorewall 4.4.4
'notrack' for the provider. 'notrack' for the provider.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 P R O B L E M S C O R R E C T E D I N 4 . 4 . 5
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) In some simple one-interface configurations, the following Perl None.
run-time error messages were issued:
Generating Rule Matrix...
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Chains.pm line 649.
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Chains.pm line 649.
Creating iptables-restore input...
2) The Shorewall operations log (specified by STARTUP_LOG) is now
secured 0600.
3) Previously, the compiler generated an incorrect test for interface
availability in the generated code for adding route rules. The
result was that the rules were always added, regardless of the
state of the provider's interface. Now, the rules are only added
when the interface is available.
4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly
specified in /etc/shorewall/tcclasses, duplicate class numbers
result. A typical error message is:
ERROR: Command "tc class add dev eth3 parent 1:1 classid
1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500"
Failed
Note that the class ID of the class being added is a duplicate of
the parent's class ID.
Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of
/etc/shorewall/tcclasses were rejected.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G
@ -217,103 +186,10 @@ Shorewall 4.4.4
None. None.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 4 N E W F E A T U R E S I N 4 . 4 . 5
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) The Shorewall packages now include a logrotate configuration file. None.
2) The limit of 15 entries in a port list has been relaxed in
/etc/shorewall/routestopped.
3) The following seemingly valid configuration produces a fatal
error reporting "Duplicate interface name (p+)"
/etc/shorewall/zones:
#ZONE TYPE
fw firewall
world ipv4
z1:world bport4
z2:world bport4
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:p+
z2 br1:p+
This error occurs because the Shorewall implementation requires
that each bridge port must have a unique name.
To work around this problem, a new 'physical' interface option has
been created. The above configuration may be defined using the
following in /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:x+ - physical=p+
z2 br1:y+ - physical=p+
In this configuration, 'x+' is the logical name for ports p+ on
bridge br0 while 'y+' is the logical name for ports p+ on bridge
br1.
If you need to refer to a particular port on br1 (for example
p1023), you write it as y1023; Shorewall will translate that name
to p1023 when needed.
It is allowed to have a physical name ending in '+' with a logical
name that does not end with '+'. The reverse is not allowed; if the
logical name ends in '+' then the physical name must also end in
'+'.
This feature is not restricted to bridge ports. Beginning with this
release, the interface name in the INTERFACE column can be
considered a logical name for the interface, and the actual
interface name is specified using the 'physical' option. If no
'physical' option is present, then the physical name is assumed to
be the same as the logical name. As before, the logical interface
name is used throughout the rest of the configuration to refer to
the interface.
4) Previously, Shorewall has used the character '2' to form the name
of chains involving zones and/or the word 'all' (e.g., fw2net,
all2all). When zones names are given numeric suffixes, these
generated names are hard to read (e.g., foo1232bar). To make these
names clearer, a ZONE2ZONE option has been added.
ZONE2ZONE has a default value of "2" but can also be given the
value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
the two parts of the name with a hyphen (e.g., foo123-bar).
5) Only one instance of the following warning is now generated;
previously, one instance of a similar warning was generated for
each COMMENT encountered.
COMMENTs ignored -- require comment support in iptables/Netfilter
6) The shorewall and shorewall6 utilities now support a 'show
policies' command. Once Shorewall or Shorewall6 has been restarted
using a script generated by this version, the 'show policies'
command will list each pair of zones and give the applicable
policy. If the policy is enforced in a chain, the name of the chain
is given.
Example:
net => loc DROP using chain net2all
Note that implicit intrazone ACCEPT policies are not displayed for
zones associated with a single network where that network
doesn't specify 'routeback'.
7) The 'show' and 'dump' commands now support an '-l' option which
causes chain displays to include the rule number of each rule.
(Type 'iptables -h' and look for '--line-number')
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0 N E W F E A T U R E S I N 4 . 4 . 0
@ -1215,3 +1091,138 @@ None.
exceeding this limit are dropped. The default value is 127 which is exceeding this limit are dropped. The default value is 127 which is
the value that earlier versions of Shorewall used. The option is the value that earlier versions of Shorewall used. The option is
ignored with a warning if the 'pfifo' option has been specified. ignored with a warning if the 'pfifo' option has been specified.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 4
----------------------------------------------------------------------------
1) In some simple one-interface configurations, the following Perl
run-time error messages were issued:
Generating Rule Matrix...
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Chains.pm line 649.
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Chains.pm line 649.
Creating iptables-restore input...
2) The Shorewall operations log (specified by STARTUP_LOG) is now
secured 0600.
3) Previously, the compiler generated an incorrect test for interface
availability in the generated code for adding route rules. The
result was that the rules were always added, regardless of the
state of the provider's interface. Now, the rules are only added
when the interface is available.
4) When TC_WIDE_MARKS=Yes and class numbers are not explicitly
specified in /etc/shorewall/tcclasses, duplicate class numbers
result. A typical error message is:
ERROR: Command "tc class add dev eth3 parent 1:1 classid
1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500"
Failed
Note that the class ID of the class being added is a duplicate of
the parent's class ID.
Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of
/etc/shorewall/tcclasses were rejected.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 4
----------------------------------------------------------------------------
1) The Shorewall packages now include a logrotate configuration file.
2) The limit of 15 entries in a port list has been relaxed in
/etc/shorewall/routestopped.
3) The following seemingly valid configuration produces a fatal
error reporting "Duplicate interface name (p+)"
/etc/shorewall/zones:
#ZONE TYPE
fw firewall
world ipv4
z1:world bport4
z2:world bport4
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:p+
z2 br1:p+
This error occurs because the Shorewall implementation requires
that each bridge port must have a unique name.
To work around this problem, a new 'physical' interface option has
been created. The above configuration may be defined using the
following in /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:x+ - physical=p+
z2 br1:y+ - physical=p+
In this configuration, 'x+' is the logical name for ports p+ on
bridge br0 while 'y+' is the logical name for ports p+ on bridge
br1.
If you need to refer to a particular port on br1 (for example
p1023), you write it as y1023; Shorewall will translate that name
to p1023 when needed.
It is allowed to have a physical name ending in '+' with a logical
name that does not end with '+'. The reverse is not allowed; if the
logical name ends in '+' then the physical name must also end in
'+'.
This feature is not restricted to bridge ports. Beginning with this
release, the interface name in the INTERFACE column can be
considered a logical name for the interface, and the actual
interface name is specified using the 'physical' option. If no
'physical' option is present, then the physical name is assumed to
be the same as the logical name. As before, the logical interface
name is used throughout the rest of the configuration to refer to
the interface.
4) Previously, Shorewall has used the character '2' to form the name
of chains involving zones and/or the word 'all' (e.g., fw2net,
all2all). When zones names are given numeric suffixes, these
generated names are hard to read (e.g., foo1232bar). To make these
names clearer, a ZONE2ZONE option has been added.
ZONE2ZONE has a default value of "2" but can also be given the
value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
the two parts of the name with a hyphen (e.g., foo123-bar).
5) Only one instance of the following warning is now generated;
previously, one instance of a similar warning was generated for
each COMMENT encountered.
COMMENTs ignored -- require comment support in iptables/Netfilter
6) The shorewall and shorewall6 utilities now support a 'show
policies' command. Once Shorewall or Shorewall6 has been restarted
using a script generated by this version, the 'show policies'
command will list each pair of zones and give the applicable
policy. If the policy is enforced in a chain, the name of the chain
is given.
Example:
net => loc DROP using chain net2all
Note that implicit intrazone ACCEPT policies are not displayed for
zones associated with a single network where that network
doesn't specify 'routeback'.
7) The 'show' and 'dump' commands now support an '-l' option which
causes chain displays to include the rule number of each rule.
(Type 'iptables -h' and look for '--line-number')

