Snapshot 1.4.6_20030726

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@678 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,53 +1,8 @@
-Changes since 1.4.5
+Changes since 1.4.6
 
-1) Worked around RH7.3 "service" anomaly.
+1) Added Smart Blacklisting.
 
-2) Implemented 'newnotsyn' interface option.
+2) Move determine_capabilities call to do_initialize to ensure that
+   MANGLE_ENABLED is set before it is tested.
 
-3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES
-   behavior in that case.
-
-4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges.
-
-5) Allow Shorewall to add aliases to other than the first subnet on an
-   interface.
-
-6) Add support for load-balancing.
-
-7) Toned down the disclaimer for the 'check' command.
-
-8) Implemented support for the Connection Tracking Match extension in
-   iptables 1.2.8/Kernel 2.4.21.
-
-9) Removed the NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
-   parameters and replaced them with code that detects these
-   capabilities.
-
-10) Added the SHOREWALL_SHELL configuraiton parameter.
-
-11) Fixed capability reporting (thanks to Simon Matter).
-
-12) Correct the implementation of destination IP list in DNAT[-] rules.
-
-13) Check for shells whose arithmetic support is broken.
-
-14) Moved IP Address manipulation functions to
-    /usr/share/shorewall/functions.
-
-15. Added ipcalc command.
-
-16. Fixed handling of destination DNS names containing a "-"
-
-17. Make ip_range() smarter.
-
-18. Added /sbin/shorewall iprange command.
-
-19. Fixed handling of excluded zone processing in DNAT and REDIRECT
-    rules (re-added the protocol to the rule). Fixed parsing of exclude
-    zones.
-
-20. Display policy chain along with policy in 'check' command.
-
-21. Support Linux 2.6 compressed modules.
-
-22. Don't display DHCP message when there are no DHCP interface.
+3) Fixed MAC address handling in the SOURCE column of tcrules.

Shorewall/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=1.4.6
+VERSION=1.4.6-20030726
 
 usage() # $1 = exit status
 {

Shorewall/firewall

@@ -996,9 +996,9 @@ stop_firewall() {
     delete_proxy_arp
     [ -n "$CLEAR_TC" ] && delete_tc
 
-    setpolicy INPUT DROP
-    setpolicy OUTPUT DROP
-    setpolicy FORWARD DROP
+    for chain in INPUT OUTPUT FORWARD; do
+	setpolicy $chain DROP
+    done
 
     deleteallchains
 
@@ -1564,7 +1564,7 @@ process_tc_rule()
 		    r="-s $source "
 		    ;;
 		~*)
-		    r=`mac_match $source`
+		    r="`mac_match $source` "
 		    ;;
 		$FW)
 		    chain=tcout
@@ -3463,22 +3463,36 @@ initialize_netfilter () {
 
     echo $all_interfaces > $STATEDIR/interfaces
 
-    if [ -f /var/lib/shorewall/save ]; then
+    if [ -f /var/lib/shorewall/save -o -f /var/lib/shorewall/savedyn ]; then
 	echo "Restoring dynamic rules..."
+	
+	if [ -f /var/lib/shorewall/savedyn ]; then
+	    while read target ignore1 ignore2 address rest; do
+		case $target in
+		    DROP|reject)
+			chains=`dynamic_chains_by_address $address`
+		    
+			for chain in ${chains:-dynamic}; do
+			    run_iptables2 -I $chain -s $address -j $target
+			done
+			;;
+		    *)
+			;;
+		esac
+	    done < /var/lib/shorewall/savedyn
+	fi
 
-	while read target ignore1 ignore2 address rest; do
-	    case $target in
-	    DROP|reject)
-		chains=`dynamic_chains_by_address $address`
-
-		for chain in ${chains:-dynamic}; do
-		    run_iptables2 -I $chain -s $address -j $target
-		done
-		;;
-	    *)
-		;;
-	esac
-	done < /var/lib/shorewall/save
+	if [ -f /var/lib/shorewall/save ]; then
+	    while read target ignore1 ignore2 address rest; do
+		case $target in
+		    DROP|reject)
+			run_iptables2 -A dynamic -s $address -j $target
+			;;
+		    *)
+			;;
+		esac
+	    done < /var/lib/shorewall/save
+	fi
     fi
 
     echo "Creating Interface Chains..."

Shorewall/install.sh

@@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.4.6
+VERSION=1.4.6-20030726
 
 usage() # $1 = exit status
 {

Shorewall/releasenotes.txt

@@ -1,6 +1,13 @@
 This is a minor release of Shorewall.
 
-Problems Corrected:
+Problems Corrected since version 1.4.6:
+
+1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
+   being tested before it was set.
+
+2) Corrected handling of MAC addresses in the SOURCE column of the
+   tcrules file. Previously, these addresses resulted in an invalid
+   iptables command.
 
 None.
 
@@ -8,7 +15,11 @@ Migration Issues:
 
 1) Once you have installed this version of Shorewall, you must 
    restart Shorewall before you may use the 'drop', 'reject', 'allow'
-   or 'save' commands. 
+   or 'save' commands.
+
+2) To maintain strict compatibility with previous versions, current
+   uses of "shorewall drop" and "shorewall reject" should be replaced
+   with "shorewall dropall" and "shorewall rejectall". 
 
 New Features:
 
@@ -16,3 +27,8 @@ New Features:
    defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
    commands use the routing table to determine which of these chains is
    to be used for blacklisting the specified IP address(es).
+
+   Two new commands ('dropall' and 'rejectall') have been introduced
+   that do what 'drop' and 'reject' used to do; namely, when an address
+   is blacklisted using these new commands, it will be blacklisted on
+   all of your firewall's interfaces.

Shorewall/shorewall

@@ -535,14 +535,14 @@ load_all_interfaces() {
 #
 save_dynamic_blacklist() {
 
-    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
+    [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
 
     load_all_interfaces
 
-    > /var/lib/shorewall/save
+    > /var/lib/shorewall/savedyn
 
     for interface in $all_interfaces; do
-	if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/save; then
+	if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/savedyn; then
 	    echo "Error Saving the Dynamic Rules"
 	    return
 	fi

Shorewall/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.6
+%define version 1.4.6_20030726
 %define release 1
 %define prefix /usr
 
@@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
+- Changed version to 1.4.6_20030726-1
 * Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6-1
 * Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=1.4.6
+VERSION=1.4.6-20030726
 
 usage() # $1 = exit status
 {

Shorewall/zones

@@ -7,6 +7,11 @@
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR 
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.htm#Nested
+#
 #ZONE	DISPLAY		COMMENTS
 net	Net		Internet
 loc	Local		Local networks