From 0978f3d41aff215ed41e36cddd4d105c8446c75e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 7 Jun 2010 09:16:56 -0700 Subject: [PATCH] More periodic removal of trailing white space --- Shorewall/Makefile-lite | 8 +- Shorewall/Perl/prog.footer | 6 +- Shorewall/Perl/prog.footer6 | 6 +- Shorewall/Perl/prog.header | 2 +- Shorewall/Perl/prog.header6 | 2 +- Shorewall/init.debian.sh | 8 +- Shorewall/init.slackware.firewall.sh | 2 +- Shorewall/install.sh | 8 +- Shorewall/lib.base | 4 +- Shorewall/lib.cli | 34 ++++---- Shorewall/lib.common | 12 +-- Shorewall/releasenotes.txt | 112 +++++++++++++-------------- Shorewall/shorewall | 60 +++++++------- Shorewall/shorewall.spec | 2 +- Shorewall/wait4ifup | 4 +- 15 files changed, 135 insertions(+), 135 deletions(-) diff --git a/Shorewall/Makefile-lite b/Shorewall/Makefile-lite index 74a09aedc..71d646378 100644 --- a/Shorewall/Makefile-lite +++ b/Shorewall/Makefile-lite @@ -23,10 +23,10 @@ # to the name of the remote firewall corresponding to the directory. # # To make the 'firewall' script, type "make". -# +# # Once the script is compiling correctly, you can install it by # typing "make install". -# +# ################################################################################ # V A R I A B L E S # @@ -55,7 +55,7 @@ all: firewall # # Only generate the capabilities file if it doesn't already exist # -capabilities: +capabilities: ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities" scp root@$(HOST):$(LITEDIR)/capabilities . # @@ -78,5 +78,5 @@ save: # # Remove generated files # -clean: +clean: rm -f capabilities firewall firewall.conf reload diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index 2f4ff42f9..dc6003775 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -6,7 +6,7 @@ # usage() { echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]" - echo + echo echo "Options are:" echo echo " -v and -q Standard Shorewall verbosity controls" @@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do t*) g_timestamp=Yes option=${option#t} - ;; + ;; p*) g_purge=Yes option=${option#p} @@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do if [ -n "$option" ]; then case $option in - */*) + */*) startup_error "-R must specify a simple file name: $option" ;; .safe|.try|NONE) diff --git a/Shorewall/Perl/prog.footer6 b/Shorewall/Perl/prog.footer6 index 99fdd0612..57aab166d 100644 --- a/Shorewall/Perl/prog.footer6 +++ b/Shorewall/Perl/prog.footer6 @@ -6,7 +6,7 @@ # usage() { echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]" - echo + echo echo "Options are:" echo echo " -v and -q Standard Shorewall verbosity controls" @@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do t*) g_timestamp=Yes option=${option#t} - ;; + ;; p*) g_purge=Yes option=${option#p} @@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do if [ -n "$option" ]; then case $option in - */*) + */*) startup_error "-R must specify a simple file name: $option" ;; .safe|.try|NONE) diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header index 0de5a49ea..e09c0ce0e 100644 --- a/Shorewall/Perl/prog.header +++ b/Shorewall/Perl/prog.header @@ -124,7 +124,7 @@ deleteallchains() { # Generate a list of all network interfaces on the system # find_all_interfaces() { - ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//' + ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//' } # diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6 index 63adcbe18..59749d054 100644 --- a/Shorewall/Perl/prog.header6 +++ b/Shorewall/Perl/prog.header6 @@ -116,7 +116,7 @@ deleteallchains() { # Generate a list of all network interfaces on the system # find_all_interfaces() { - ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//' + ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//' } # diff --git a/Shorewall/init.debian.sh b/Shorewall/init.debian.sh index d87c8bc83..dd95f9260 100755 --- a/Shorewall/init.debian.sh +++ b/Shorewall/init.debian.sh @@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall-init.log} test -x $SRWL || exit 0 test -x $WAIT_FOR_IFUP || exit 0 test -n "$INITLOG" || { - echo "INITLOG cannot be empty, please configure $0" ; + echo "INITLOG cannot be empty, please configure $0" ; exit 1; } @@ -32,9 +32,9 @@ fi echo_notdone () { - if [ "$INITLOG" = "/dev/null" ] ; then + if [ "$INITLOG" = "/dev/null" ] ; then echo "not done." - else + else echo "not done (check $INITLOG)." fi @@ -71,7 +71,7 @@ fi export SHOREWALL_INIT_SCRIPT -# wait for an unconfigured interface +# wait for an unconfigured interface wait_for_pppd () { if [ "$wait_interface" != "" ] then diff --git