Commit Graph

1946 Commits

Author SHA1 Message Date
Tom Eastep
288c7b06dc Place sfilter jumps in the option chains
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-31 14:47:36 -08:00
Tom Eastep
4b8fb130ba Update copyright dates.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-31 14:15:25 -08:00
Tom Eastep
c2293f3d64 Eliminate the $blrules global in Shorewall::Rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-31 13:16:04 -08:00
Tom Eastep
d6bac484dc Allow the timeout to be specified in that 'safe' commands.
Also, allow a suffix (s, m or h) in the <timeout> paramater to the 'try' command.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-31 09:40:36 -08:00
Tom Eastep
64d3ac036b Disable BLACKLIST section 2011-12-30 20:25:54 -08:00
Tom Eastep
28f27c65aa Use SHA1 to shorten digests.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-30 14:58:49 -08:00
Tom Eastep
4d9a43a4dd Delete some 'dont_move' flags
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-30 11:31:08 -08:00
Tom Eastep
1d9a4c58e9 Cosmetic change with comments.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-30 10:59:23 -08:00
Tom Eastep
6f61293b08 Reduce the size of many configs by not copying long chains multiple times.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-30 10:27:58 -08:00
Tom Eastep
b63c7e0016 A bit of optimization in add_interface_options()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-30 08:08:28 -08:00
Tom Eastep
6bed5e5e55 Merge branch '4.4.27'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-30 07:28:14 -08:00
Tom Eastep
5b2f960db3 Disallow :P in CLASSIFY rules and complain if :F is used when the SOURCE or DEST is $FW.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-30 07:22:14 -08:00
Tom Eastep
1da7f52ed5 Copy output interface options rather than jump
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-29 18:49:47 -08:00
Tom Eastep
39f214208a Fix silly bug in the new option chain implementation
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-29 17:57:39 -08:00
Tom Eastep
6926bcdbb9 More refinements of the option chain stuff.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-29 14:52:07 -08:00
Tom Eastep
f9960a0c94 Restore blacklst and blackout chains
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-29 13:45:35 -08:00
Tom Eastep
2c441b5393 Copy option rules into interface chains if no blacklist
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-29 09:32:16 -08:00
Tom Eastep
bddfb4f41c Add output option chains
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-29 08:22:00 -08:00
Tom Eastep
03610181fd Disallow :P in CLASSIFY rules and complain if :F is used when the SOURCE or DEST is $FW.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-29 07:49:53 -08:00
Tom Eastep
3ca9577f04 Cruft removal
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-28 16:22:11 -08:00
Tom Eastep
8cdc83638e Don't allow PREROUTING CLASSIFY rules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-28 14:07:12 -08:00
Tom Eastep
a98c85cbc4 Make 'audit' work on a converted blacklist file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-28 10:30:24 -08:00
Tom Eastep
eda918215d Option chain phase II implementation
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-28 10:29:15 -08:00
Tom Eastep
0518def9cf Merge branch '4.4.27' 2011-12-28 09:58:19 -08:00
Tom Eastep
09f58512be Make 'audit' work on a converted blacklist file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-28 09:34:34 -08:00
Tom Eastep
eff447ac11 Phase one option chain implementation.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-27 18:12:58 -08:00
Tom Eastep
ea9c59a297 Add an interface filter chain for each interface.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-27 13:52:44 -08:00
Tom Eastep
49eb84b9e2 Remove more helper/proto silliness
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-27 13:06:37 -08:00
Tom Eastep
8a8214704e Centralize checking for required proto with helper
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-27 13:04:19 -08:00
Tom Eastep
aa743f2886 Merge branch '4.4.27' 2011-12-27 13:02:08 -08:00
Tom Eastep
c5868ef6e4 Revert "Remove redundant check."
This reverts commit 53dd13cf15.
2011-12-27 13:01:27 -08:00
Tom Eastep
7721644209 Merge branch '4.4.27' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.27
Conflicts:
	Shorewall/Perl/Shorewall/Chains.pm
	Shorewall/Perl/Shorewall/Raw.pm
2011-12-27 12:32:13 -08:00
Tom Eastep
1c2ab238a5 Merge branch '4.4.27' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.27
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-26 13:22:30 -08:00
Tom Eastep
3541767881 Don't croak when adding gateway route fails for IPv6.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-26 11:58:06 -08:00
Tom Eastep
53dd13cf15 Remove redundant check.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-26 11:57:34 -08:00
Tom Eastep
5520a6d31d Validate helper<->protocol
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-24 09:24:01 -08:00
Tom Eastep
be4cb9d26a Validate helper<->protocol
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-23 17:55:13 -08:00
Tom Eastep
97354c8ce8 Detect CT_TARGET when LOAD_HELPERS_ONLY=No
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-23 11:59:51 -08:00
Tom Eastep
0e3ad6ff91 Omit the chain designator from an error message
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-23 07:51:12 -08:00
Tom Eastep
1c535ee0f9 Correct handling of a chain designator in CLASSIFY rules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-23 07:44:16 -08:00
Tom Eastep
3081ab1da1 Correct RELATED_DISPOSITION error message
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-22 15:51:50 -08:00
Tom Eastep
ce735e9415 Allow a chain designator in CLASSIFY rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-22 15:41:16 -08:00
Tom Eastep
e93dbdcb99 Stop generation of superfluous routing rules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-21 08:01:25 -08:00
Tom Eastep
c03fe0a076 Implement USE_LOGICAL_NAMES.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-20 16:03:56 -08:00
Tom Eastep
1c8f6d3856 Eliminate a variable
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-18 15:05:03 -08:00
Tom Eastep
c00068e08d Another correction to the 'CT' target
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-18 07:21:32 -08:00
Tom Eastep
a80b46be81 Allow a port number to be appended to a helper name
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-17 17:08:24 -08:00
Tom Eastep
ec848ebc01 Parenthesize qa/.../ in embedded Perl
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-17 10:09:23 -08:00
Tom Eastep
ba5db8753e Fix CT helpers
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-17 08:59:27 -08:00
Tom Eastep
9d66f34932 Allow config options to be used as shell variables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-15 12:52:22 -08:00
Tom Eastep
10d10b1c16 Remove a redundant capability test
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-15 12:52:06 -08:00
Tom Eastep
6194eceaa4 Restore text of 'Provider "..." compiled' message
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-15 12:51:39 -08:00
Tom Eastep
2142baca4f Avoid inappropriate RELATED,ESTABLISHED rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-06 19:04:43 -08:00
Tom Eastep
004d0bcc38 Allow rules in the RELATED section when there are non-default settions of
the new RELATED_* options.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-06 13:38:11 -08:00
Tom Eastep
d4957696d1 Update man pages and sample files
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-05 17:45:09 -08:00
Tom Eastep
439af55312 Implement RELATED_DISPOSITION and RELATED_LOG_LEVEL
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-05 16:08:17 -08:00
Tom Eastep
febe9e5222 Apply Chris Boot's fix for TC_ENABLED=Shared
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-05 12:22:48 -08:00
Tom Eastep
2cffae738f Initial implementation of CT target support in the 'notrack' file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-04 17:15:58 -08:00
Tom Eastep
a794027f63 Implement CT capability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-04 14:35:53 -08:00
Tom Eastep
e7d2b1d4ed Consolidate the lib.common files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-04 09:19:48 -08:00
Tom Eastep
6bb487bb68 Pass $CONFIG_PATH to compiler.pl
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-02 07:36:23 -08:00
Tom Eastep
8c6914d1a2 Don't deprecate 'optional' for shared providers
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-01 11:23:22 -08:00
Tom Eastep
a27f5655a7 Merge branch '4.4.26' 2011-12-01 10:41:22 -08:00
Tom Eastep
99bf7fb994 Don't do TC stuff during enable/disable of a shared provider
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-01 10:41:03 -08:00
Tom Eastep
568e3b2e5b Allow a provider name in addition to an interface name in enable/disable
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-01 10:32:54 -08:00
Tom Eastep
8f14485d67 Allow a provider name in addition to an interface name in enable/disable
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-01 10:30:42 -08:00
Tom Eastep
3110f7c74a Add enable/disable commands to the CLIs
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-01 10:25:51 -08:00
Tom Eastep
d8caa6498a Add tracing to Optimize 16.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-30 07:57:19 -08:00
Tom Eastep
9e149ca038 Correct default values during update
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-27 14:12:51 -08:00
Tom Eastep
61d5c6d6da Implement Shorewall::Chains::clone_rule()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-26 09:36:02 -08:00
Tom Eastep
3498076a96 Accurately compare rule key values that are array references.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-26 08:03:02 -08:00
Tom Eastep
15d95b6977 Fix SAME target.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-26 07:48:03 -08:00
Tom Eastep
5cdb74168f Correct port list capture with --multiport.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-25 16:22:23 -08:00
Tom Eastep
613e41c25a Enable OPT 16 in check -r; Suppress duplicate rules 2011-11-25 16:05:07 -08:00
Tom Eastep
90e03e1833 Even more tweaks to optimize 16
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-25 14:46:37 -08:00
Tom Eastep
71bbd7963c Some tweaks to optimize 16 2011-11-25 10:42:10 -08:00
Tom Eastep
f305da9d0d Require extended multi-port match for OPTIMIZE 16.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-24 10:57:09 -08:00
Tom Eastep
8d8a681f40 Implement optimization level 16
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-24 10:22:04 -08:00
Tom Eastep
4559c8b5d0 Tweaks to convert_blacklist()
- Reword an error message to handle both missing file and zero-sized file.
- Don't rename file that doesn't exist.
2011-11-21 12:13:39 -08:00
Tom Eastep
dffb79e7bd Handle empty blacklist file in 'update -b'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-20 17:02:01 -08:00
Tom Eastep
bd8ba435cd Avoid uninitialized value in hash element.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-20 16:24:42 -08:00
Tom Eastep
4d30811794 Implement 'show marks'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-20 12:29:17 -08:00
Tom Eastep
e5a6387695 Eliminate use of WIDE_TC_MARKS in the Tc module
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-20 08:45:16 -08:00
Tom Eastep
382309bc53 Derive default values for the mark-layout options
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-20 07:03:33 -08:00
Tom Eastep
83d7cfa76a Update documentation
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-19 15:18:43 -08:00
Tom Eastep
ae8aa3a45a More fixes for ZONE_BITS
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-19 08:19:38 -08:00
Tom Eastep
ab1b65d6a8 Fixes for blacklist conversion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-19 08:18:58 -08:00
Tom Eastep
4f9afc32ec Allow zone names in the MARK column when ZONE_BITS != 0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-18 07:23:24 -08:00
Tom Eastep
7c0cb69c29 Don't copy limited broadcast routes to provider tables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-18 07:07:51 -08:00
Tom Eastep
364b30fd9b Fix 'update -b' handling of missing files.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-18 06:26:37 -08:00
Tom Eastep
72f75c201c Implement zone automark
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-17 16:07:45 -08:00
Tom Eastep
96f5aec71f Add ZONE_BITS configuration option.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-17 10:40:47 -08:00
Tom Eastep
fe09646bed Make zone types a power of 2.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-17 09:23:39 -08:00
Tom Eastep
348c6c8cf7 Correct handling of LOGMARK
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-17 07:22:07 -08:00
Tom Eastep
d096b9399a Fix '\!' handling in validate_level()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-15 16:41:32 -08:00
Tom Eastep
afaf0d9de8 Trivial optimiation in validate_level()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-13 06:19:40 -08:00
Tom Eastep
28a1087cd4 Cleanup of rewritten validate_level()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-13 05:58:59 -08:00
Tom Eastep
73ed66b9b9 Add ULOG and NFLOG capabilities plus LOGMARK for IPv6
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-12 14:10:48 -08:00
Tom Eastep
ffec7a4d95 More corrections to wildcard interfaces
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-11 07:29:44 -08:00
Tom Eastep
04dfe26549 Remove two unused variables.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-11 05:23:37 -08:00