Tom Eastep
fba5847fa3
Merge branch 'master' of ssh://gitlab.com/shorewall/code
...
Merge remaining requests to the 5.2.9 path
2024-04-15 20:06:34 -07:00
Tom Eastep
2673e6e60c
Merge branch 'busybox-shell-fixes/v1' into 'master'
...
lib.cli-std: fix two shell errors when AUTOMAKE is false
See merge request shorewall/code!14
2024-04-16 03:05:57 +00:00
Tom Eastep
d1a8c19712
Merge branch 'support-SAFESTOP-under-systemd-in-debian/v1' into 'master'
...
Support `SAFESTOP` under systemd in Debian
See merge request shorewall/code!11
2024-04-16 02:59:32 +00:00
Tom Eastep
3c77d83260
Merge branch 'clean-test-ipset' into 'master'
...
Destroy the temporary IP set in the cleanup function
See merge request shorewall/code!13
2024-04-16 02:46:50 +00:00
Tom Eastep
c94c3c5720
Merge branch 'master' of ssh://gitlab.com/shorewall/code
...
Merge Socket6 patch into 5.2.9
2024-04-15 15:58:31 -07:00
Tom Eastep
d8e43cee2b
Merge branch 'master' into 'master'
...
Rewrite gethostbyname2 and inet_ntop to newer getaddrinfo and getnameinfo
See merge request shorewall/code!5
2024-04-15 22:57:24 +00:00
Tom Eastep
17d77ddc84
Merge branch 'master' of ssh://gitlab.com/shorewall/code
...
Merge from Master
2024-04-15 14:42:14 -07:00
Tom Eastep
d3f3a59d6f
Merge branch 'master' of ssh://gitlab.com/shorewall/code
...
Merge changes that occurred while I was inactive
2024-04-15 14:29:10 -07:00
Tom Eastep
b619f1333e
Correct status of optional interface during 'disable'
...
- If <interface>.status contains 0 but the interface's routing table has
been deleted, then 'disable' would not correct the file.
- This simple change corrects that problem.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-04-15 13:29:08 -07:00
Tom Eastep
90444bdc44
Correct comment
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-29 15:48:45 -07:00
Tuomo Soini
5a66c1d9d6
AllowICMPs: certificate path advertisment source must be fe80::/10
...
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tuomo Soini
de23e641f7
AllowICMPs: certificate path solicitation source must be :: or fe80::/10
...
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tuomo Soini
a8294ed495
AllowICMPs: listener report v2 source must be :: or fe80::/10
...
rfc3810 section-5
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tuomo Soini
393cd5043d
AllowICMPs: router-advertisment source must be fe80::/10
...
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tuomo Soini
0de5e88018
AllowICMPs: allowing redirects is a security issue and not required
...
Also redirect source must be fe80::/10
Signed-off-by: Tuomo Soini <tis@foobar.fi>
2024-03-19 11:21:03 +02:00
Tom Eastep
44671e906d
Correct typo
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-13 18:16:51 -07:00
Tom Eastep
160c259866
Silly documentation change
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-11 12:32:45 -07:00
Tom Eastep
8f826ce70d
Avoid 'ip' error messages due to missing optional interface
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-10 12:55:34 -07:00
Tom Eastep
895428c7c1
Handle the case where a single host exclusion specifies multiple nets
...
Also reorganize the exclusion code to make it self-contained within
add_common_rules()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-10 10:30:33 -07:00
Tom Eastep
0855bc4187
Create /etc/iproute2/rt_tables if it doesn't exist
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-09 15:52:49 -08:00
Tom Eastep
3e52a6c005
Remove interface status files during 'stop/clear' processing
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-08 16:13:05 -08:00
Tom Eastep
8ce3f23464
Set AUTOHELPERS=No in the samples
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-08 13:27:47 -08:00
Tom Eastep
467cc4c252
Correct src-dst single exclusion
...
Match the destination address in the output chain
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-08 11:50:49 -08:00
Tom Eastep
a9359d2610
Update $globals{VERSION}
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-07 15:41:15 -08:00
Tom Eastep
9479b83c48
Correct add_dbl_exclution_ijump()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-07 14:18:06 -08:00
Tom Eastep
f37a74a667
Add a comment
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-07 12:30:37 -08:00
Tom Eastep
0ecf0703dc
Correct classic blacklisting
...
- No filtering in the OUTPUT chain
- Correct ipsec filtering
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-07 12:26:59 -08:00
Tom Eastep
f1317f919f
Handle ipsec correctly in ipset-based dynamic blacklisting
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-06 20:26:58 -08:00
Tom Eastep
cbe2935fce
Handle 'nodbl' in complex host definitions
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-06 17:18:50 -08:00
Tom Eastep
a8718b9867
Clearify 'ip' in shorewall-hosts(5)
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-05 15:21:26 -08:00
Tom Eastep
a9c2ee3a76
Major cleanup of DYNAMIC_BLACKLIST code
...
1) Avoid having to parse the setting in the Zones, Misc and rules modules
2) Apply ipset match rule after dealing with exclusions rather than before
3) Correct handling of src-dst
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-05 14:45:41 -08:00
Tom Eastep
dfd40ee208
Factor out ipset match rule generateion
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-04 13:44:23 -08:00
Tom Eastep
8d0dba349c
Shorten DBL exclusion chain names
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-04 12:10:56 -08:00
Tom Eastep
f21d8b2a27
Correct parsing of the hosts file:
...
1) Fixed IPv6 parsing of the HOSTS column
2) Properly detect IPv4 loopback violations
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-03 09:54:33 -08:00
Tom Eastep
11fb1ab6cf
Insert comments into add_common_rules()
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 19:51:18 -08:00
Tom Eastep
e8f28fa564
Allow 'nodbl' for classic blacklisting
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 16:16:02 -08:00
Tom Eastep
337a4bd6ec
Use shorter names for dbl exclusion chains
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 14:54:45 -08:00
Tom Eastep
91d5dbb7ba
Fix some blacklisting bugs:
...
- src-dst didn't work
- typo in shorewall.conf(5)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 13:53:31 -08:00
Tom Eastep
4ca77b109c
Replace bizarre {dbl} encoding (what was I smoking when I wrote that code?)
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 10:40:12 -08:00
Tom Eastep
a96656a509
Clean up shorewall.conf(5)
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 09:52:16 -08:00
Tom Eastep
f928b4d6fc
Add a comment
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 08:45:46 -08:00
Tom Eastep
a3abafa98b
Add a 'nodbl' option for the hosts file.
...
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-03-02 08:33:36 -08:00
Jeremy Sowden
badf2fc9f0
Support SAFESTOP
under systemd
...
By default, in Debian and its derivatives, stopping the Shorewall
service executes `/sbin/shorewall clear`.
The `SAFESTOP` setting in /etc/default/shorewall is intended to stop the
service by calling `/sbin/shorewall stop`.
However, the systemd service files do not support this. Instead,
install a shell-script that sources /etc/default/shorewall and honours
`SAFESTOP` when stopping Shorewall and patch the service files to call
it.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
2023-09-09 12:48:07 +01:00
Jeremy Sowden
5e8ce7d073
lib.cli-std: fix two shell errors when AUTOMAKE is false
...
If `AUTOMAKE` is set to `no` in the config file, it is normalized to the
empty string.
This leads to two errors if `find` is provided by Busybox.
There is a conditional where `$AUTOMAKE` is not quoted when compared to
`recursive` leading to the following error:
/usr/share/shorewall/lib.cli-std: line 398: [: =: unary operator expected
In contrast to the non-Busybox case, we don't check for an empty
`$AUTOMAKE` before passing it as an argument to `-maxdepth`, leading to:
/usr/bin/find: Expected a positive decimal integer argument to -maxdepth, but got -type
Refactor the conditionals to eliminate code duplication and fix these two
bugs.
Link: https://gitlab.com/shorewall/code/-/issues/10
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
2023-09-04 21:06:30 +01:00
Glop
450a16f730
Destroy the temporary IP set in the cleanup function
...
In the IP set capability tests, there is a race condition which
might prevent the removal of the temporary IP set immediately
after flushing the chain that uses this IP set: even though the
rules which used the IP set were deleted, the IP set might still
appear to be “in use by a kernel component.”
In case this happens, we add an extra call to `ipset -X` in the
`cleanup_iptables()` function, just to be sure that the temporary
IP set is indeed destroyed when the compiler exits.
2023-03-03 16:12:04 +01:00
Paul Gear
aae5baedfd
Merge branch 'idl0r_iptablesw' into 'master'
...
Improve iptables --wait check
See merge request shorewall/code!6
2023-02-01 02:47:31 +00:00
Paul Gear
95831e372f
Merge branch 'tor_metrics' into 'master'
...
Add TorMetrics macro
See merge request shorewall/code!7
2023-02-01 02:41:22 +00:00
Jeremy Sowden
5637385507
Document related man-pages in Debian systemd service files
...
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
2023-01-31 22:50:18 +00:00
Vincas Dargis
c1e58f6faf
Add TorMetrics macro
...
Add macro for Tor metrics port.
See
https://support.torproject.org/relay-operators/relay-bridge-overloaded/
2022-09-18 15:08:54 +03:00
Christian Ruppert
8b0d829531
Check for wait option if we don't have capabilities
...
Only check for iptables --wait option if we don't already have existing
capabilities. If we have some and they're not up2date / don't match,
it will issue a warning anyway.
If a valid capabilities file exists, it will already cover whether we
can use --wait or not, that's what WAIT_OPTION is for.
Signed-off-by: Christian Ruppert <idl0r@qasl.de>
2022-04-02 11:52:10 +02:00