a/Shorewall/init.slackware.firewall.sh b/Shorewall/init.slackware.firewall.sh index d5894f4f8..2c2fb4c6a 100755 --- a/Shorewall/init.slackware.firewall.sh +++ b/Shorewall/init.slackware.firewall.sh @@ -45,7 +45,7 @@ status() { export SHOREWALL_INIT_SCRIPT=1 -case $1 in +case $1 in 'start') start ;; diff --git a/Shorewall/install.sh b/Shorewall/install.sh index dcfc77ae1..993f11dd0 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -133,7 +133,7 @@ case $(uname) in MAC=Yes INSTALLD= T= - ;; + ;; *) [ -z "$OWNER" ] && OWNER=root [ -z "$GROUP" ] && GROUP=root @@ -178,7 +178,7 @@ if [ -n "$DESTDIR" ]; then install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST} - + CYGWIN= MAC= else @@ -194,7 +194,7 @@ else if [ -n "$CYGWIN" ]; then echo "Installing Cygwin-specific configuration..." elif [ -n "$MAC" ]; then - echo "Installing Mac-specific configuration..." + echo "Installing Mac-specific configuration..." else if [ -f /etc/debian_version ]; then echo "Installing Debian-specific configuration..." @@ -270,7 +270,7 @@ if [ -n "$DESTDIR" ]; then mkdir -p ${DESTDIR}/etc/logrotate.d chmod 755 ${DESTDIR}/etc/logrotate.d fi - + # # Install the config file # diff --git a/Shorewall/lib.base b/Shorewall/lib.base index bd9d3d9cf..b2d28342c 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -185,7 +185,7 @@ valid_address() { ;; esac done - + IFS=$ifs return 0 @@ -381,7 +381,7 @@ find_echo() { result=$(which echo) [ -n "$result" ] && { echo "$result -e"; return; } - echo echo + echo echo } # Determine which version of mktemp is present (if any) and set MKTEMP accortingly: diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index e439941ce..a0e803f65 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -166,7 +166,7 @@ search_log() # $1 = IP address to search for else $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ fi -} +} # # Show traffic control information @@ -298,7 +298,7 @@ do_save() { status=1 fi - case ${SAVE_IPSETS:=No} in + case ${SAVE_IPSETS:=No} in [Yy]es) case ${IPSET:=ipset} in */*) @@ -345,7 +345,7 @@ save_config() { local result result=1 - + iptables_save=${IPTABLES}-save [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 @@ -495,7 +495,7 @@ show_command() { fatal_error "Invalid table name ($s)" ;; esac - + option= shift ;; @@ -713,7 +713,7 @@ show_command() { ;; esac fi - + if [ $# -gt 0 ]; then if [ $1 = dynamic -a $# -gt 1 ]; then @@ -729,7 +729,7 @@ show_command() { exit 1 fi done - + echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)" echo show_reset @@ -800,7 +800,7 @@ dump_command() { clear_term echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)" echo - + show_reset host=$(echo $g_hostname | sed 's/\..*$//') $IPTABLES -L $g_ipt_options @@ -844,7 +844,7 @@ dump_command() { heading "PFKEY SPD" setkey -DP heading "PFKEY SAD" - setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys + setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys fi heading "/proc" @@ -1183,7 +1183,7 @@ add_command() { if ! qt $IPSET -L $ipset -n; then fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fi - + host=${host#*:} if $IPSET -A $ipset $host; then @@ -1192,7 +1192,7 @@ add_command() { fatal_error "Unable to add $interface:$host to zone $zone" fi done - + } # @@ -1242,7 +1242,7 @@ delete_command() { if ! qt $IPSET -L $ipset -n; then fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fi - + host=${hostent#*:} if $IPSET -D $ipset $host; then @@ -1251,7 +1251,7 @@ delete_command() { echo " WARNING: Unable to delete host $hostent to zone $zone" >&2 fi done - + } # @@ -1403,9 +1403,9 @@ logwatch_command() { case $option in -*) option=${option#-} - + [ -z "$option" ] && usage 1 - + while [ -n "$option" ]; do case $option in v*) @@ -1436,7 +1436,7 @@ logwatch_command() { ;; esac done - + [ -n "$g_debugging" ] && set -x if [ $# -eq 1 ]; then @@ -1634,7 +1634,7 @@ determine_capabilities() { if [ -z "$HASHLIMIT_MATCH" ]; then qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes HASHLIMIT_MATCH=$OLD_HL_MATCH - fi + fi qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes @@ -1779,7 +1779,7 @@ report_capabilities1() { report_capability1 PERSISTENT_SNAT report_capability1 TPROXY_TARGET report_capability1 FLOW_FILTER - + echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION } diff --git a/Shorewall/lib.common b/Shorewall/lib.common index 952d74abd..86f4f5799 100644 --- a/Shorewall/lib.common +++ b/Shorewall/lib.common @@ -45,17 +45,17 @@ get_script_version() { # $1 = script temp=$(echo $temp) IFS=$ifs digits=0 - + for temp in $temp; do version=${version}$(printf '%02d' $temp) digits=$(($digits + 1)) [ $digits -eq 3 ] && break done fi - + echo $version } - + # # Do required exports or create the required option string and run the passed script using # $SHOREWALL_SHELL @@ -66,7 +66,7 @@ run_it() { local version export VARDIR - + script=$1 shift @@ -82,7 +82,7 @@ run_it() { export PURGE=$g_purge export TIMESTAMP=$g_timestamp export RECOVERING=$g_recovering - + if [ "$g_product" != Shorewall ]; then # # Shorewall Lite @@ -105,7 +105,7 @@ run_it() { [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE" fi - + $SHOREWALL_SHELL $script $options $@ } diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 37c53f716..51353d111 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -7,7 +7,7 @@ II. MIGRATION ISSUES III. PROBLEMS CORRECTED IN THIS RELEASE IV. KNOWN PROBLEMS REMAINING V. NEW FEATURES IN THIS RELEASE -VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES +VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- I. R E L E A S E 4 . 4 H I G H L I G H T S @@ -56,7 +56,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 11) Support for netfilter's TRACE facility has been added. TRACE allows you to trace selected packets through Netfilter, including marking - by tcrules. + by tcrules. 12) You may now preview the generated ruleset by using the '-r' option to the 'check' command (e.g., "shorewall check -r"). @@ -155,7 +155,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 8) The install.sh scripts in the Shorewall and Shorewall6 packages no longer create a backup copy of the existing configuration. If you want your configuration backed up prior to upgrading, you will - need to do that yourself. + need to do that yourself. As part of this change, the fallback.sh scripts are no longer released. @@ -182,7 +182,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES explicitly call the module's 'initialize' function after the module has been loaded. -12) Checking for zone membership has been tighened up. Previously, +12) Checking for zone membership has been tighened up. Previously, a zone could contain :0.0.0.0/0 along with other hosts; now, if the zone has :0.0.0.0/0 (even with exclusions), then it may have no additional members in /etc/shorewall/hosts. @@ -208,12 +208,12 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES iface_ADDRESSES SW_iface_ADDRESSES iface_NETWORKS SW_iface_NETWORKS iface_MAC SW_iface_MAC - + provider_IS_USABLE SW_provider_IS_USABLE where 'iface' is a capitalized interface name (e.g., ETH0) and 'provider' is the capitalized name of a provider. - + ---------------------------------------------------------------------------- I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- @@ -231,7 +231,7 @@ None. ---------------------------------------------------------------------------- 1) Beginning with this release, UPnP state and the dynamic blacklist - are preserved across 'restart'. + are preserved across 'restart'. ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S @@ -256,7 +256,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S 3) Under rare circumstances involving a complex configuration, OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore - input to be generated. + input to be generated. Sample error message: @@ -324,7 +324,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S b) be sure that your current firewall script(s) (normally in /var/lib//firewall) is(are) compiled with the 4.4.10 - compiler. + compiler. Shorewall and Shorewall6 users can execute these commands: @@ -361,8 +361,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S On Debian-based systems, set startup=0 in /etc/default/. On other systems, use your service startup configuration tool - (chkconfig, insserv, ...) to disable startup. - + (chkconfig, insserv, ...) to disable startup. + The following actions occur when an interface comes up: FIREWALL INTERFACE ACTION @@ -423,7 +423,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S shorewall-lite: 4.4.10-RC1 shorewall6-lite: 4.4.10-RC1 shorewall-init: 4.4.10-RC1 - gateway:~# + gateway:~# ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 9 @@ -498,7 +498,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S /etc/shorewall/masq: #INTERFACE SOURCE ADDRESS PROTO PORT - tun0 192.168.1.0/24 + tun0 192.168.1.0/24 Use of tunN in the nat and netmap files also produced invalid iptables-restore input. @@ -540,7 +540,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I - Inserted a rule into a chain. T - Shell source text appended/inserted into a chain -- converted into rules at run-time. - D - Deleted Rule from a chain; note that this causes the + D - Deleted Rule from a chain; note that this causes the following rules to be renumbered. X - Deleted a chain P - Change a built-in chains policy. Chains in the filter table @@ -555,7 +555,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S Netfilter trace records indicate the table and chain being changed. If the change involves a particular rule, then the rule - number is also included. + number is also included. Example (append the first rule to the filter FORWARD chain): @@ -585,7 +585,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS dummy br0 - routeback - + /etc/shorewall/policy: #SOURCE DEST POLICY dummy all DROP @@ -611,7 +611,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S P R O B L E M S C O R R E C T E D I N 4 . 4 . 9 ---------------------------------------------------------------------------- -1) A CONTINUE rule specifying a log level would cause the compiler to +1) A CONTINUE rule specifying a log level would cause the compiler to generate an incorrect rule sequence. The packet would be logged but the CONTINUE action would not occur. @@ -643,7 +643,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S 1/2 of the values given in the rule. 5) Detection of the 'Old hashlimit match' capability was broken in - /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of + /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of shorecap. 6) On older distributions such as RHEL5 and derivatives, Shorewall @@ -651,7 +651,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S /etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been specified in /etc/shorewall/shorewall.conf. -7) The Debian init scripts are modified to include $remote_fs in the +7) The Debian init scripts are modified to include $remote_fs in the Required-start and Required-stop specifications. 8) Previously, when a supported command failed, the Debian Shorewall @@ -715,7 +715,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S VERBOSE VERBOSE_OFFSET VERSION - + See Migration Issue 14 above for additional information. 2) The Shorewall and Shorewall6 installers now accept a '-s' (sparse) @@ -739,7 +739,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S Resulting error message - ERROR: The separator for a port range is ':', not '-' (21-22) : + ERROR: The separator for a port range is ':', not '-' (21-22) : /etc/shorewall/rules (line 3) 5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S) @@ -750,7 +750,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S 'status' command now gives the detailed status as 'Restored from ' rather than 'Started'; is the saved script used to restore the configuration. - + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 ---------------------------------------------------------------------------- @@ -759,7 +759,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S installer and are included in the rpm. 2) An invalid octal number (e.g., 080) appearing in a port list - resulted in a perl error message. + resulted in a perl error message. As part of this fix, both hex and octal numbers are now accepted for protocol and port numbers. @@ -824,7 +824,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S f) If a chain ends with an unconditional branch to a second chain (other than to 'reject'), then the branch is deleted from the first chain and the rules from the second chain are appended - to it. + to it. The following chains are exempted from optimization 4: @@ -881,7 +881,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol helpers. These cannot be autoloaded. - + In addition, the nf_conntrack_sip module is loaded with sip_direct_media=0. This setting is slightly less secure than sip_direct_media=1, but it solves many VOIP problems that users @@ -914,7 +914,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S the setting of net.ipv4.config.all.rp_filter. Beginning with kernel 2.6.31, the value is the arithmetic MAX of - those two values. + those two values. Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if there are any interfaces specifying 'routefilter', specifying @@ -946,7 +946,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S Keep - Shorewall does not change the setting of net.ipv4.config.all.rp_filter if the kernel version is 2.6.31 or later. - + The default remains Keep. e) The 'routefilter' interface option can have values 0,1 or 2. If @@ -1021,7 +1021,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S 2) If any interfaces had the 'bridge' option specified, compilation failed with the error: - Undefined subroutine &Shorewall::Rules::match_source_interface called + Undefined subroutine &Shorewall::Rules::match_source_interface called at /usr/share/shorewall/Shorewall/Rules.pm line 2319. 3) The compiler now flags port number 0 as an error in all @@ -1049,7 +1049,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S 9) The 'reload -c' command would ignore the setting of DONT_LOAD in shorewall.conf. The 'reload' command without '-c' worked as - expected. + expected. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 5 @@ -1135,7 +1135,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S /etc/shorewall/zones: - #ZONE TYPE + #ZONE TYPE fw firewall world ipv4 z1:world bport4 @@ -1268,7 +1268,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S STARTUP_LOG=/var/log/shorewall-init.log LOG_VERBOSITY=2 - The effect is much the same as the old defaults, with the exception + The effect is much the same as the old defaults, with the exception that: a) Start, stop, etc. commands issued through /sbin/shorewall @@ -1276,7 +1276,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S b) Logging will occur at maximum verbosity. c) Log entries will be date/time stamped. - On non-Debian systems, new installs will now log all Shorewall + On non-Debian systems, new installs will now log all Shorewall commands to /var/log/shorewall-init.log. 2) A new TRACK_PROVIDERS option has been added in shorewall.conf. @@ -1294,9 +1294,9 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 ---------------------------------------------------------------------------- -1) Detection of Persistent SNAT was broken in the rules compiler. +1) Detection of Persistent SNAT was broken in the rules compiler. -2) Initialization of the compiler's chain table was occurring before +2) Initialization of the compiler's chain table was occurring before shorewall.conf had been read and before the capabilities had been determined. This could lead to incorrect rules and Perl runtime errors. @@ -1348,14 +1348,14 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S N E W F E A T U R E S I N 4 . 4 . 2 ---------------------------------------------------------------------------- -1) Prior to this release, line continuation has taken precedence over +1) Prior to this release, line continuation has taken precedence over #-style comments. This prevented us from doing the following: ACCEPT net:206.124.146.176,\ #Gateway 206.124.146.177,\ #Mail 206.124.146.178\ #Server ... - + Now, unless a line ends with '\', any trailing comment is stripped off (including any white-space preceding the '#'). Then if the line ends with '\', it is treated as a continuation line as normal. @@ -1407,7 +1407,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S 7) MULTICAST=Yes generates an incorrect rule that limits its effectiveness to a small part of the multicast address space. -8) Checking for zone membership has been tighened up. Previously, +8) Checking for zone membership has been tighened up. Previously, a zone could contain :0.0.0.0/0 along with other hosts; now, if the zone has :0.0.0.0/0 (even with exclusions), then it may have no additional members in /etc/shorewall/hosts. @@ -1431,7 +1431,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent This feature requires Persistent SNAT support in your kernel and - iptables. + iptables. If you use a capabilities file, you will need to create a new one as a result of this feature. @@ -1444,7 +1444,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S iptables when asked. 2) A 'clean' target has been added to the Makefiles. It removes backup - files (*~ and .*~). + files (*~ and .*~). 3) The meaning of 'full' has been redefined when used in the context of a traffic shaping sub-class. Previously, 'full' always meant the @@ -1580,7 +1580,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S As always, /var/lib/shorewall[6] is the default directory which may be overridden using the /etc/shorewall[6]/vardir file. -5) Dynamic zone support is once again available for IPv4. This support +5) Dynamic zone support is once again available for IPv4. This support is built on top of ipsets so you must have the xtables-addons installed on the firewall system. @@ -1598,7 +1598,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S - By specifying :dynamic in the HOST(S) column of an entry for the zone in /etc/shorewall/hosts. - When there are any dynamic zones present in your configuration, + When there are any dynamic zones present in your configuration, Shorewall (Shorewall-lite) will: a) Execute the following commands during 'shorewall start' or @@ -1607,7 +1607,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S ipset -U :all: :all: ipset -U :all: :default: ipset -F - ipset -X + ipset -X ipset -R < ${VARDIR}/ipsets.save where $VARDIR normally contains /var/lib/shorewall @@ -1700,7 +1700,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S gateway:~ # shorewall restart Restarting Shorewall.... done. - gateway:~ # + gateway:~ # In other words, you can compile the current configuration then install it at a later time. @@ -1750,8 +1750,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S This previously generated these two rules (long rules folded): -A loc2net -p 6 --dport 25 -j LOG --log-level 6 - --log-prefix "Shorewall:loc2net:reject:" - -A loc2net -p 6 --dport 25 -j reject + --log-prefix "Shorewall:loc2net:reject:" + -A loc2net -p 6 --dport 25 -j reject It now generates these rules: @@ -1760,8 +1760,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S -A loc2net -p 6 --dport 25 -g log0 ... -A log0 -j LOG --log-level 6 - --log-prefix "Shorewall:loc2net:REJECT:" - -A log0 -j reject + --log-prefix "Shorewall:loc2net:REJECT:" + -A log0 -j reject Notice that now there is only a single rule generated in the 'loc2net' chain where before there were two. Packets for other than @@ -1861,7 +1861,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S It is important to realize that, while class IDs are composed of a and a value, the set of values must be unique. You must keep this in mind when deciding how to map IP - addresses to class IDs. + addresses to class IDs. For example, suppose that your internal network is 192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion @@ -1974,7 +1974,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S 1:100 - 16mbit 20mbit 2 1:100:101 - 8mbit 20mbit 3 default 1:100:102 - 8mbit 20mbit 3 - + /etc/shorewall/tcrules #MARK SOURCE DEST @@ -1990,7 +1990,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S Local traffic (that coming from the firewall and from the DMZ server) is placed in the effectively unrestricted class 1:10. The default class is guaranteed half of the download capacity and my - work system (172.20.1.107) is guarandeed the other half. + work system (172.20.1.107) is guarandeed the other half. 19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing discipline has been added. HFSC is claimed to be superior to the @@ -2018,7 +2018,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S in the class should experience. The delay is expressed in milliseconds and may be followed by 'ms' (e.g., 10ms. Note that there may be no white space between the - number and 'ms'). + number and 'ms'). 3. The maximum transmission unit (UMAX) for this class of traffic. If not specified, the MTU of the interface is used. The length is specified in bytes and may be @@ -2101,7 +2101,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S 25) A new extension script, 'lib.private' has been added. This file is intended to include declarations of shell functions that will be - called by the other run-time extension scripts. + called by the other run-time extension scripts. 26) Paul Gear has contributed the following macros: @@ -2178,7 +2178,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S If flow is not supported, you will see: Unknown filter "flow", hence option "help" is unparsable - + If your kernel supports module autoloading, just type (as root): modprobe cls_flow @@ -2187,7 +2187,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S see: FATAL: Module cls_flow not found. - + If your kernel is not modularized or does not support module autoloading, look at your kernel configuration (either /proc/config.gz or the .config file in @@ -2195,7 +2195,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S If 'flow' is supported, you will see: - NET_CLS_FLOW=m + NET_CLS_FLOW=m or @@ -2203,4 +2203,4 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S For modularized kernels, Shorewall will attempt to load /lib/modules//net/sched/cls_flow.ko by default. - + diff --git a/Shorewall/shorewall b/Shorewall/shorewall index 34d18ead0..8c642dc40 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -32,7 +32,7 @@ # $1 = Yes: read the params file # $2 = Yes: check for STARTUP_ENABLED # $3 = Yes: Check for LOGFILE -# +# get_config() { local prog @@ -47,7 +47,7 @@ get_config() { fi config=$(find_file shorewall.conf) - + if [ -f $config ]; then if [ -r $config ]; then . $config @@ -61,7 +61,7 @@ get_config() { fi ensure_config_path - + if [ -z "$g_export" -a "$(id -u)" = 0 ]; then # # This block is