Periodic elimination of trailing white space

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-09-27 11:16:18 -07:00
parent f33912d5f7
commit f7eb3c3d8c
25 changed files with 113 additions and 113 deletions


@ -224,7 +224,7 @@ while : ; do
# One of the interfaces changed state -- restart Shorewall
#
echo $if1_state > $VARDIR/${IF1}.status
echo $if2_state > $VARDIR/${IF2}.status
echo $if2_state > $VARDIR/${IF2}.status
eval $COMMAND
state_changed=
fi


@ -32,7 +32,7 @@
### BEGIN INIT INFO
# Provides: swping
# Required-Start: shorewall
# Should-Start:
# Should-Start:
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
@ -87,7 +87,7 @@ case "$command" in
echo "swping is running"
exit 0
else
echo "swping is stopped"
echo "swping is stopped"
exit 3
fi
;;


@ -5,7 +5,7 @@
#
# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
#
# If you are running BitTorrent 3.2 or later, you should use the
# If you are running BitTorrent 3.2 or later, you should use the
# BitTorrent32 macro.
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/


@ -15,7 +15,7 @@
# Example for a two-interface firewall which acts as a print
# server for loc:
# IPPserver/ACCEPT loc $FW
#
#
# NOTE: If you want both to serve requests for local printers and
# listen to requests for remote printers (i.e. your CUPS server is
# also a client), you need to apply the rule twice, e.g.


@ -304,9 +304,9 @@
# #removed from Netfilter in kernel
# #version 2.6.14).
#
# MARK Specifies a MARK value to match. Must be empty or
# MARK Specifies a MARK value to match. Must be empty or
# '-' if the macro is to be used within an action.
#
#
# [!]value[/mask][:C]
#
# Defines a test on the existing packet or connection
@ -341,7 +341,7 @@
# [!]limit[:mask]
#
# May be used to limit the number of simultaneous
# connections from each individual host to limit
# connections from each individual host to limit
# connections. Requires connlimit match in your kernel
# and iptables. While the limit is only checked on rules
# specifying CONNLIMIT, the number of current connections


@ -98,7 +98,7 @@ sub process_accounting_rule( ) {
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
my $rule2 = 0;
my $jump = 0;
unless ( $action eq 'COUNT' ) {
if ( $action eq 'DONE' ) {
$target = 'RETURN';
@ -166,7 +166,7 @@ sub process_accounting_rule( ) {
fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
}
} else {
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
$chainref->{ipsec} = $dir;
}
} elsif ( $ipsec ne '-' ) {


@ -195,7 +195,7 @@ sub split_action ( $ ) {
$action = $2 ? $3 : '';
$max = 2;
}
my @a = split( /:/ , $action, 4 );
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
$target = shift @a unless $target;