4
Shorewall/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 4.4.4 %define version 4.4.5
%define release 0base %define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -106,6 +106,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog %changelog
* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
* Fri Nov 13 2009 Tom Eastep tom@shorewall.net * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0base - Updated to 4.4.4-0base
* Fri Nov 13 2009 Tom Eastep tom@shorewall.net * Fri Nov 13 2009 Tom Eastep tom@shorewall.net

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall6-lite/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall6-lite/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
Shorewall6-lite/shorewall6-lite.spec
View File

@ -1,5 +1,5 @@
%define name shorewall6-lite %define name shorewall6-lite
%define version 4.4.4 %define version 4.4.5
%define release 0base %define release 0base
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@ -91,6 +91,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
* Fri Nov 13 2009 Tom Eastep tom@shorewall.net * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0base - Updated to 4.4.4-0base
* Fri Nov 13 2009 Tom Eastep tom@shorewall.net * Fri Nov 13 2009 Tom Eastep tom@shorewall.net

2
Shorewall6-lite/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall6/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

2
Shorewall6/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

4
Shorewall6/shorewall6.spec
View File

@ -1,5 +1,5 @@
%define name shorewall6 %define name shorewall6
%define version 4.4.4 %define version 4.4.5
%define release 0base %define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@ -95,6 +95,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog %changelog
* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
* Fri Nov 13 2009 Tom Eastep tom@shorewall.net * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0base - Updated to 4.4.4-0base
* Fri Nov 13 2009 Tom Eastep tom@shorewall.net * Fri Nov 13 2009 Tom Eastep tom@shorewall.net

2
Shorewall6/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.4 VERSION=4.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {