holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Delete DISABLE_IPV6 option

Browse Source
This commit is contained in:
Tom Eastep 2009-06-29 18:33:13 -07:00
parent 9dbafc59d0
commit 050375b211
10 changed files with 27 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Samples/one-interface/shorewall.conf
View File

@ -139,8 +139,6 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX= MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No

2
Samples/three-interfaces/shorewall.conf
View File

@ -139,8 +139,6 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX= MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No

2
Samples/two-interfaces/shorewall.conf
View File

@ -146,8 +146,6 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX= MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No

3
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -407,9 +407,6 @@ sub generate_script_3($) {
' rm -f ${VARDIR}/nat', ' rm -f ${VARDIR}/nat',
"fi\n" ); "fi\n" );
} }
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else { } else {
emit ( '#', emit ( '#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',

5
Shorewall/Perl/Shorewall/Config.pm
View File

@ -188,7 +188,7 @@ our %config;
# #
# Config options and global settings that are to be copied to object script # Config options and global settings that are to be copied to object script
# #
our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /; our @propagateconfig = qw/ MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /; our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
# #
# From parsing the capabilities file or detecting capabilities # From parsing the capabilities file or detecting capabilities
@ -2306,7 +2306,8 @@ sub get_configuration( $ ) {
default_yes_no 'ADMINISABSENTMINDED' , ''; default_yes_no 'ADMINISABSENTMINDED' , '';
default_yes_no 'BLACKLISTNEWONLY' , ''; default_yes_no 'BLACKLISTNEWONLY' , '';
default_yes_no 'DISABLE_IPV6' , '';
warning_message 'DISABLE_IPV6=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DISABLE_IPV6};
unsupported_yes_no 'DYNAMIC_ZONES'; unsupported_yes_no 'DYNAMIC_ZONES';
unsupported_yes_no 'BRIDGING'; unsupported_yes_no 'BRIDGING';

8
Shorewall/Perl/prog.functions
View File

@ -31,14 +31,6 @@ clear_firewall() {
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then
if qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
fi
fi
run_clear_exit run_clear_exit
set_state "Cleared" set_state "Cleared"

22
Shorewall/Perl/prog.header
View File

@ -853,28 +853,6 @@ detect_gateway() # $1 = interface
[ -n "$gateway" ] && echo $gateway [ -n "$gateway" ] && echo $gateway
} }
#
# Disable IPV6
#
disable_ipv6() {
local foo
foo="$($IP -f inet6 addr list 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -F
ip6tables -X
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
fi
}
# Function to truncate a string -- It uses 'cut -b -<n>' # Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and # rather than ${v:first:last} because light-weight shells like ash and
# dash do not support that form of expansion. # dash do not support that form of expansion.

6
Shorewall/changelog.txt
View File

@ -1,4 +1,8 @@
qChanges in Shorewall 4.4.0-Beta3 Changes in Shorewall 4.4.0-Beta4
1) Delete DISABLE_IPV6.
Changes in Shorewall 4.4.0-Beta3
1) Add new macros. 1) Add new macros.

2
Shorewall/configfiles/shorewall.conf
View File

@ -137,8 +137,6 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX= MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No

52
Shorewall/releasenotes.txt
View File

@ -109,28 +109,14 @@ Shorewall 4.4.0 Beta 3
As part of this change, the fallback.sh scripts are no longer As part of this change, the fallback.sh scripts are no longer
released. released.
9) The DISABLE_IPV6 option has been removed from Shorewall.conf. If
you need to control IPV6 traffic, install Shorewall6.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 3 P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 4
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Previously, if Address Type Match was not available and an 1) None.
interface on the firewall was (mis-)configured as shown below, then
REJECT policies in Shorewall-perl would drop packets addressed to
the interface rather than reject them.
3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 ...
inet 127.0.0.1/32 scope host venet0
inet 206.124.146.176/32 brd 206.124.146.176 ...
Note that a /32 should never be configured with a broadcast
address.
2) Due to a syntax ambiguity arising from the new dynamic zone
implementation, 'shorewall show dynamic' produced no output. It now
shows the contents of the dynamic blacklist as in earlier
Shorewall releases.
3) The 'findgw' script produced an error if VERBOSITY > 0.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G
@ -142,20 +128,7 @@ None.
N E W F E A T U R E S I N 4 . 4 . 0 Beta 3 N E W F E A T U R E S I N 4 . 4 . 0 Beta 3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Three new macros have been contributed by Alex Wilms. ---------------------------------------------------------------------------
macro.BGP
macro.Citrix
macro.OSPF
macro.Razor
2) The Shorewall compiler now checks for availability of the LOG
target if the configuration does any logging. This change involves
a new version of the capabilities file so users employing a
capabilties file should re-generate that file before trying to
start/restart Shorewall.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4 N E W F E A T U R E S IN 4 . 4
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -784,3 +757,16 @@ None.
26) A new extension script, 'lib.private' has been added. This file is 26) A new extension script, 'lib.private' has been added. This file is
intended to include declarations of shell functions that will be intended to include declarations of shell functions that will be
called by the other run-time extension scripts. called by the other run-time extension scripts.
27) Three new macros have been contributed by Alex Wilms.
macro.BGP
macro.Citrix
macro.OSPF
macro.Razor
28) The Shorewall compiler now checks for availability of the LOG
target if the configuration does any logging. This change involves
a new version of the capabilities file so users employing a
capabilties file should re-generate that file before trying to
start/restart Shorewall.