@ -628,7 +628,7 @@ sub delete_reference( $$ ) {
#
# In the first function, the rule number is zero-relative. In the second function,
# the rule number is one-relative. In the first function, if the rule number is < 0, then
# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
# inserted at the front of the chain and the chain's 'blacklist' member incremented.
#
sub insert_rule1($$$)
@ -733,7 +733,7 @@ sub move_rules( $$ ) {
for ( @{$chain1->{rules}} ) {
adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/;
}
if ( $debug ) {
my $rule = $blacklist;
trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
@ -754,7 +754,7 @@ sub move_rules( $$ ) {
} else {
shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
}
delete_chain $chain1;
$count;
@ -789,7 +789,7 @@ sub copy_rules( $$ ) {
# Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
#
my $rule = shift @rules1;
$rule =~ / -j ([^\s])/;
my $chainb = $1;
@ -814,7 +814,7 @@ sub copy_rules( $$ ) {
trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
unshift @$rules2, shift @rules1;
$chain1->{blacklist} = 0;
$chain2->{blacklist} = 1;
}
@ -823,7 +823,7 @@ sub copy_rules( $$ ) {
my $rule = @$rules2;
trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
}
push @$rules2, @rules1;
progress_message " $count rules from $chain1->{name} appended to $chain2->{name}";
@ -1078,10 +1078,10 @@ sub find_chain($$) {
my ($table, $chain) = @_;
assert( $table && $chain && $chain_table{$table} );
$chain_table{$table}{$chain};
}
#
# Create a chain if it doesn't exist already
#
@ -2787,11 +2787,11 @@ sub do_ipsec($$) {
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
my @options = split_list $ipsec, 'IPSEC options';
if ( @options == 1 ) {
if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
return do_ipsec_options $dir, 'ipsec', '';
}
}
if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
return do_ipsec_options $dir, 'none', '';
@ -2912,7 +2912,7 @@ sub mysplit( $ ) {
fatal_error "Missing ']' ($element)" unless @input;
$element .= ( ',' . shift @input );
}
fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
}
@ -3644,14 +3644,14 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# Log rule
#
log_rule_limit( $loglevel ,
$echainref ,
$chain,
log_rule_limit( $loglevel ,
$echainref ,
$chain,
$disposition eq 'reject' ? 'REJECT' : $disposition ,
'' ,
$logtag ,
'' ,
$logtag ,
'add' ,
'' )
'' )
if $loglevel;
#
# Generate Final Rule
@ -3764,14 +3764,14 @@ sub promote_blacklist_rules() {
# Copy 'blacklst''s references since they will change in the following loop
#
my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
for my $chain1ref ( @references ) {
assert( $chain1ref->{blacklist} == 1 );
my $copied = 0;
my $rule = $chain1ref->{rules}[0];
my $chain1 = $chain1ref->{name};
for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
unless ( $chain2ref->{builtin} ) {
#
@ -3984,7 +3984,7 @@ sub load_ipsets() {
' fi' ,
' fi' ,
);
if ( @ipsets ) {
emit '';


@ -445,7 +445,7 @@ EOF
my $config_dir = $globals{CONFIGDIR};
emit<<"EOF";
set_state Started $config_dir
set_state Started $config_dir
run_restored_exit
else
if [ \$COMMAND = refresh ]; then


@ -1841,7 +1841,7 @@ sub read_a_line(;$) {
embedded_perl( $1 );
next;
}
}
}
my $count = 0;
#
@ -2928,12 +2928,12 @@ sub get_configuration( $ ) {
if ( $units && $units ne 'sec' ) {
my $expire = 60000; # 1 minute in milliseconds
if ( $units ne 'min' ) {
$expire *= 60; #At least an hour
$expire *= 24 if $units eq 'day';
}
$limit .= "--hashlimit-htable-expire $expire ";
}
} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {


@ -189,7 +189,7 @@ sub validate_4net( $$ ) {
if ( $1 ) {
fatal_error "An ipset list ($net) is not allowed in this context";
} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
fatal_error "An ipset name ($net) is not allowed in this context";
fatal_error "An ipset name ($net) is not allowed in this context";
} else {
fatal_error "Invalid ipset name ($net)";
}
@ -306,7 +306,7 @@ sub resolve_proto( $ ) {
# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
#
$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
}
}
@ -553,7 +553,7 @@ sub validate_6net( $$ ) {
if ( $1 ) {
fatal_error "An ipset list ($net) is not allowed in this context";
} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
fatal_error "An ipset name ($net) is not allowed in this context";
fatal_error "An ipset name ($net) is not allowed in this context";
} else {
fatal_error "Invalid ipset name ($net)";
}


@ -341,7 +341,7 @@ sub validate_policy()
add_or_modify_policy_chain( $zone, $zone1 );
add_or_modify_policy_chain( $zone1, $zone );
}
}
}
}
}
@ -496,13 +496,13 @@ sub setup_syn_flood_chains() {
my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit( $level ,
$synchainref ,
$chainref->{name} ,
'DROP',
$globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
'' ,
'add' ,
log_rule_limit( $level ,
$synchainref ,
$chainref->{name} ,
'DROP',
$globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
'' ,
'add' ,
'' )
if $level ne '';
add_rule $synchainref, '-j DROP';


@ -849,7 +849,7 @@ sub handle_optional_interfaces( $ ) {
if ( @$interfaces ) {
my $require = $config{REQUIRE_INTERFACE};
verify_required_interfaces( shift );
emit( 'HAVE_INTERFACE=', '' ) if $require;
@ -860,9 +860,9 @@ sub handle_optional_interfaces( $ ) {
if ( $wildcards ) {
#
# We must consider all interfaces with an address in $family -- generate a list of such addresses.
# We must consider all interfaces with an address in $family -- generate a list of such addresses.
#
emit( '',
emit( '',
'for interface in $(find_all_interfaces1); do',
);
@ -904,10 +904,10 @@ sub handle_optional_interfaces( $ ) {
if ( $wildcards ) {
emit( "$case)" );
push_indent;
if ( $wild ) {
emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
push_indent;
push_indent;
emit ( 'if interface_is_usable $interface; then' );
} else {
emit ( "if interface_is_usable $physical; then" );


@ -1064,7 +1064,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$action = "NFQUEUE --queue-num $paramval";
} elsif ( $actiontype & SET ) {
require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
fatal_error "$action rules require a set name parameter" unless $param;
fatal_error "$action rules require a set name parameter" unless $param;
} else {
fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
}
@ -1531,7 +1531,7 @@ sub process_section ($) {
@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
}
$section = $sect;
}
@ -1698,13 +1698,13 @@ sub generate_dest_rules( $$$$ ) {
if ( $type2 == VSERVER ) {
for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
for my $net ( @{$hostref->{hosts}} ) {
add_jump( $chainref,
add_jump( $chainref,
$exclusion ,
0,
join('', $match, match_dest_net( $net ) ) )
join('', $match, match_dest_net( $net ) ) )
}
}
} else {
@ -1718,7 +1718,7 @@ sub generate_dest_rules( $$$$ ) {
sub generate_source_rules( $$$$ ) {
my ( $outchainref, $z1, $z2, $match ) = @_;
my $chain = rules_target ( $z1, $z2 );
if ( $chain ) {
#
# Not a CONTINUE policy with no rules
@ -1726,16 +1726,16 @@ sub generate_source_rules( $$$$ ) {
for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
my $ipsec_match = match_ipsec_in $z1 , $hostref;
my $exclusion = source_exclusion( $hostref->{exclusions}, $chain);
for my $net ( @{$hostref->{hosts}} ) {
generate_dest_rules( $outchainref,
$exclusion,
$z2,
$z2,
join('', match_source_net( $net ), $match , $ipsec_match )
);
}
}
}
}
}
}
#
@ -1780,11 +1780,11 @@ sub handle_loopback_traffic() {
for my $typeref ( values %{$source_hosts_ref} ) {
for my $hostref ( @{$typeref->{'%vserver%'}} ) {
my $exclusion = source_exclusion( $hostref->{exclusions}, $natref);
for my $net ( @{$hostref->{hosts}} ) {
add_jump( $natout, $exclusion, 0, match_source_net( $net ), 0, $rulenum++ );
}
}
}
}
}
}
@ -1873,7 +1873,7 @@ sub generate_matrix() {
if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst};
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
if ( $simple ) {
#
# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
@ -1881,7 +1881,7 @@ sub generate_matrix() {
for my $zone1 ( @zones ) {
my $ruleschain = rules_chain( $zone, $zone1 );
my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
}
@ -1899,12 +1899,12 @@ sub generate_matrix() {
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
}
}
}
}
next if $simple;
#
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
#
@ -2028,7 +2028,7 @@ sub generate_matrix() {
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
my $exclusions = $hostref->{exclusions};
for my $net ( @{$hostref->{hosts}} ) {
my $dest = match_dest_net $net;


