Snapshot 1.4.6_20030726

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@678 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-05-18 23:20:53 +02:00 · 2003-07-26 16:44:38 +00:00 · 2003-07-26 16:44:38 +00:00 · f7ea7cdd41
commit f7ea7cdd41
parent f8eb44095b
9 changed files with 69 additions and 77 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,53 +1,8 @@
-Changes since 1.4.5
+Changes since 1.4.6
-1) Worked around RH7.3 "service" anomaly.
+1) Added Smart Blacklisting.
-2) Implemented 'newnotsyn' interface option.
+2) Move determine_capabilities call to do_initialize to ensure that
   MANGLE_ENABLED is set before it is tested.
-3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES
+3) Fixed MAC address handling in the SOURCE column of tcrules.
   behavior in that case.
 4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges.
 5) Allow Shorewall to add aliases to other than the first subnet on an
   interface.
 6) Add support for load-balancing.
 7) Toned down the disclaimer for the 'check' command.
 8) Implemented support for the Connection Tracking Match extension in
   iptables 1.2.8/Kernel 2.4.21.
 9) Removed the NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
   parameters and replaced them with code that detects these
   capabilities.
 10) Added the SHOREWALL_SHELL configuraiton parameter.
 11) Fixed capability reporting (thanks to Simon Matter).
 12) Correct the implementation of destination IP list in DNAT[-] rules.
 13) Check for shells whose arithmetic support is broken.
 14) Moved IP Address manipulation functions to
    /usr/share/shorewall/functions.
 15. Added ipcalc command.
 16. Fixed handling of destination DNS names containing a "-"
 17. Make ip_range() smarter.
 18. Added /sbin/shorewall iprange command.
 19. Fixed handling of excluded zone processing in DNAT and REDIRECT
    rules (re-added the protocol to the rule). Fixed parsing of exclude
    zones.
 20. Display policy chain along with policy in 'check' command.
 21. Support Linux 2.6 compressed modules.
 22. Don't display DHCP message when there are no DHCP interface.
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=1.4.6
+VERSION=1.4.6-20030726
 usage() # $1 = exit status
 {
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -996,9 +996,9 @@ stop_firewall() {
    delete_proxy_arp
    [ -n "$CLEAR_TC" ] && delete_tc
-    setpolicy INPUT DROP
+    for chain in INPUT OUTPUT FORWARD; do
-    setpolicy OUTPUT DROP
+	setpolicy $chain DROP
-    setpolicy FORWARD DROP
+    done
    deleteallchains
@ -1564,7 +1564,7 @@ process_tc_rule()
 		    r="-s $source "
 		    ;;
 		~*)
-		    r=`mac_match $source`
+		    r="`mac_match $source` "
 		    ;;
 		$FW)
 		    chain=tcout
@ -3463,22 +3463,36 @@ initialize_netfilter () {
    echo $all_interfaces > $STATEDIR/interfaces
-    if [ -f /var/lib/shorewall/save ]; then
+    if [ -f /var/lib/shorewall/save -o -f /var/lib/shorewall/savedyn ]; then
 	echo "Restoring dynamic rules..."
 	if [ -f /var/lib/shorewall/savedyn ]; then
 	    while read target ignore1 ignore2 address rest; do
 		case $target in
 		    DROP|reject)
 			chains=`dynamic_chains_by_address $address`
 			for chain in ${chains:-dynamic}; do
 			    run_iptables2 -I $chain -s $address -j $target
 			done
 			;;
 		    *)
 			;;
 		esac
 	    done < /var/lib/shorewall/savedyn
 	fi
-	while read target ignore1 ignore2 address rest; do
+	if [ -f /var/lib/shorewall/save ]; then
-	    case $target in
+	    while read target ignore1 ignore2 address rest; do
-	    DROP|reject)
+		case $target in
-		chains=`dynamic_chains_by_address $address`
+		    DROP|reject)
-
+			run_iptables2 -A dynamic -s $address -j $target
-		for chain in ${chains:-dynamic}; do
+			;;
-		    run_iptables2 -I $chain -s $address -j $target
+		    *)
-		done
+			;;
-		;;
+		esac
-	    *)
+	    done < /var/lib/shorewall/save
-		;;
+	fi
 	esac
 	done < /var/lib/shorewall/save
    fi
    echo "Creating Interface Chains..."
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
-VERSION=1.4.6
+VERSION=1.4.6-20030726
 usage() # $1 = exit status
 {
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,6 +1,13 @@
 This is a minor release of Shorewall.
-Problems Corrected:
+Problems Corrected since version 1.4.6:
 1) Corrected problem in 1.4.6 where the MANGLE_ENABLED variable was
   being tested before it was set.
 2) Corrected handling of MAC addresses in the SOURCE column of the
   tcrules file. Previously, these addresses resulted in an invalid
   iptables command.
 None.
@ -8,7 +15,11 @@ Migration Issues:
 1) Once you have installed this version of Shorewall, you must 
   restart Shorewall before you may use the 'drop', 'reject', 'allow'
-   or 'save' commands. 
+   or 'save' commands.
 2) To maintain strict compatibility with previous versions, current
   uses of "shorewall drop" and "shorewall reject" should be replaced
   with "shorewall dropall" and "shorewall rejectall". 
 New Features:
@ -16,3 +27,8 @@ New Features:
   defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
   commands use the routing table to determine which of these chains is
   to be used for blacklisting the specified IP address(es).
   Two new commands ('dropall' and 'rejectall') have been introduced
   that do what 'drop' and 'reject' used to do; namely, when an address
   is blacklisted using these new commands, it will be blacklisted on
   all of your firewall's interfaces.
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -535,14 +535,14 @@ load_all_interfaces() {
 #
 save_dynamic_blacklist() {
-    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
+    [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
    load_all_interfaces
-    > /var/lib/shorewall/save
+    > /var/lib/shorewall/savedyn
    for interface in $all_interfaces; do
-	if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/save; then
+	if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/savedyn; then
 	    echo "Error Saving the Dynamic Rules"
 	    return
 	fi
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 1.4.6
+%define version 1.4.6_20030726
 %define release 1
 %define prefix /usr
@ -105,6 +105,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Sat Jul 26 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6_20030726-1
 * Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.6-1
 * Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.6
+VERSION=1.4.6-20030726
 usage() # $1 = exit status
 {
--- a/Shorewall/zones
+++ b/Shorewall/zones
@ -7,6 +7,11 @@
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
 # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR 
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
 #
 #ZONE	DISPLAY		COMMENTS
 net	Net		Internet
 loc	Local		Local networks