More revert conflicts

Samples/one-interface/shorewall.conf

@@ -139,6 +139,8 @@ DELAYBLACKLISTLOAD=No
 
 MODULE_SUFFIX=
 
+DISABLE_IPV6=Yes
+
 BRIDGING=No
 
 DYNAMIC_ZONES=No

Samples/three-interfaces/shorewall.conf

@@ -139,6 +139,8 @@ DELAYBLACKLISTLOAD=No
 
 MODULE_SUFFIX=
 
+DISABLE_IPV6=Yes
+
 BRIDGING=No
 
 DYNAMIC_ZONES=No

Samples/two-interfaces/shorewall.conf

@@ -146,6 +146,8 @@ DELAYBLACKLISTLOAD=No
 
 MODULE_SUFFIX=
 
+DISABLE_IPV6=Yes
+
 BRIDGING=No
 
 DYNAMIC_ZONES=No

Shorewall/Perl/Shorewall/Compiler.pm

@@ -407,6 +407,9 @@ sub generate_script_3($) {
 		   '    rm -f ${VARDIR}/nat',
 		   "fi\n" );
 	}
+
+	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
+
     } else {
 	emit ( '#',
 	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',

Shorewall/Perl/Shorewall/Config.pm

@@ -188,7 +188,7 @@ our %config;
 #
 # Config options and global settings that are to be copied to object script
 #
-our @propagateconfig = qw/ MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
 our @propagateenv    = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
 #
 # From parsing the capabilities file or detecting capabilities
@@ -2306,8 +2306,7 @@ sub get_configuration( $ ) {
 
     default_yes_no 'ADMINISABSENTMINDED'        , '';
     default_yes_no 'BLACKLISTNEWONLY'           , '';
-
-    warning_message 'DISABLE_IPV6=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DISABLE_IPV6};
+    default_yes_no 'DISABLE_IPV6'               , '';
 
     unsupported_yes_no 'DYNAMIC_ZONES';
     unsupported_yes_no 'BRIDGING';

Shorewall/Perl/prog.functions

@@ -31,6 +31,14 @@ clear_firewall() {
 
     echo 1 > /proc/sys/net/ipv4/ip_forward
 
+    if [ -n "$DISABLE_IPV6" ]; then
+	if qt mywhich ip6tables; then
+	    ip6tables -P INPUT   ACCEPT 2> /dev/null
+	    ip6tables -P OUTPUT  ACCEPT 2> /dev/null
+	    ip6tables -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
     run_clear_exit
 
     set_state "Cleared"

Shorewall/Perl/prog.header

@@ -853,6 +853,28 @@ detect_gateway() # $1 = interface
     [ -n "$gateway" ] && echo $gateway
 }
 
+#
+# Disable IPV6
+#
+disable_ipv6() {
+    local foo
+    foo="$($IP -f inet6 addr list 2> /dev/null)"
+
+    if [ -n "$foo" ]; then
+	if qt mywhich ip6tables; then
+	    ip6tables -P FORWARD DROP
+	    ip6tables -P INPUT DROP
+	    ip6tables -P OUTPUT DROP
+	    ip6tables -F
+	    ip6tables -X
+	    ip6tables -A OUTPUT -o lo -j ACCEPT
+	    ip6tables -A INPUT -i lo -j ACCEPT
+	else
+	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
+	fi
+    fi
+}
+
 # Function to truncate a string -- It uses 'cut -b -<n>'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.

Shorewall/changelog.txt

@@ -1,8 +1,6 @@
 Changes in Shorewall 4.4.0-Beta4
 
-1)  Delete DISABLE_IPV6.
-
-2)  Add more macros.
+1)  Add more macros.
 
 Changes in Shorewall 4.4.0-Beta3
 

Shorewall/configfiles/shorewall.conf

@@ -137,6 +137,8 @@ DELAYBLACKLISTLOAD=No
 
 MODULE_SUFFIX=
 
+DISABLE_IPV6=Yes
+
 BRIDGING=No
 
 DYNAMIC_ZONES=No

Shorewall/releasenotes.txt

@@ -109,17 +109,33 @@ Shorewall 4.4.0 Beta 4
     As part of this change, the fallback.sh scripts are no longer
     released.
 
-9)  The DISABLE_IPV6 option has been removed from Shorewall.conf. If
-    you need to control IPV6 traffic, install Shorewall6.
-
 ----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0  Beta 4
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0  Beta 3
 ----------------------------------------------------------------------------
 
 1)  The BGP and OSFP macros released in Beta 3 contained rules to allow
     administrative access to the related routing daemons. Those rules
     have been deleted.
 
+2)  Previously, if Address Type Match was not available and an
+    interface on the firewall was (mis-)configured as shown below, then
+    REJECT policies in Shorewall-perl would drop packets addressed to
+    the interface rather than reject them.
+
+    3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 ...
+       inet 127.0.0.1/32 scope host venet0
+       inet 206.124.146.176/32 brd 206.124.146.176 ...
+
+    Note that a /32 should never be configured with a broadcast
+    address.
+
+3)  Due to a syntax ambiguity arising from the new dynamic zone
+    implementation, 'shorewall show dynamic' produced no output. It now
+    shows the contents of the dynamic blacklist as in earlier 
+    Shorewall releases.
+
+4)  The 'findgw' script produced an error if VERBOSITY > 0.
+
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
@@ -138,7 +154,7 @@ None.
  	 macro.RIPbi
 	 macro.mDNS
 
----------------------------------------------------------------------------
+----------------------------------------------------------------------------
                  N E W   F E A T U R E S   IN   4 . 4
 ----------------------------------------------------------------------------
 
@@ -767,16 +783,3 @@ None.
 26) A new extension script, 'lib.private' has been added. This file is
     intended to include declarations of shell functions that will be
     called by the other run-time extension scripts. 
-
-27) Three new macros have been contributed by Alex Wilms.
-
-    	  macro.BGP	
-	  macro.Citrix
-	  macro.OSPF
-	  macro.Razor
-
-28) The Shorewall compiler now checks for availability of the LOG
-    target if the configuration does any logging. This change involves
-    a new version of the capabilities file so users employing a
-    capabilties file should re-generate that file before trying to
-    start/restart Shorewall.