@ -297,7 +297,7 @@ sub process_tc_rule( ) {
}
$restriction = DESTIFACE_DISALLOW;
ensure_mangle_chain($target);
$sticky++;
@ -1462,7 +1462,7 @@ sub process_secmark_rule() {
O => 'tcout' , );
my %state = ( N => 'NEW' ,
E => 'ESTABLISHED' ,
E => 'ESTABLISHED' ,
ER => 'ESTABLISHED,RELATED' );
my ( $chain , $state, $rest) = split ':', $chainin , 3;
@ -1470,7 +1470,7 @@ sub process_secmark_rule() {
fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
my $chain1= $chns{$chain};
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
@ -1488,22 +1488,22 @@ sub process_secmark_rule() {
$disposition =~ s/ .*//;
expand_rule( ensure_mangle_chain( $chain1 ) ,
expand_rule( ensure_mangle_chain( $chain1 ) ,
$restrictions{$chain1} ,
$state .
do_proto( $proto, $dport, $sport ) .
do_user( $user ) .
do_test( $mark, $globals{TC_MASK} ) ,
$source ,
$dest ,
'' ,
$target ,
'' ,
$source ,
$dest ,
'' ,
$target ,
'' ,
$disposition,
'' );
progress_message "Secmarks rule \"$currentline\" $done";
}
#
@ -1622,7 +1622,7 @@ sub setup_tc() {
first_entry "$doing $fn...";
process_secmark_rule while read_a_line;
clear_comment;
}


@ -160,7 +160,7 @@ our %reservedName = ( all => 1,
# }
#
# The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
# the same order as the interfaces are encountered in the configuration files.
# the same order as the interfaces are encountered in the configuration files.
#
our @interfaces;
our %interfaces;
@ -804,7 +804,7 @@ sub chain_base($) {
#
return $name if $name;
#
# Remember initial value
# Remember initial value
#
my $key = $chain;
#
@ -882,7 +882,7 @@ sub process_interface( $$ ) {
} else {
$zoneref->{bridge} = $interface;
}
fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
}
@ -950,7 +950,7 @@ sub process_interface( $$ ) {
if ( $zone ) {
fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
} else {
} else {
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
}
@ -1178,7 +1178,7 @@ sub map_physical( $$ ) {
#
# Returns true if passed interface matches an entry in /etc/shorewall/interfaces
#
# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in
# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in
# %interfaces.
#
sub known_interface($;$)
@ -1195,7 +1195,7 @@ sub known_interface($;$)
my $root = $interfaceref->{root};
if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
my $physical = map_physical( $interface, $interfaceref );
my $copyref = { options => $interfaceref->{options},
bridge => $interfaceref->{bridge} ,
name => $i ,
@ -1392,7 +1392,7 @@ sub verify_required_interfaces( $ ) {
my $wait = $interfaces{$interface}{options}{wait};
emit q() unless $first-- > 0;
if ( $wait ) {
my $physical = get_physical $interface;
@ -1431,7 +1431,7 @@ sub verify_required_interfaces( $ ) {
}
emit( ";;\n" );
pop_indent;
pop_indent;
@ -1697,7 +1697,7 @@ sub process_host( ) {
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
}
}
}
my $optionsref = { dynamic => 0 };
@ -1723,7 +1723,7 @@ sub process_host( ) {
}
}
fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
$optionsref = \%options;
}


@ -22,11 +22,11 @@ checkkernelversion() {
local kernel
kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
if [ $kernel -lt 20624 ]; then
error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
return 1
else
else
return 0
fi
}
@ -296,7 +296,7 @@ case "$COMMAND" in
echo "$g_product is stopped"
status=4
fi
if [ -f ${VARDIR}/state ]; then
state="$(cat ${VARDIR}/state)"
case $state in


@ -509,7 +509,7 @@ undo_routing() {
#
restore_default_route() {
local result
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route
default_route=


@ -497,7 +497,7 @@ undo_routing() {
#
restore_default_route() {
local result
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route
default_route=


@ -3,11 +3,11 @@
#
# /etc/shorewall/findgw
#
# The code in this file is executed when Shorewall is trying to detect the
# The code in this file is executed when Shorewall is trying to detect the
# gateway through an interface in /etc/shorewall/providers that has GATEWAY
# specified as 'detect'.
#
# The function should echo the IP address of the gateway if it knows what
# The function should echo the IP address of the gateway if it knows what
# it is; the name of the interface is in $1.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional


@ -4,7 +4,7 @@
# /etc/shorewall/restored
#
# Add commands below that you want to be executed after shorewall has
# completed a 'restore' command.
# completed a 'restore' command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.