avoided for compile for export and when the user isn't root @@ -109,7 +109,7 @@ get_config() { IP=$prog ;; esac - else + else IP='ip' fi @@ -130,7 +130,7 @@ get_config() { IPSET=$prog ;; esac - else + else IPSET='ipset' fi @@ -151,7 +151,7 @@ get_config() { TC=$prog ;; esac - else + else TC='tc' fi # @@ -196,7 +196,7 @@ get_config() { ;; esac - [ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' + [ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' [ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" @@ -222,7 +222,7 @@ get_config() { else STARTUP_LOG= LOG_VERBOSITY=-1 - fi + fi if [ -n "$SHOREWALL_SHELL" ]; then if [ ! -x "$SHOREWALL_SHELL" ]; then @@ -313,7 +313,7 @@ startup_error() { # Run the compiler # compiler() { - + if [ $(id -u) -ne 0 ]; then if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then startup_error "Ordinary users may not compile the /etc/shorewall configuration" @@ -338,10 +338,10 @@ compiler() { [ -n "$g_profile" ] && debugflags='-wd:DProf' # Perl compiler only takes the output file as a argument - + [ "$1" = debug -o "$1" = trace ] && shift; [ "$1" = nolock ] && shift; - shift + shift options="--verbose=$VERBOSITY" [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" @@ -356,7 +356,7 @@ compiler() { # # Run the appropriate params file # - set -a; + set -a; run_user_exit params set +a @@ -537,7 +537,7 @@ compile_command() { t*) g_test=Yes option=${option#t} - ;; + ;; d*) g_debug=Yes; option=${option#d} @@ -755,7 +755,7 @@ restart_command() { fi fi - if [ -z "$g_fast" ]; then + if [ -z "$g_fast" ]; then progress_message3 "Compiling..." if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then @@ -774,7 +774,7 @@ restart_command() { rc=$? [ -n "$nolock" ] || mutex_off fi - + return $rc } @@ -958,7 +958,7 @@ safe_commands() { else ${VARDIR}/.$command clear fi - + [ -n "$nolock" ] || mutex_off echo "New configuration has been rejected and the old one restored" @@ -989,7 +989,7 @@ try_command() { echo "Directory $1 does not exist" >&2 && exit 2 fi fi - + SHOREWALL_DIR=$(resolve_file $1) } @@ -1032,7 +1032,7 @@ try_command() { 2) handle_directory $1 timeout=$2 - case $timeout in + case $timeout in *[!0-9]*) echo " ERROR: Invalid timeout ($timeout)" >&2; exit 1 @@ -1084,12 +1084,12 @@ try_command() { if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then sleep $timeout - + if [ "$command" = "restart" ]; then ${VARDIR}/.try restore else ${VARDIR}/.$command clear - fi + fi fi [ -n "$nolock" ] || mutex_off @@ -1106,7 +1106,7 @@ rsh_command() { rcp_command() { files="$1" destination=$2 - + eval $RCP_COMMAND } @@ -1247,12 +1247,12 @@ reload_command() # $* = original arguments less the command. export_command() # $* = original arguments less the command. { local verbose - verbose=$(make_verbose) + verbose=$(make_verbose) local file - file= + file= local finished - finished=0 - local directory + finished=0 + local directory local target while [ $finished -eq 0 -a $# -gt 0 ]; do @@ -1455,7 +1455,7 @@ while [ $finished -eq 0 ]; do ;; v*) option=${option#v} - case $option in + case $option in -1*) g_use_verbosity=-1 option=${option#-1} @@ -1542,7 +1542,7 @@ version_command() { [ $# -gt 0 ] && usage 1 echo $SHOREWALL_VERSION - + if [ -n "$all" ]; then for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do if [ -f /usr/share/$product/version ]; then @@ -1570,7 +1570,7 @@ g_timestamp= [ -n "${VARDIR:=/var/lib/shorewall}" ] if [ ! -f ${VARDIR}/firewall ]; then - [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall + [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall fi g_firewall=${VARDIR}/firewall @@ -1920,7 +1920,7 @@ case "$COMMAND" in else fatal_error "Shorewall is not started" fi - ;; + ;; noiptrace) get_config shift @@ -1930,7 +1930,7 @@ case "$COMMAND" in else fatal_error "Shorewall is not started" fi - ;; + ;; *) usage 1 ;; diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index ccd44f1b8..e41238e04 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -105,7 +105,7 @@ fi %attr(0644,root,root) %{_mandir}/man5/* %attr(0644,root,root) %{_mandir}/man8/* -%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples +%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog * Sun Jun 06 2010 Tom Eastep tom@shorewall.net diff --git a/Shorewall/wait4ifup b/Shorewall/wait4ifup index 6e11110dd..400c42036 100755 --- a/Shorewall/wait4ifup +++ b/Shorewall/wait4ifup @@ -33,7 +33,7 @@ # interface_is_up() { - [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] + [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] } case $# in @@ -57,4 +57,4 @@ done exit 1 - +