@ -10,4 +10,4 @@


@ -562,7 +562,7 @@ show_command() {
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then


@ -514,7 +514,7 @@ find_file()
#
# Set the Shorewall state
#
set_state () # $1 = state $2
set_state () # $1 = state $2
{
if [ $# -gt 1 ]; then
echo "$1 ($(date)) from $2" > ${VARDIR}/state


@ -31,7 +31,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
...
Shorewall configuration compiled to /var/lib/shorewall6/.start
ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
/usr/share/shorewall6/lib.common: line 73:
/usr/share/shorewall6/lib.common: line 73:
[: -lt: unary operator expected
ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
[root@localhost shorewall6]#
@ -345,18 +345,18 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
defined as optional in the interfaces file.
o If there were no references matching the wildcard, then the
'optional' option was effectively ignored.
'optional' option was effectively ignored.
The new implementation:
- Insures valid shell variable names.
- Insures that shell variable names are unique.
- Handles interface names appearing in the INTERFACE column of the
providers file as a special case for 'optional'. If the name
matches a wildcard entry in the interfaces file then the
usability of the specific interface is tracked individually.
usability of the specific interface is tracked individually.
- Handles the availabilty of other interfaces matching a wildcard
as a group; if there is one useable interface in the group then
@ -392,7 +392,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
state match rather than conntrack match for UNTRACKED state
matching.
12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
did not clear the raw table.
13) An error message was incorrectly generated if a port range of the
@ -429,7 +429,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
The 'all' and 'any' keywords now support exclusion in the form of a
comma-separated list of excluded zones.
Examples:
Examples:
all!fw (same as all-).
any+!dmz,loc (All zones except 'dmz' and 'loc' and
@ -554,7 +554,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
fatal compilation error in REDIRECT rules.
4) A number of problems associated with Shorewall-init and Upstart
have been corrected.
have been corrected.
If you use Shorewall-init, then when upgrading to this version, be
sure to recompile all firewall scripts before you take interfaces
@ -564,7 +564,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/usr/share/shorewall/configfiles/Makefile and rather issued the
following message:
install-file: command not found
install-file: command not found
This caused the Makefile to be omitted from RPMs as well.
@ -592,7 +592,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
2) Per-ip log rate limiting has been added in the form of the LOGLIMIT
option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
LOGBURST are ignored.
LOGBURST are ignored.
LOGRATE and LOGBURST are now deprecated.
@ -675,7 +675,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Shorewall is running
State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
gateway:/etc/shorewall#
gateway:/etc/shorewall#
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
@ -708,7 +708,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
shorewall.conf and shorewall6.conf. It has been added.
6) Under some versions of Perl, a Perl run-time diagnostic was produced
when options were omitted from shorewall.conf or shorewall6.conf.
when options were omitted from shorewall.conf or shorewall6.conf.
7) If the following options were specified in /etc/shorewall/interfaces
for an interface with '-' in the ZONE column, then these options
@ -729,7 +729,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
9) Previously, if nets= was specified under Shorewall6, this error
would result:
ERROR: Invalid IPv6 address (224.0.0.0) :
ERROR: Invalid IPv6 address (224.0.0.0) :
/etc/shorewall6/interfaces (line 16)
----------------------------------------------------------------------------
@ -744,7 +744,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
See http://www.shorewall.net/Vserver.html for details.
2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
and shorewall6.conf.
and shorewall6.conf.
Traditionally, Shorewall has cleared the packet mark in the first
rule in the mangle FORWARD chain. This behavior is maintained with