From 2246e54d28b8c5e9bda50d80369ee19526d24504 Mon Sep 17 00:00:00 2001 
From: teastep Date: Fri, 19 Oct 2007 19:43:14 +0000 Subject: [PATCH] Bring trunk up to date with 4.0 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7483 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/README.txt | 2 +- Shorewall-common/changelog.txt | 34 ++ Shorewall-common/fallback.sh | 2 +- Shorewall-common/firewall | 4 +- Shorewall-common/install.sh | 2 +- Shorewall-common/lib.cli | 1 + Shorewall-common/releasenotes.txt | 494 ++++++++++++++------- Shorewall-common/shorewall | 28 +- Shorewall-common/shorewall-common.spec | 4 +- Shorewall-common/shorewall.conf | 2 + Shorewall-common/uninstall.sh | 2 +- Shorewall-lite/README.txt | 2 +- Shorewall-lite/fallback.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite | 2 +- Shorewall-lite/shorewall-lite.spec | 4 +- Shorewall-lite/uninstall.sh | 2 +- Shorewall-perl/README.txt | 2 +- Shorewall-perl/Shorewall/Accounting.pm | 2 +- Shorewall-perl/Shorewall/Actions.pm | 2 +- Shorewall-perl/Shorewall/Chains.pm | 317 +++++++++---- Shorewall-perl/Shorewall/Compiler.pm | 7 +- Shorewall-perl/Shorewall/Config.pm | 16 +- Shorewall-perl/Shorewall/FallbackPorts.pm | 518 ---------------------- Shorewall-perl/Shorewall/IPAddrs.pm | 10 +- Shorewall-perl/Shorewall/Nat.pm | 2 +- Shorewall-perl/Shorewall/Policy.pm | 10 +- Shorewall-perl/Shorewall/Proc.pm | 21 +- Shorewall-perl/Shorewall/Providers.pm | 2 +- Shorewall-perl/Shorewall/Proxyarp.pm | 2 +- Shorewall-perl/Shorewall/Rules.pm | 63 ++- Shorewall-perl/Shorewall/Tc.pm | 15 +- Shorewall-perl/Shorewall/Tunnels.pm | 2 +- Shorewall-perl/Shorewall/Zones.pm | 3 +- Shorewall-perl/buildports.pl | 165 ------- Shorewall-perl/install.sh | 21 +- Shorewall-perl/prog.footer | 11 +- Shorewall-perl/prog.functions | 92 +++- Shorewall-perl/shorewall-perl.spec | 14 +- Shorewall-shell/README.txt | 2 +- Shorewall-shell/compiler | 5 +- Shorewall-shell/install.sh | 2 +- Shorewall-shell/shorewall-shell.spec | 4 +- 43 files changed, 824 insertions(+), 1075 
deletions(-) delete mode 100644 Shorewall-perl/Shorewall/FallbackPorts.pm delete mode 100755 Shorewall-perl/buildports.pl diff --git a/Shorewall-common/README.txt b/Shorewall-common/README.txt index 7d77ae85a..cf2cb4fbc 100644 --- a/Shorewall-common/README.txt +++ b/Shorewall-common/README.txt @@ -1 +1 @@ -This is the Shorewall-common Development 4.0 branch of SVN. +This is the Shorewall-common Stable 4.0 branch of SVN. diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 876664447..c87c2def9 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,33 @@ +Changes in 4.0.5 + +1) Delete 'detectnets' from Shorewall-perl + +2) Use get_config() for processing secondary shorewall.conf + +3) Add 'broadcast' and 'destonly' options to hosts file. + +4) Allow "$FW::" in the DEST column of a redirect rule" + +5) Add MULTICAST option in shorewall.conf. + +6) Allow port range for server port in NAT rules. + +7) Validate server IP address and port(-range) in NAT rules. + +8) Allow server port(s) to be specified as service names. + +9) Split large DEST PORT(S) lists. + +10) Fix TCP/UDP in rules file. + +10) Add new semantics to 'debug' with Shorewall-perl + +11) Satisfy the distros. + +12) Change module versions to V-strings. + +13) Fix ipsets. + Changes in 4.0.4 1) Fix 'refresh' with light-weight shells. @@ -37,6 +67,10 @@ Changes in 4.0.4 18) Fix off-by-one bug in Tc.pm +19) Correct problems found in pre-testing. + +20) Fix REDIRECT with Macros. + Changes in 4.0.3 1) Streamline the checking for builtin chains in the accounting file. diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh index f340c26e0..7eeea7367 100755 --- a/Shorewall-common/fallback.sh +++ b/Shorewall-common/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.4 +VERSION=4.0.5 usage() # $1 = exit status { 
diff --git a/Shorewall-common/firewall b/Shorewall-common/firewall index 34de2f448..078c1e0f6 100755 --- a/Shorewall-common/firewall +++ b/Shorewall-common/firewall @@ -477,9 +477,9 @@ usage() { # E X E C U T I O N B E G I N S H E R E # # -# Start trace if first arg is "debug" +# Start trace if first arg is "debug" or "trace" # -[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } +[ $# -gt 1 ] && [ "x$1" = xdebug -o "$x$1" = xtrace ] && { set -x ; shift ; } NOLOCK= diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index 62005fb02..91ef673c8 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.4 +VERSION=4.0.5 usage() # $1 = exit status { diff --git a/Shorewall-common/lib.cli b/Shorewall-common/lib.cli index 697abfd97..879eadc7f 100644 --- a/Shorewall-common/lib.cli +++ b/Shorewall-common/lib.cli @@ -306,6 +306,7 @@ save_config() { echo "__EOF__" >> $f echo >> $f echo "ipset -U :all: :all:" >> $f + echo "ipset -U :all: :default:" >> $f echo "ipset -F" >> $f echo "ipset -X" >> $f echo "ipset -R << __EOF__" >> $f diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 1fba2f653..dd5c05019 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,7 +1,4 @@ -Shorewall 4.0 Patch release 4 - -WARNING: Suppport for the 'detectnets' option will be removed from -Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below. +Shorewall 4.0 Patch release 5 ---------------------------------------------------------------------------- R E L E A S E 4 . 0 H I G H L I G H T S 
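Review bot: The rewritten debug/trace test in the execution prologue of Shorewall-common/firewall compares `"$x$1"` instead of `"x$1"`, so the `trace` alternative expands to `"$1" = xtrace` (with `$x` unset) and a first argument of `trace` never turns on `set -x`, while the `debug` alternative still works. The line should read `[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; }`. Because this file is meant to run under light-weight shells, `case "$1" in debug|trace) set -x; shift ;; esac` would also avoid the XSI-only `-o` test operator that the new line introduces.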
@@ -29,142 +26,198 @@ Shorewall-perl in Shorewall 4.0 Patch release 5. See 'Other changes' below. Shorewall-perl compiler. This support utilizes the reduced-function physdev match support available in Linux kernel 2.6.20 and later. -Problems Corrected in Shorewall 4.0.4 +Problems corrected in Shorewall 4.0.5. -1) If no interface had the 'blacklist' option, then when using - Shorewall-perl, the 'start' and 'restart' command fail: +1) Previously, Shorewall-perl misprocessed $FW:: in the DEST + column of a REDIRECT rule, generating an error. '$FW::' now + produces the same effect as ''. - ERROR: No filter chain found with name blacklst +2) If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE + PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected + the entry with the error: - New Shorewall-perl 4.0.3 packages were released that corrected this - problem; it is included here for completeness. + ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules -2) If no interface had the 'blacklist' option, then when using - Shorewall-perl, the generated script would issue this harmless - message during 'shorewall refresh': + The rule was accepted if 'tcp' or 'udp' was used instead. - chainlist_reload: Not found +3) Shorewall-shell now removes any default bindings of ipsets before + attempting to reload them. Previously, default bindings were not + removed with the result that the ipsets could not be destroyed. -3) If /bin/sh was a light-weight shell such as ash or dash, then - 'shorewall refresh' failed. +Other changes in Shorewall 4.0.5. -4) During start/restart, the script generated by Shorewall-perl is - clearing the proxy_arp flag on all interfaces; that is not the - documented behavior. +1) Two new options have been added to /etc/shorewall/hosts + (Shorewall-perl only). 
-5) If the module-init-tools package was not installed and - /etc/shorewall/modules did not exist or was non-empty, then - Shorewall-perl would fail with the message: + broadcast: Permits limited broadcast (destination 255.255.255.255) + to the zone. - ERROR: Can't run lsmod : /etc/shorewall/modules (line 0) - -6) Shorewall-perl now makes a compile-time check to insure that - iptables-restore exists and is executable. This check is made when - the compiler is being run by root and the -e option is not - given. - - Note that iptables-restore must reside in the same directory as the - iptables executable specified by IPTABLES in shorewall.conf or - located by the PATH in the event that IPTABLES is not specified. - -7) When using Shorewall-perl, if an action was invoked with more than - 10 different combinations of log-levels/tags, some of those - invocations with have incorrect logging. - -8) Previously, when 'shorewall restore' was executed, the - iptables-restore utility was always located using the PATH setting - rather than the IPTABLES setting. - - With Shorewall-perl, the IPTABLES setting is now used to locate - this utility during 'restore' as it is during the processing of - other commands. - -9) Although the shorewall.conf manpage indicates that the value - 'internal' is allowed for TC_ENABLED, that value was previously - rejected ('Internal' was accepted). - -10) The meaning of the 'loose' provider option was accidentally reversed - in Shorewall-perl. Rather than causing certain routing rules to be - omitted when specified, it actually caused them to be added (these - rules were omitted when the option was NOT specified). - -11) If the 'bridge' option was specified on an interface but there were - no bport zones, then traffic originating on the firewall was not - passed through the accounting chain. 
- -12) In commands such as: - - shorewall compile - shorewall restart - shorewall check - - if the name of the contained a period ("."), then - Shorewall-perl would incorrectly substitute the current working - directory for the name. - -13) Previously, if the following sequence of routing rules was - specified, then the first rule would always be omitted. - - #SOURCE DEST PROVIDER PRIORITY - $SRC_A $DESTIP1 ISP1 1000 - $SRC_A $DESTIP2 SOMEISP 1000 - $SRC_A - ISP2 1000 - - The reason for this omission was that Shorewall uses a - delete-before-add approach and attempting to delete the third rule - resulted in the deletion of the first one instead. - - This problem occurred with both compilers. - -14) When using Shorewall-shell, provider numbers were not recognized in - the PROVIDER column of /etc/shorewall/route_rules. - -15) An off-by-one problem in Shorewall-perl caused the value 255 to be - rejected in the MARK column of /etc/shorewall/tcclasses. - -Other Changes in Shorewall 4.0.4 - -1) The detection of 'Repeat Match' has been improved. 'Repeat Match' - is not a match at all but rather is a feature of recent versions of - iptables that allows a particular match to be used multiple times - within a single rule. + destonly: Normally used with the Multi-cast range. Specifies that + traffic will be sent to the specified net(s) but that + no traffic will be received from the net(s). Example: - -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ... + wifi eth1:192.168.3.0/24 broadcast + wifi eth1:224.0.0.0/4 destonly - When using Shorewall-shell, the availability of 'Repeat Match' can - speed up compilation very slightly. + In that example, limited broadcasts from the firewall with a source + IP in the 192.168.3.0/24 range will be acccepted as will multicasts + (with any source address). -2) Apparently recent Fedora releases are broken. The - following sequence of commands demonstrates the problem: +2) A MULTICAST option has been added to shorewall.conf. 
This option + will normally be set to 'No' (the default). It should be set to + 'Yes' under the following circumstances: - ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5 - ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main - ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000 + a) You have an interface that has parallel zones defined via + /etc/shorewall/hosts. + b) You want to forward multicast packets to two or more of those + parallel zones. - The third command should fail but doesn't; instead, it incorrectly - removes the rule added by the first command. + In such cases, you will configure a 'destonly' network on each + zone receiving multicasts. - To work around this issue, you can set DELETE_THEN_ADD=No in - shorewall.conf which prevents Shorewall from deleting ip rules - before attempting to add a similar rule. + The MULTICAST option is only recognized by Shorewall-perl and is + ignored by Shorewall-shell. -3) When using Shorewall-perl, the following message is now issued if - the 'detectnets' option is specified in /etc/shorewall/interfaces: - - WARNING: Support for the 'detectnets' option will be removed from - Shorewall-perl in version 4.0.5; better to use 'routefilter' and 'logmartians - - The 'detect' options has always been rather silly. On input, it - duplicates the function of 'routefilter'. On output, it is a no-op - since traffic that doesn't match a route out of an interface won't - be sent through that interface (duh!). - - Beginning with Shorewall 4.0.5, the warning message will read: +3) As announced in the Shorewall 4.0.4 release notes, Shorewall-perl + no longer supports the 'detectnets' option. Specifying that option + now results in the following message: WARNING: Support for the 'detectnets' option has been removed + It is suggested that 'detectnets' be replaced by + 'routefilter,logmartians'. That will produce the same filtering + effect as 'detectnets' while eliminating 1-2 rules per connection. 
+ + One user has asked how to retain the output of 'shorewall show + zones' if the 'detectnets' option is removed. While I don't advise + doing so, you can reproduce the current 'shorewall show' behavior + as follows. + + Suppose that you have a zone named 'wifi' that produces the + following output with 'detectnets': + + wifi (ipv4) + eth1:192.168.3.0/24 + + You can reproduce this behavior as follows: + + /etc/shorewall/interfaces: + + - eth1 detect ... + + /etc/shorewall/hosts: + + wifi eth1:192.168.3.0/24 broadcast + + If you send multicast to the 'wifi' zone, you also need this entry + in your hosts file: + + wifi eth1:224.0.0.0/4 destonly + +4) (Shorewall-perl only) The server port in a DNAT or REDIRECT rule + may now be specified as a service name from + /etc/services. Additionally: + + a) A port-range may be specified as the service port expressed in + the format -. Connections are assigned to + server ports in round-robin fashion. + + b) The compiler only permits a server port to be specified if the + protocol is tcp or udp. + + c) The compiler ensures that the server IP address is valid (note + that it is still not permitted to specify the server address as a + DNS name). + +5) (Shorewall-perl only) Users are complaining that when they migrate + to Shorewall-perl, they have to restrict their port lists to 15 + ports. In this release, we relax that restriction on destination + port lists. Since the SOURCE PORT(s) column in the configuration + files is rarely used, we have no plans to relax the restriction in + that column. + +6) There have been several cases where iptables-restore has failed + while executing a COMMIT command in the .iptables_restore_input + file. This gives neither the user nor Shorewall support much to go + on when analyzing the problem. As a new debugging aid, the meaning + of 'trace' and 'debug' have been changed. 
+ + Traditionally, /sbin/shorewall and /sbin/shorewall-lite have + allowed either 'trace' or 'debug' as the first run-line + parameter. Prior to 4.0.5, the two words produced the same effect. + + Beginning with Shorewall 4.0.5, the two words have different + effects when Shorewall-perl is used. + + trace - Like the previous behavior. + + In the Shorewall-perl compiler, generate a stack trace + on WARNING and ERROR messages. + + In the generated script, sets the shell's -x option to + trace execution of the script. + + debug - Ignored by the Shorewall-perl compiler. + + In the generated script, causes the commands in + .iptables_restore_input to be executed as discrete iptables + commands. The failing command can thus be identified and a + diagnosis of the cause can be made. + + Users of Shorewall-lite will see the following change when using a + script that was compiled with Shorewall-perl 4.0.5 or later. + + trace - In the generated script, sets the shell's -x option to + trace execution of the script. + + debug - In the generated script, causes the commands in + .iptables_restore_input to be executed as discrete iptables + commands. The failing command can thus be identified and a + diagnosis of the cause can be made. + + In all other cases, 'debug' and 'trace' remain synonymous. In + particular, users of Shorewall-shell will see no change in + behavior. + + WARNING: The 'debug' feature in Shorewall-perl is strictly for + problem analysis. When 'debug' is used: + + a) The firewall is made 'wide open' before the rules are applied. + b) The routestopped file is not consulted and the rules are applied + in the canonical iptables-restore order (ASCIIbetical by chain). + So if you need critical hosts to be always available during + start/restart, you may not be able to use 'debug'. + +7) /usr/share/shorewall-perl/buildports.pl, + /usr/share/shorewall-perl/FallbackPorts.pm and + /usr/share/shorewall-perl/Shorewall/Ports.pm have been removed. 
+ + Shorewall now resolves protocol and port names as using Perl's + interface to the the standard C library APIs getprotobyname() and + getservbyname(). + + Note 1: + + The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL', + 'icmp' and 'ICMP' are still resolved by Shorewall-perl + itself. + + Note 2: + + Those of you running Shorewall-perl under Cygwin may wish to + install "real" /etc/protocols and /etc/services files + in place of the symbolic links installed by Cygwin. + +8) The contents of the Shorewall::*::$VERSION variables are now a + V-string (e.g., 4.0.5) rather than an integer (e.g., 4.05). This is + only of interest for Perl programs that are using the modules and + specifying a minimum version (e.g., "use Shorewall::Config + 4.0.5;"). Each module continues to carry a separate version which + indicates the release of Shorewall-perl when the module was last + modified. + Migration Considerations: 1) Beginning with Shorewall 4.0.0, there is no single 'shorewall' 
@@ -334,15 +387,10 @@ Migration Considerations: This capability is in current distributions. - b) Now that Netfilter has features to deal reasonably with port lists, - I see no reason to duplicate those features in Shorewall. The - Bourne-shell compiler goes to great pain (in some cases) to - break very long port lists ( > 15 where port ranges in lists - count as two ports) into individual rules. In the new compiler, I'm - avoiding the ugliness required to do that. The new compiler just - generates an error if your list is too long. It will also produce - an error if you insert a port range into a port list and you don't - have extended multiport support. + b) Shorewall-perl does not attempt to break up SOURCE PORT(s) lists + longer than 15 ports (where a port range counts as two + ports). It also doesn't permit port ranges in a port list unless + the kernel and iptables support Extended Multiport Match. c) The old BRIDGING=Yes support has been replaced by new bridge support that uses the reduced 'physdev match' capabilities found @@ -439,7 +487,7 @@ Migration Considerations: - Otherwise, the rule is added to accounting only. - See http://www.shorewall.net/4.0/bridge-Shorewall-perl.html for + See http://www.shorewall.net/bridge-Shorewall-perl.html for additional information about the new bridge support. d) The BROADCAST column in the interfaces file is essentially unused; @@ -478,13 +526,20 @@ Migration Considerations: To add a rule to the chain: - add_rule( $chainref, ); + add_rule( $chainref, [, ] ); Where is a scalar argument holding the rule text. Do not include "-A " + is optional. If is + present and evaluates to True and if contains + a --dports list with more than 15 ports listed (each port + range counts as two ports), then add_rule() will break + into multiple rules, each having 15 or fewer + ports in its --dports list. + Example: add_rule( $chainref, '-j ACCEPT' ); 
@@ -525,11 +580,11 @@ Migration Considerations: my $chainref = $chain_table{'filter'}{'INPUT'}; - The continue script is eliminated. That script was designed to + The 'continue' script is eliminated. That script was designed to allow you to add special rules during [re]start. Shorewall-perl doesn't need such rules. - See http://www.shorewall.net/4.0/shorewall_extension_scripts.htm + See http://www.shorewall.net/shorewall_extension_scripts.htm for further information about extension scripts under Shorewall-perl. @@ -973,30 +1028,7 @@ Migration Considerations: the MARK/CLASSIFY column of /etc/shorewall/tcrules against the classes generated by /etc/shorewall/tcclasses. -10) During installation, Shorewall generates the Perl module - /usr/share/shorewall-perl/Shorewall/Ports.pm, using your - /etc/protocols and /etc/services as input. - - To re-generate the module from those two files: - - 1. Backup your current /usr/share/shorewall-perl/Shorewall/Ports.pm - file. - 2. /usr/share/shorewall-perl/buildports.pl > \ - /usr/share/shorewall-perl/Shorewall/Ports.pm - - Note: If the buildports.pl program fails to run to a successful - completion during installation, a fallback version of - module will be installed. That fallback module was generated from - the /etc/protocols and /etc/services shipped with Ubuntu Feisty - Fawn. - - Even if the buildports.pl program runs successfully, the fallback - module is also installed as - /usr/share/shorewall-perl/Shorewall/FallbackPorts.pm. So if you - encounter problems with the generated module, simply copy the - fallback module to /usr/share/shorewall-perl/Shorewall/Ports.pm. - -11) Tuomo Soini has contributed bi-directional macros for various +10) Tuomo Soini has contributed bi-directional macros for various tunnel types: IPsecah 
@@ -1006,13 +1038,13 @@ Migration Considerations: IPsecnat L2TP -12) The -f option is no longer the default when Shorewall is started at +11) The -f option is no longer the default when Shorewall is started at boot time (usually via /etc/init.d/shorewall). With Shorewall-perl, "shorewall start" is nearly as fast as "shorewall restore" and "shorewall start" uses the current configuration which avoids confusion. -13) The implementation of LITEDIR has always been +12) The implementation of LITEDIR has always been unsatisfactory. Furthermore, there have been other cases where people have asked to be able to designate the state directory (default /var/lib/shorewall[-lite]). 
@@ -1435,3 +1467,149 @@ Other Changes in 4.0.3 This feature requires Shorewall-perl 4.0.3 as well as Shorewall-common 4.0.3. + +Problems Corrected in Shorewall 4.0.4 + +1) If no interface had the 'blacklist' option, then when using + Shorewall-perl, the 'start' and 'restart' command failed: + + ERROR: No filter chain found with name blacklst + + New Shorewall-perl 4.0.3 packages were released that corrected this + problem; it is included here for completeness. + +2) If no interface had the 'blacklist' option, then when using + Shorewall-perl, the generated script would issue this harmless + message during 'shorewall refresh': + + chainlist_reload: Not found + +3) If /bin/sh was a light-weight shell such as ash or dash, then + 'shorewall refresh' failed. + +4) During start/restart, the script generated by Shorewall-perl was + clearing the proxy_arp flag on all interfaces; that is not the + documented behavior. + +5) If the module-init-tools package was not installed and + /etc/shorewall/modules did not exist or was non-empty, then + Shorewall-perl would fail with the message: + + ERROR: Can't run lsmod : /etc/shorewall/modules (line 0) + +6) Shorewall-perl now makes a compile-time check to insure that + iptables-restore exists and is executable. This check is made when + the compiler is being run by root and the -e option is not + given. + + Note that iptables-restore must reside in the same directory as the + iptables executable specified by IPTABLES in shorewall.conf or + located by the PATH in the event that IPTABLES is not specified. + +7) When using Shorewall-perl, if an action was invoked with more than + 10 different combinations of log-levels/tags, some of those + invocations would have incorrect logging. + +8) Previously, when 'shorewall restore' was executed, the + iptables-restore utility was always located using the PATH setting + rather than the IPTABLES setting. 
+ + With Shorewall-perl, the IPTABLES setting is now used to locate + this utility during 'restore' as it is during the processing of + other commands. + +9) Although the shorewall.conf manpage indicates that the value + 'internal' is allowed for TC_ENABLED, that value was previously + rejected ('Internal' was accepted). + +10) The meaning of the 'loose' provider option was accidentally reversed + in Shorewall-perl. Rather than causing certain routing rules to be + omitted when specified, it actually caused them to be added (these + rules were omitted when the option was NOT specified). + +11) If the 'bridge' option was specified on an interface but there were + no bport zones, then traffic originating on the firewall was not + passed through the accounting chain. + +12) In commands such as: + + shorewall compile + shorewall restart + shorewall check + + if the name of the contained a period ("."), then + Shorewall-perl would incorrectly substitute the current working + directory for the name. + +13) Previously, if the following sequence of routing rules was + specified, then the first rule would always be omitted. + + #SOURCE DEST PROVIDER PRIORITY + $SRC_A $DESTIP1 ISP1 1000 + $SRC_A $DESTIP2 SOMEISP 1000 + $SRC_A - ISP2 1000 + + The reason for this omission was that Shorewall uses a + delete-before-add approach and attempting to delete the third rule + resulted in the deletion of the first one instead. + + This problem occurred with both compilers. + +14) When using Shorewall-shell, provider numbers were not recognized in + the PROVIDER column of /etc/shorewall/route_rules. + +15) An off-by-one problem in Shorewall-perl caused the value 255 to be + rejected in the MARK column of /etc/shorewall/tcclasses. + +16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a + multiple of 256. That restriction was being enforced by + Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also + enforces this restriction. 
+ +17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT) + failed with an "Unknown interface" error when using Shorewall-perl. + +Other Changes in Shorewall 4.0.4 + +1) The detection of 'Repeat Match' has been improved. 'Repeat Match' + is not a match at all but rather is a feature of recent versions of + iptables that allows a particular match to be used multiple times + within a single rule. + + Example: + + -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ... + + When using Shorewall-shell, the availability of 'Repeat Match' can + speed up compilation very slightly. + +2) Apparently recent Fedora releases are broken. The + following sequence of commands demonstrates the problem: + + ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5 + ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main + ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000 + + The third command should fail but doesn't; instead, it incorrectly + removes the rule added by the first command. + + To work around this issue, you can set DELETE_THEN_ADD=No in + shorewall.conf which prevents Shorewall from deleting ip rules + before attempting to add a similar rule. + +3) When using Shorewall-perl, the following message is now issued if + the 'detectnets' option is specified in /etc/shorewall/interfaces: + + WARNING: Support for the 'detectnets' option will be removed from + Shorewall-perl in version 4.0.5; better to use 'routefilter' and + 'logmartians + + The 'detect' options has always been rather silly. On input, it + duplicates the function of 'routefilter'. On output, it is a no-op + since traffic that doesn't match a route out of an interface won't + be sent through that interface (duh!). + + Beginning with Shorewall 4.0.5, the warning message will read: + + WARNING: Support for the 'detectnets' option has been removed + diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall index 072be5b86..8c3290386 100755 
--- a/Shorewall-common/shorewall +++ b/Shorewall-common/shorewall @@ -118,6 +118,11 @@ # # Set the configuration variables from shorewall.conf # +# $1 = Yes: read the params file +# $2 = Yes: check for STARTUP_ENABLED +# $3 = Yes: Check for LOGFILE +# +# get_config() { ensure_config_path @@ -286,23 +291,16 @@ compiler() { # Both compilers installed. Read the appropriate shorewall.conf to learn the setting of SHOREWALL_COMPILER # if [ -n "$SHOREWALL_DIR" ]; then + shell=$SHOREWALL_SHELL + [ -x $pc ] && set -a run_user_exit params set +a haveparams=Yes - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - progress_message "Processing $config..." - . $config - else - startup_error "Cannot read $config (Hint: Are you root?)" - fi - else - startup_error "$config does not exist!" - fi + get_config No No No + + SHOREWALL_SHELL=$shell fi # # And initiate the appropriate compiler @@ -326,7 +324,7 @@ compiler() { # Perl compiler only takes the output file as a argument - [ "$1" = debug ] && shift; + [ "$1" = debug -o "$1" = trace ] && shift; [ "$1" = nolock ] && shift; shift @@ -334,7 +332,7 @@ compiler() { [ -n "$EXPORT" ] && options="$options --export " [ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR " [ -n "$TIMESTAMP" ] && options="$options --timestamp " - [ -n "$debugging" ] && options="$options --debug " + [ "$debugging" = trace ] && options="$options --debug " [ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS" [ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed" # @@ -1318,7 +1316,7 @@ usage() # $1 = exit status debugging= if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then - debugging=debug + debugging=$1 shift fi diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index 3d6951380..415ad0a78 100644 --- a/Shorewall-common/shorewall-common.spec 
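Review bot: The save/restore of SHOREWALL_SHELL around `get_config No No No` in compiler() is undocumented; presumably it keeps a value supplied by the caller from being clobbered by the secondary shorewall.conf in SHOREWALL_DIR, but as written it reads like dead code. Add `# Preserve SHOREWALL_SHELL: the caller's value must survive the secondary shorewall.conf read by get_config` above `shell=$SHOREWALL_SHELL`. The inline code this replaces failed with `Cannot read $config (Hint: Are you root?)` and `$config does not exist!`; get_config's body is outside this hunk, so confirm it still aborts with equivalent diagnostics rather than continuing with an unread config, since the comment says this read is what selects SHOREWALL_COMPILER. The `[ -x $pc ] && set -a` context line is still unquoted, but that predates this change.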
+++ b/Shorewall-common/shorewall-common.spec @@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.0.4 +%define version 4.0.5 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -240,6 +240,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Tue Oct 03 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.5-1 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.4-1 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf index d9f754829..5346ad8bc 100644 --- a/Shorewall-common/shorewall.conf +++ b/Shorewall-common/shorewall.conf @@ -169,6 +169,8 @@ KEEP_RT_TABLES=No DELETE_THEN_ADD=Yes +MULTICAST=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index 4e8ab18f6..ff7c89f18 100755 --- a/Shorewall-common/uninstall.sh +++ b/Shorewall-common/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.4 +VERSION=4.0.5 usage() # $1 = exit status { diff --git a/Shorewall-lite/README.txt b/Shorewall-lite/README.txt index 33a7ffc0a..3d9b39eca 100644 --- a/Shorewall-lite/README.txt +++ b/Shorewall-lite/README.txt @@ -1 +1 @@ -This is the Shorewall-lite Development 4.0 branch of SVN. +This is the Shorewall-lite Stable 4.0 branch of SVN. diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index 8b91879dd..80c6422d8 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.4 +VERSION=4.0.5 usage() # $1 = exit status { 
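Review bot: The new %changelog entry `* Tue Oct 03 2007 Tom Eastep tom@shorewall.net` has a weekday that does not match the date (3 October 2007 was a Wednesday), which makes rpmbuild emit a "bogus date in %changelog" warning for every build of this package. Change it to `* Wed Oct 03 2007 Tom Eastep tom@shorewall.net`, or to the actual release date if that differs. The same entry appears in Shorewall-lite/shorewall-lite.spec below and should be corrected there as well.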
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 3ab7763a1..fa8ac7dd3 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.4 +VERSION=4.0.5 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index 884be10f0..8d1baa0aa 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -383,7 +383,7 @@ usage() # $1 = exit status debugging= if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then - debugging=debug + debugging=$1 shift fi diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 2aa11dc60..6f7e2bbfe 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.0.4 +%define version 4.0.5 %define release 1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -98,6 +98,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Tue Oct 03 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.5-1 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.4-1 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index 2968cd0ab..9990b22f5 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.4 +VERSION=4.0.5 usage() # $1 = exit status { diff --git a/Shorewall-perl/README.txt b/Shorewall-perl/README.txt index 54ed2701b..fe6c514c9 100644 --- a/Shorewall-perl/README.txt +++ b/Shorewall-perl/README.txt @@ -1,2 +1,2 @@ -This is the Shorewall-perl Development 4.0 branch of SVN. +This is the Shorewall-perl Stable 4.0 branch of SVN. 
diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm index a954cc13c..23181af72 100644 --- a/Shorewall-perl/Shorewall/Accounting.pm +++ b/Shorewall-perl/Shorewall/Accounting.pm @@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_accounting ); our @EXPORT_OK = qw( ); -our $VERSION = '4.03'; +our $VERSION = 4.0.3; # # Initialize globals -- we take this novel approach to globals initialization to allow diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm index 4f4422bcb..b5f8b5e60 100644 --- a/Shorewall-perl/Shorewall/Actions.pm +++ b/Shorewall-perl/Shorewall/Actions.pm @@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels %macros ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.04'; +our $VERSION = 4.0.4; # # Used Actions. Each action that is actually used has an entry with value 1. diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 9520c5987..06c5d0673 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -28,7 +28,6 @@ package Shorewall::Chains; require Exporter; use Shorewall::Config; -use Shorewall::Ports; use Shorewall::Zones; use Shorewall::IPAddrs; @@ -88,6 +87,7 @@ our @EXPORT = qw( STANDARD setup_zone_mss newexclusionchain clearrule + validate_portrange do_proto mac_match verify_mark @@ -126,7 +126,7 @@ our @EXPORT = qw( STANDARD %targets ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.04'; +our $VERSION = 4.0.5; # # Chain Table @@ -135,7 +135,8 @@ our $VERSION = '4.04'; # table => # is_policy => 0|1 # is_optional => 0|1 -# referenced => 0|1 +# referenced => 0|1 -- If 1, will be written to the iptables-restore-input. +# builtin => 0|1 -- If 1, one of Netfilter's built-in chains. # log => # policy => # policychain => -- self-reference if this is a policy chain 
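Review bot: `our $VERSION = 4.0.3;` in Accounting.pm replaces a quoted version string with a bare three-part literal, which Perl parses as a v-string (the characters chr(4), chr(0), chr(3)) rather than the text "4.0.3". Module VERSION checks cope with v-strings on modern perls, but the value prints as control characters, and anything that compares `$VERSION` numerically or scrapes it from the source will see something other than 4.0.3; `our $VERSION = '4.0.3';` keeps the old behaviour with the new numbering. The same change appears in Actions.pm, Chains.pm, Compiler.pm, Config.pm, IPAddrs.pm, Nat.pm, Policy.pm, Proc.pm, Providers.pm, Proxyarp.pm and Rules.pm further down, so whatever form is chosen should be applied to all of them.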
@@ -370,17 +371,9 @@ sub mark_referenced( $ ) { $_[0]->{referenced} = 1; } -# -# Add a rule to a chain. Arguments are: -# -# Chain reference , Rule -# -sub add_rule($$) -{ +sub push_rule( $$ ) { my ($chainref, $rule) = @_; - $iprangematch = 0; - $rule .= qq( -m comment --comment "$comment") if $comment; if ( $chainref->{cmdlevel} ) { @@ -392,6 +385,63 @@ sub add_rule($$) } } +# +# Add a rule to a chain. Arguments are: +# +# Chain reference , Rule [, Expand-long-dest-port-lists ] +# +sub add_rule($$;$) +{ + my ($chainref, $rule, $expandports) = @_; + + $iprangematch = 0; + # + # Pre-processing the port lists as was done in Shorewall-shell results in port-list + # processing driving the rest of rule generation. + # + # By post-processing each rule generated by expand_rule(), we avoid all of that + # messiness and replace it with the following localized messiness. + # + # Because source ports are seldom specified and source port lists are rarer still, + # we only worry about the destination ports. + # + if ( $expandports && $rule =~ '^(.* --dports\s+)([^ ]+)(.*)$' ) { + my ($first, $ports, $rest) = ( $1, $2, $3 ); + + if ( ( $ports =~ tr/:,/:,/ ) > 15 ) { + my @ports = split '([,:])', $ports; + + while ( @ports ) { + my $count = 0; + my $newports = ''; + + while ( @ports && $count < 15 ) { + my ($port, $separator) = ( shift @ports, shift @ports ); + + $separator ||= ''; + + if ( ++$count == 15 ) { + if ( $separator eq ':' ) { + unshift @ports, $port, ':'; + last; + } else { + $newports .= $port; + } + } else { + $newports .= "${port}${separator}"; + } + } + + push_rule ( $chainref, join( '', $first, $newports, $rest ) ); + } + } else { + push_rule ( $chainref, $rule ); + } + } else { + push_rule ( $chainref, $rule ); + } +} + # # Insert a rule into a chain. Arguments are: # @@ -503,7 +553,7 @@ sub dynamic_chains( $ ) #$1 = interface { my $c = chain_base_cond($_[0]); - [ $c . '_dyni' , $c . '_dynf' , $c . '_dyno' ]; + ( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' ); } # 
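Review bot: The split threshold `if ( ( $ports =~ tr/:,/:,/ ) > 15 )` in the new add_rule looks off by one: a list with 15 separators has 16 elements, which already exceeds the 15-entry limit the inner loop (`$count < 15`) enforces, yet it is not split and reaches iptables-restore unchanged. Because the compile-time `Too many entries in port list` check for destination ports is dropped from do_proto in this same commit, such a rule now fails at load time instead; `if ( ( $ports =~ tr/:,/:,/ ) > 14 ) {` keeps every chunk within the limit, unless I have miscounted the element/separator relation. The pattern is also written as a single-quoted string, `$rule =~ '^(.* --dports\s+)([^ ]+)(.*)$'`, which works only because `\s` survives single quotes; `m{ ^ (.* --dports\s+) ([^ ]+) (.*) $ }x` says what it is. The greedy `.*` binds to the last `--dports` in the rule, which is fine as long as a rule carries at most one, and that assumption is worth a comment.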
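Review bot: dynamic_chains now returns a list instead of an array reference, and first_chains gets the same treatment in the next hunk; first_chains' callers in Rules.pm are updated further down, but no caller of dynamic_chains is touched anywhere in this diff, so any remaining `@{ dynamic_chains $interface }` call would now try to dereference the first chain name and die under strict refs. Worth grepping the rest of the tree for dynamic_chains before merging, and a short comment on the sub (`# Returns the list ( input, forward, output ) of dynamic chain names for the interface`) would document the new contract.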
@@ -537,7 +587,7 @@ sub first_chains( $ ) #$1 = interface { my $c = chain_base_cond($_[0]); - [ $c . '_fwd', $c . '_in' ]; + ( $c . '_fwd', $c . '_in' ); } # 
@@ -759,36 +809,57 @@ sub clearrule() { $iprangematch = 0; } -sub validate_proto( $ ) { +# +# Resolve the contents of the PROTO column. +# + +our %nametoproto = ( all => 0, ALL => 0, icmp => 1, ICMP => 1, tcp => 6, TCP => 6, udp => 17, UDP => 17 ); +our @prototoname = ( 'all', 'icmp', '', '', '', '', 'tcp', '', '', '', '', '', '', '', '', '', '', 'udp' ); + +# +# Returns the protocol number if the passed argument is a valid protocol number or name. Returns undef otherwise +# +sub resolve_proto( $ ) { my $proto = $_[0]; - my $value = $protocols{$proto}; - return $value if defined $value; - return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535; - return $proto if $proto eq 'all'; - fatal_error "Invalid/Unknown protocol ($proto)"; + my $number; + + $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto; } -sub validate_portpair( $ ) { - my $portpair = $_[0]; +sub proto_name( $ ) { + my $proto = $_[0]; + + $proto =~ /^(\d+)$/ ? 
$prototoname[ $proto ] || scalar getprotobynumber $proto : $proto +} + +sub validate_port( $$ ) { + my ($proto, $port) = @_; + + my $value; + + if ( $port =~ /^(\d+)$/ ) { + return $port if $port <= 65535; + } else { + $proto = getprotobyname $proto if $proto =~ /^(\d+)$/; + $value = getservbyname( $port, $proto ); + } + + fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value; + + $value; +} + +sub validate_portpair( $$ ) { + my ($proto, $portpair) = @_; fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1; $portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':'; $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':'; - my @ports = split/:/, $portpair, 2; + my @ports = split /:/, $portpair, 2; - for my $port ( @ports ) { - my $value = $services{$port}; - - unless ( defined $value ) { - $value = $port if $port =~ /^(\d+)$/ && $port <= 65535; - } - - fatal_error "Invalid/Unknown port/service ($port)" unless defined $value; - - $port = $value; - } + $_ = validate_port( $proto, $_) for ( @ports ); if ( @ports == 2 ) { fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1]; 
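Review bot: In validate_port, the numeric-protocol branch `$proto = getprotobyname $proto if $proto =~ /^(\d+)$/;` looks a protocol up by name using a number, which yields undef, so the following `getservbyname( $port, $proto )` runs with an undefined protocol; the intent is evidently the reverse mapping, `$proto = scalar getprotobynumber $proto if $proto =~ /^(\d+)$/;` (getprotobynumber in scalar context returns the name). The current callers appear to pass a name already (validate_port_list and validate_portrange go through proto_name first), which is probably why this has not surfaced. Separately, resolve_proto accepts any number up to 65535, but the IP protocol field is one octet, so `$proto <= 255` would reject impossible values at compile time rather than at iptables-restore time. The `$` anchors in these patterns also admit a trailing newline; `\z` is the strict form.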
@@ -798,17 +869,38 @@ sub validate_portpair( $ ) { } -sub validate_port_list( $ ) { +sub validate_portrange( $$ ) { + my ($proto, $portpair) = @_; + + if ( $portpair =~ tr/-/-/ > 1 || substr( $portpair, 0, 1 ) eq '-' || substr( $portpair, -1, 1 ) eq '-' ) { + fatal_error "Invalid port range ($portpair)"; + } + + my @ports = split /-/, $portpair, 2; + + $_ = validate_port( proto_name( $proto ), $_) for ( @ports ); + + if ( @ports == 2 ) { + fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1]; + } + + join '-', @ports; + +} + +sub validate_port_list( $$ ) { my $result = ''; - my $list = $_[0]; + my ( $proto, $list ) = @_; my @list = split/,/, $list; if ( @list > 1 && $list =~ /:/ ) { require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' ); } + $proto = proto_name $proto; + for ( @list ) { - my $value = validate_portpair( $_ ); + my $value = validate_portpair( $proto , $_ ); $result = $result ? join ',', $result, $value : $value; } 
@@ -886,65 +978,93 @@ sub do_proto( $$$ ) $ports = '' if $ports eq '-'; $sports = '' if $sports eq '-'; - if ( $proto ) { - if ( $proto =~ /^(((tcp|6)((:syn)?))|(udp|17))$/ ) { + if ( $proto ne '' ) { + + my $synonly = ( $proto =~ s/:syn$//i ); - if ( $4 ) { - $output = '-p 6 --syn '; - } else { - $proto = $protocols{$proto} if defined $protocols{$proto}; + my $protonum = resolve_proto $proto; + + if ( defined $protonum ) { + # + # Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent + # + my $pname = proto_name( $proto = $protonum ); + # + # $proto now contains the protocol number and $pname contains the canonical name of the protocol + # + unless ( $synonly ) { $output = "-p $proto "; - } - - my $multiport = 0; - - if ( $ports ne '' ) { - if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { - fatal_error "Port list requires Multiport support in your kernel/iptables ($ports)" unless $capabilities{MULTIPORT}; - fatal_error "Too many entries in port list ($ports)" if port_count( $ports ) > 15; - $ports = validate_port_list $ports; - $output .= "-m multiport --dports $ports "; - $multiport = 1; - } else { - $ports = validate_portpair $ports; - $output .= "--dport $ports "; - } } else { - $multiport = ( ( $sports =~ tr/,/,/ ) > 0 ); + fatal_error '":syn" is only allowed with tcp' unless $proto == TCP; + $output = "-p $proto --syn "; } - if ( $sports ne '' ) { - if ( $multiport ) { - fatal_error "Too many entries in port list ($sports)" if port_count( $sports ) > 15; - $sports = validate_port_list $sports; - $output .= "-m multiport --sports $sports "; - } else { - $sports = validate_portpair $sports; - $output .= "--sport $sports "; - } - } - } elsif ( $proto =~ /^(icmp|1)$/i ) { - fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; - $output .= "-p icmp "; + PROTO: + { - if ( $ports ne '' ) { - $ports = validate_icmp $ports; - $output .= "--icmp-type $ports "; - } + if ( $proto == TCP || $proto == UDP ) { + my 
$multiport = 0; + + if ( $ports ne '' ) { + if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { + fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT}; + $ports = validate_port_list $pname , $ports; + $output .= "-m multiport --dports $ports "; + $multiport = 1; + } else { + $ports = validate_portpair $pname , $ports; + $output .= "--dport $ports "; + } + } else { + $multiport = ( ( $sports =~ tr/,/,/ ) > 0 ); + } + + if ( $sports ne '' ) { + if ( $multiport ) { + fatal_error "Too many entries in SOURCE PORT(S) list" if port_count( $sports ) > 15; + $sports = validate_port_list $pname , $sports; + $output .= "-m multiport --sports $sports "; + } else { + $sports = validate_portpair $pname , $sports; + $output .= "--sport $sports "; + } + } + + last PROTO; } + + if ( $proto == ICMP ) { + if ( $ports ne '' ) { + fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/; + $ports = validate_icmp $ports; + $output .= "--icmp-type $ports "; + } + + fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ''; + + last PROTO; } + + fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne ''; + + } # PROTO - fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ''; - } elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) { - require_capability( 'IPP2P_MATCH' , 'PROTO = ipp2p' , 's' ); - $proto = $2 ? $3 : 'tcp'; - $ports = 'ipp2p' unless $ports; - $output .= "-p $proto -m ipp2p --$ports "; } else { - fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $proto" if $ports ne '' || $sports ne ''; - $proto = validate_proto $proto; - $output .= "-p $proto "; + fatal_error '":syn" is only allowed with tcp' if $synonly; + + if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) { + my $p = $2 ? 
lc $3 : 'tcp'; + require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' ); + $proto = "-p $nametoproto{$p} "; + $ports = 'ipp2p' unless $ports; + $output .= "${proto}-m ipp2p --$ports "; + } else { + fatal_error "Invalid/Unknown protocol ($proto)" + } } - } elsif ( $ports ne '' || $sports ne '' ) { - fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" + } else { + # + # No protocol + # + fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne ''; } $output; @@ -1251,6 +1371,8 @@ sub log_rule_limit( $$$$$$$$ ) { return 1 if $level eq ''; + $predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' '; + unless ( $predicates =~ /-m limit / ) { $limit = $globals{LOGLIMIT} unless $limit && $limit ne '-'; $predicates .= $limit if $limit; @@ -1284,10 +1406,8 @@ sub log_rule_limit( $$$$$$$$ ) { $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" "; } - $predicates .= ' ' if $predicates && substr( $predicates, -1, 1 ) ne ' '; - if ( $command eq 'add' ) { - add_rule ( $chainref, $predicates . $prefix ); + add_rule ( $chainref, $predicates . $prefix , 1 ); } else { insert_rule ( $chainref , 1 , $predicates . $prefix ); } @@ -1702,7 +1822,7 @@ sub expand_rule( $$$$$$$$$$ ) # # We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE} # - add_rule $chainref, join( '', $rule, match_source_net( $inet), match_dest_net( $dnet ), $onet, "-j $echain" ); + add_rule( $chainref, join( '', $rule, match_source_net( $inet), match_dest_net( $dnet ), $onet, "-j $echain" ), 1 ); } } } @@ -1725,7 +1845,7 @@ sub expand_rule( $$$$$$$$$$ ) # # Generate Final Rule # - add_rule( $echainref, $exceptionrule . $target ) unless $disposition eq 'LOG'; + add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG'; } else { # # No exclusions 
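Review bot: do_proto keeps the `Too many entries in SOURCE PORT(S) list` check for source ports but drops the equivalent check for destination ports, so an over-long `--dports` list is now handled only if the rule later reaches add_rule with the new third argument set; the add_rule calls changed in this commit pass it, but any other caller of do_proto that still calls add_rule with two arguments (not visible here) would emit a rule that iptables-restore rejects. A comment at the multiport branch, `# long --dports lists are split by add_rule( ..., 1 ); every caller must pass the expand flag`, would record that dependency. The ipp2p branch maps `all` to `-p 0` via `%nametoproto`, which iptables treats as "any protocol"; a brief comment there would save the next reader a lookup. do_proto's signature and header are outside the hunk.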
@@ -1750,9 +1870,10 @@ sub expand_rule( $$$$$$$$$$ ) } unless ( $disposition eq 'LOG' ) { - add_rule - $chainref, - join( '', $rule, match_source_net ($inet), match_dest_net( $dnet ), $onet, $target ); + add_rule( + $chainref, + join( '', $rule, match_source_net ($inet), match_dest_net( $dnet ), $onet, $target ) , + 1 ); } } } @@ -1968,9 +2089,11 @@ sub create_netfilter_load() { # emit( 'exec 3>&-', '', - 'progress_message2 "Running iptables-restore..."', + '[ -n "$DEBUG" ] && command=debug_restore_input || command=$IPTABLES_RESTORE', '', - 'cat ${VARDIR}/.iptables-restore-input | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux', + 'progress_message2 "Running $command..."', + '', + 'cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux', 'if [ $? != 0 ]; then', ' fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"', "fi\n" diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index 95576d7c5..e1e70ed51 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -41,7 +41,7 @@ use Shorewall::Proxyarp; our @ISA = qw(Exporter); our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG ); our @EXPORT_OK = qw( $export ); -our $VERSION = '4.04'; +our $VERSION = 4.0.4; our $export; 
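Review bot: The generated `[ -n "$DEBUG" ] && command=debug_restore_input || command=$IPTABLES_RESTORE` in create_netfilter_load makes the choice between loading the ruleset and the debug path depend on a very generic variable name; where `DEBUG` is set is not visible here, and if it can be inherited from the invoking environment rather than set by the script's own trace handling, a plain `start` would run debug_restore_input and leave the firewall unloaded. Using a script-specific name, or clearing the variable at the top of the generated script, would make this robust. The failure message still names iptables-restore whichever command ran; `' fatal_error "$command Failed. Input is in ${VARDIR}/.iptables-restore-input"',` reports the one that actually failed. create_netfilter_load begins outside the hunk.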
@@ -485,11 +485,12 @@ EOF # parsing routines that are called directly out of 'compiler()'. # # We create two separate functions rather than one so that the -# define_firewall() shell can set global IP configuration variables +# define_firewall() shell function can set global IP configuration variables # after the old config has been cleared and before we start instantiating # the new config. That way, the variables reflect the way that the # distribution's tools have configured IP without any Shorewall -# modifications. +# modifications and the firewall configuration is the same after +# 'restart' as it is after 'start'. # # Note: This function is not called when $command eq 'check'. So it must have no side effects other # than those related to writing to the object file. diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 296b583ba..0990b8ed5 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -94,7 +94,7 @@ our @EXPORT = qw( %capabilities ); our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path ); -our $VERSION = '4.04'; +our $VERSION = 4.0.5; # # describe the current command, it's present progressive, and it's completion. @@ -230,7 +230,7 @@ sub initialize() { ORIGINAL_POLICY_MATCH => '', LOGPARMS => '', TC_SCRIPT => '', - VERSION => '4.0.4', + VERSION => '4.0.5', CAPVERSION => 40003 , ); # @@ -552,8 +552,14 @@ sub copy( $ ) { open IF , $file or fatal_error "Unable to open $file: $!"; while ( ) { - s/^/$indent/ if $indent; - print $object $_; + if ( /^\s*$/ ) { + print $object "\n" unless $lastlineblank; + $lastlineblank = 1; + } else { + s/^/$indent/ if $indent; + print $object $_; + $lastlineblank = 0; + } } close IF; 
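Review bot: The new blank-line folding in copy() uses `$lastlineblank` without a declaration inside the hunk; copy() starts outside it, so if the variable is not declared above, `use strict` rejects it, and if it is declared at file scope it would carry state from one copy() call into the next. Adding `my $lastlineblank = 0;` immediately before the `while` loop makes the intent unambiguous either way. A comment such as `# collapse runs of blank lines in the copied file to a single newline` would also help, since the folding is a deliberate change to the generated output.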
@@ -1468,7 +1474,7 @@ sub get_configuration( $ ) { default_yes_no 'EXPAND_POLICIES' , ''; default_yes_no 'KEEP_RT_TABLES' , ''; default_yes_no 'DELETE_THEN_ADD' , 'Yes'; - default_yes_no 'MULTICAST ' , ''; + default_yes_no 'MULTICAST' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; diff --git a/Shorewall-perl/Shorewall/FallbackPorts.pm b/Shorewall-perl/Shorewall/FallbackPorts.pm deleted file mode 100644 index d647a0825..000000000 --- a/Shorewall-perl/Shorewall/FallbackPorts.pm +++ /dev/null 
@@ -1,518 +0,0 @@ -# -# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Ports.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007 - Tom Eastep (teastep@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module exports the %protocols and %services hashes built from -# /etc/protocols and /etc/services respectively. 
-# -# Module generated using buildports.pl 4.0.0-Beta7 - Fri Jun 29 14:10:45 2007 -# -package Shorewall::Ports; - -use strict; -use warnings; - -our @ISA = qw(Exporter); -our @EXPORT = qw( %protocols %services ); -our @EXPORT_OK = qw(); -our $VERSION = '4.00'; - -our %protocols = ( - ip => 0, - IP => 0, - icmp => 1, - ICMP => 1, - igmp => 2, - IGMP => 2, - ggp => 3, - GGP => 3, - ipencap => 4, - 'IP-ENCAP' => 4, - st => 5, - ST => 5, - tcp => 6, - TCP => 6, - egp => 8, - EGP => 8, - igp => 9, - IGP => 9, - pup => 12, - PUP => 12, - udp => 17, - UDP => 17, - hmp => 20, - HMP => 20, - 'xns-idp' => 22, - 'XNS-IDP' => 22, - rdp => 27, - RDP => 27, - 'iso-tp4' => 29, - 'ISO-TP4' => 29, - xtp => 36, - XTP => 36, - ddp => 37, - DDP => 37, - 'idpr-cmtp' => 38, - 'IDPR-CMTP' => 38, - ipv6 => 41, - IPv6 => 41, - 'ipv6-route' => 43, - 'IPv6-Route' => 43, - 'ipv6-frag' => 44, - 'IPv6-Frag' => 44, - idrp => 45, - IDRP => 45, - rsvp => 46, - RSVP => 46, - gre => 47, - GRE => 47, - esp => 50, - 'IPSEC-ESP' => 50, - ah => 51, - 'IPSEC-AH' => 51, - skip => 57, - SKIP => 57, - 'ipv6-icmp' => 58, - 'IPv6-ICMP' => 58, - 'ipv6-nonxt' => 59, - 'IPv6-NoNxt' => 59, - 'ipv6-opts' => 60, - 'IPv6-Opts' => 60, - rspf => 73, - RSPF => 73, - CPHB => 73, - vmtp => 81, - VMTP => 81, - eigrp => 88, - EIGRP => 88, - ospf => 89, - OSPFIGP => 89, - 'ax.25' => 93, - 'AX.25' => 93, - ipip => 94, - IPIP => 94, - etherip => 97, - ETHERIP => 97, - encap => 98, - ENCAP => 98, - pim => 103, - PIM => 103, - ipcomp => 108, - IPCOMP => 108, - vrrp => 112, - VRRP => 112, - l2tp => 115, - L2TP => 115, - isis => 124, - ISIS => 124, - sctp => 132, - SCTP => 132, - fc => 133, - FC => 133, - ); - -our %services = ( - tcpmux => 1, - echo => 7, - discard => 9, - sink => 9, - null => 9, - systat => 11, - users => 11, - daytime => 13, - netstat => 15, - qotd => 17, - quote => 17, - msp => 18, - chargen => 19, - ttytst => 19, - source => 19, - 'ftp-data' => 20, - ftp => 21, - fsp => 21, - fspd => 21, - ssh => 22, - 
telnet => 23, - smtp => 25, - mail => 25, - time => 37, - timserver => 37, - rlp => 39, - resource => 39, - nameserver => 42, - name => 42, - whois => 43, - nicname => 43, - tacacs => 49, - 're-mail-ck' => 50, - domain => 53, - mtp => 57, - 'tacacs-ds' => 65, - bootps => 67, - bootpc => 68, - tftp => 69, - gopher => 70, - rje => 77, - netrjs => 77, - finger => 79, - www => 80, - http => 80, - link => 87, - ttylink => 87, - kerberos => 88, - kerberos5 => 88, - krb5 => 88, - 'kerberos-sec' => 88, - supdup => 95, - hostnames => 101, - hostname => 101, - 'iso-tsap' => 102, - tsap => 102, - 'acr-nema' => 104, - dicom => 104, - 'csnet-ns' => 105, - 'cso-ns' => 105, - rtelnet => 107, - pop2 => 109, - postoffice => 109, - 'pop-2' => 109, - pop3 => 110, - 'pop-3' => 110, - sunrpc => 111, - portmapper => 111, - auth => 113, - authentication => 113, - tap => 113, - ident => 113, - sftp => 115, - 'uucp-path' => 117, - nntp => 119, - readnews => 119, - untp => 119, - ntp => 123, - pwdgen => 129, - 'loc-srv' => 135, - epmap => 135, - 'netbios-ns' => 137, - 'netbios-dgm' => 138, - 'netbios-ssn' => 139, - imap2 => 143, - imap => 143, - snmp => 161, - 'snmp-trap' => 162, - snmptrap => 162, - 'cmip-man' => 163, - 'cmip-agent' => 164, - mailq => 174, - xdmcp => 177, - nextstep => 178, - NeXTStep => 178, - NextStep => 178, - bgp => 179, - prospero => 191, - irc => 194, - smux => 199, - 'at-rtmp' => 201, - 'at-nbp' => 202, - 'at-echo' => 204, - 'at-zis' => 206, - qmtp => 209, - z3950 => 210, - wais => 210, - ipx => 213, - imap3 => 220, - pawserv => 345, - zserv => 346, - fatserv => 347, - rpc2portmap => 369, - codaauth2 => 370, - clearcase => 371, - Clearcase => 371, - ulistserv => 372, - ldap => 389, - imsp => 406, - https => 443, - snpp => 444, - 'microsoft-ds' => 445, - kpasswd => 464, - saft => 487, - isakmp => 500, - rtsp => 554, - nqs => 607, - 'npmp-local' => 610, - dqs313_qmaster => 610, - 'npmp-gui' => 611, - dqs313_execd => 611, - 'hmmp-ind' => 612, - dqs313_intercell => 612, 
- ipp => 631, - exec => 512, - biff => 512, - comsat => 512, - login => 513, - who => 513, - whod => 513, - shell => 514, - cmd => 514, - syslog => 514, - printer => 515, - spooler => 515, - talk => 517, - ntalk => 518, - route => 520, - router => 520, - routed => 520, - timed => 525, - timeserver => 525, - tempo => 526, - newdate => 526, - courier => 530, - rpc => 530, - conference => 531, - chat => 531, - netnews => 532, - netwall => 533, - gdomap => 538, - uucp => 540, - uucpd => 540, - klogin => 543, - kshell => 544, - krcmd => 544, - afpovertcp => 548, - remotefs => 556, - rfs_server => 556, - rfs => 556, - nntps => 563, - snntp => 563, - submission => 587, - ldaps => 636, - tinc => 655, - silc => 706, - 'kerberos-adm' => 749, - webster => 765, - rsync => 873, - 'ftps-data' => 989, - ftps => 990, - telnets => 992, - imaps => 993, - ircs => 994, - pop3s => 995, - socks => 1080, - proofd => 1093, - rootd => 1094, - openvpn => 1194, - rmiregistry => 1099, - kazaa => 1214, - nessus => 1241, - lotusnote => 1352, - lotusnotes => 1352, - 'ms-sql-s' => 1433, - 'ms-sql-m' => 1434, - ingreslock => 1524, - 'prospero-np' => 1525, - datametrics => 1645, - 'old-radius' => 1645, - 'sa-msg-port' => 1646, - 'old-radacct' => 1646, - kermit => 1649, - l2f => 1701, - l2tp => 1701, - radius => 1812, - 'radius-acct' => 1813, - radacct => 1813, - msnp => 1863, - 'unix-status' => 1957, - 'log-server' => 1958, - remoteping => 1959, - nfs => 2049, - 'rtcm-sc104' => 2101, - cvspserver => 2401, - venus => 2430, - 'venus-se' => 2431, - codasrv => 2432, - 'codasrv-se' => 2433, - mon => 2583, - dict => 2628, - gpsd => 2947, - gds_db => 3050, - icpv2 => 3130, - icp => 3130, - mysql => 3306, - nut => 3493, - distcc => 3632, - daap => 3689, - svn => 3690, - subversion => 3690, - iax => 4569, - 'radmin-port' => 4899, - rfe => 5002, - mmcc => 5050, - sip => 5060, - 'sip-tls' => 5061, - aol => 5190, - 'xmpp-client' => 5222, - 'jabber-client' => 5222, - 'xmpp-server' => 5269, - 'jabber-server' => 
5269, - cfengine => 5308, - postgresql => 5432, - postgres => 5432, - x11 => 6000, - 'x11-0' => 6000, - 'x11-1' => 6001, - 'x11-2' => 6002, - 'x11-3' => 6003, - 'x11-4' => 6004, - 'x11-5' => 6005, - 'x11-6' => 6006, - 'x11-7' => 6007, - 'gnutella-svc' => 6346, - 'gnutella-rtr' => 6347, - 'afs3-fileserver' => 7000, - bbs => 7000, - 'afs3-callback' => 7001, - 'afs3-prserver' => 7002, - 'afs3-vlserver' => 7003, - 'afs3-kaserver' => 7004, - 'afs3-volser' => 7005, - 'afs3-errors' => 7006, - 'afs3-bos' => 7007, - 'afs3-update' => 7008, - 'afs3-rmtsys' => 7009, - 'font-service' => 7100, - xfs => 7100, - 'bacula-dir' => 9101, - 'bacula-fd' => 9102, - 'bacula-sd' => 9103, - amanda => 10080, - hkp => 11371, - bprd => 13720, - bpdbm => 13721, - 'bpjava-msvc' => 13722, - vnetd => 13724, - bpcd => 13782, - vopied => 13783, - wnn6 => 22273, - kerberos4 => 750, - 'kerberos-iv' => 750, - kdc => 750, - kerberos_master => 751, - passwd_server => 752, - krb_prop => 754, - krb5_prop => 754, - hprop => 754, - krbupdate => 760, - kreg => 760, - swat => 901, - kpop => 1109, - knetd => 2053, - 'zephyr-srv' => 2102, - 'zephyr-clt' => 2103, - 'zephyr-hm' => 2104, - eklogin => 2105, - kx => 2111, - iprop => 2121, - supfilesrv => 871, - supfiledbg => 1127, - linuxconf => 98, - poppassd => 106, - ssmtp => 465, - smtps => 465, - moira_db => 775, - moira_update => 777, - moira_ureg => 779, - spamd => 783, - omirr => 808, - omirrd => 808, - customs => 1001, - skkserv => 1178, - predict => 1210, - rmtcfg => 1236, - wipld => 1300, - xtel => 1313, - xtelw => 1314, - support => 1529, - sieve => 2000, - cfinger => 2003, - ndtp => 2010, - frox => 2121, - ninstall => 2150, - zebrasrv => 2600, - zebra => 2601, - ripd => 2602, - ripngd => 2603, - ospfd => 2604, - bgpd => 2605, - ospf6d => 2606, - ospfapi => 2607, - isisd => 2608, - afbackup => 2988, - afmbackup => 2989, - xtell => 4224, - fax => 4557, - hylafax => 4559, - distmp3 => 4600, - munin => 4949, - lrrd => 4949, - 'enbd-cstatd' => 5051, - 
'enbd-sstatd' => 5052, - pcrd => 5151, - noclog => 5354, - hostmon => 5355, - rplay => 5555, - rptp => 5556, - nsca => 5667, - mrtd => 5674, - bgpsim => 5675, - canna => 5680, - 'sane-port' => 6566, - sane => 6566, - saned => 6566, - ircd => 6667, - 'zope-ftp' => 8021, - webcache => 8080, - tproxy => 8081, - omniorb => 8088, - 'clc-build-daemon' => 8990, - xinetd => 9098, - mandelspawn => 9359, - mandelbrot => 9359, - zope => 9673, - kamanda => 10081, - amandaidx => 10082, - amidxtape => 10083, - smsqp => 11201, - xpilot => 15345, - 'sgi-cmsd' => 17001, - 'sgi-crsd' => 17002, - 'sgi-gcd' => 17003, - 'sgi-cad' => 17004, - isdnlog => 20011, - vboxd => 20012, - binkp => 24554, - asp => 27374, - csync2 => 30865, - dircproxy => 57000, - tfido => 60177, - fido => 60179, - ); - -1; diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm index c086c5b21..c8154e6d1 100644 --- a/Shorewall-perl/Shorewall/IPAddrs.pm +++ b/Shorewall-perl/Shorewall/IPAddrs.pm @@ -30,6 +30,9 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( ALLIPv4 + TCP + UDP + ICMP validate_address validate_net @@ -40,14 +43,14 @@ our @EXPORT = qw( ALLIPv4 rfc1918_neworks ); our @EXPORT_OK = qw( ); -our $VERSION = '4.04'; +our $VERSION = 4.0.5; # # Some IPv4 useful stuff # our @allipv4 = ( '0.0.0.0/0' ); -use constant { ALLIPv4 => '0.0.0.0/0' }; +use constant { ALLIPv4 => '0.0.0.0/0' , ICMP => 1, TCP => 6, UDP => 17 }; our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); @@ -141,8 +144,9 @@ sub ip_range_explicit( $ ) { my $first = decodeaddr $low; my $last = decodeaddr $high; + my $diff = $last - $first; - fatal_error "Invalid IP Range ($range)" unless $first <= $last; + fatal_error "Invalid IP Range ($range)" unless $diff >= 0 && $diff <= 256; while ( ++$first <= $last ) { push @result, encodeaddr( $first ); diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm index 321a7bcbd..9f6f47ae6 100644 
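Review bot: The new `$diff <= 256` cap in ip_range_explicit is a sensible guard against expanding a huge range into thousands of rules, but it reuses the `Invalid IP Range` message, so a user with a legitimately large range gets no hint about what is wrong. Splitting it into `fatal_error "Invalid IP Range ($range)" unless $diff >= 0;` followed by `fatal_error "IP Range too large, at most 256 addresses ($range)" if $diff > 256;` would help; note that `$diff <= 256` admits 257 addresses inclusive, so the message and a comment should state which limit is meant. The TCP/UDP/ICMP constants added here duplicate the values hard-coded in `%nametoproto` in Chains.pm; building that hash from these constants would keep the two from drifting. ip_range_explicit's start is outside the hunk.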
--- a/Shorewall-perl/Shorewall/Nat.pm +++ b/Shorewall-perl/Shorewall/Nat.pm @@ -36,7 +36,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses ); our @EXPORT_OK = (); -our $VERSION = '4.03'; +our $VERSION = 4.0.3; our @addresses_to_add; our %addresses_to_add; diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index ebd0aaa0c..4f10b0848 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm @@ -34,7 +34,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains ); our @EXPORT_OK = qw( ); -our $VERSION = '4.03'; +our $VERSION = 4.0.5; # @policy_chains is a list of references to policy chains in the filter table @@ -333,6 +333,12 @@ sub validate_policy() print_policy $client, $server, $policy, $chain; } } + + for $zone ( all_zones ) { + for my $zone1 ( all_zones ) { + fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy}; + } + } } # @@ -369,7 +375,7 @@ sub default_policy( $$$ ) { my $policy = $policyref->{policy}; my $loglevel = $policyref->{loglevel}; - fatal_error "No default policy for $_[1] to zone $_[2]" unless $policyref; + fatal_error "Internal error in default_policy()" unless $policyref; if ( $chainref eq $policyref ) { policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST}; diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index 56031adac..383fea190 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm @@ -42,7 +42,7 @@ our @EXPORT = qw( setup_forwarding ); our @EXPORT_OK = qw( ); -our $VERSION = '4.01'; +our $VERSION = 4.0.1; # # ARP Filtering 
@@ -96,6 +96,7 @@ sub setup_route_filtering() {
 save_progress_message "Setting up Route Filtering...";
+
 if ( $config{ROUTE_FILTER} ) {
 my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
@@ -114,11 +115,15 @@ sub setup_route_filtering() {
 " error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
 emit "fi\n";
 }
- #
- # According to Documentation/networking/ip-sysctl.txt, this must be turned on to do any filtering
- #
+ emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+ if ( $config{ROUTE_FILTER} eq 'on' ) {
+ emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
+ } elsif ( $config{ROUTE_FILTER} eq 'off' ) {
+ emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+ }
+
 emit "[ -n \"\$NOROUTES\" ] || ip route flush cache";
 }
 }
@@ -155,6 +160,14 @@ sub setup_martian_logging() {
 " error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
 emit "fi\n";
 }
+
+ if ( $config{LOG_MARTIANS} eq 'on' ) {
+ emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
+ emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians';
+ } elsif ( $config{LOG_MARTIANS} eq 'off' ) {
+ emit 'echo 0 > /proc/sys/net/ipv4/conf/all/log_martians';
+ emit 'echo 0 > /proc/sys/net/ipv4/conf/default/log_martians';
+ }
 }
 }
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 9ffca1e51..2d434caad 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces);
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.03';
+our $VERSION = 4.0.3;
 use constant { LOCAL_NUMBER => 255,
 MAIN_NUMBER => 254,
diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm
index d10555af2..ad7c7af9f 100644
--- a/Shorewall-perl/Shorewall/Proxyarp.pm
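Review bot: The added `emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';` in the `@@ -114,11 +115,15 @@` hunk forces the `all` setting on even when ROUTE_FILTER=off, while the three-line comment that explained exactly that requirement (`According to Documentation/networking/ip-sysctl.txt, this must be turned on to do any filtering`) is deleted in the same hunk. The next reader will see an unconditional `echo 1` beside a `default` value that follows the option and reasonably take it for a bug, so keep the explanation above the `emit`, e.g. `# conf/all/rp_filter must be 1 or the per-interface rp_filter values set above have no effect (see ip-sysctl.txt); only conf/default follows ROUTE_FILTER`. setup_route_filtering begins before this hunk.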
+++ b/Shorewall-perl/Shorewall/Proxyarp.pm @@ -35,7 +35,7 @@ our @EXPORT = qw( ); our @EXPORT_OK = qw( initialize ); -our $VERSION = '4.01'; +our $VERSION = 4.0.1; our @proxyarp; diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 1c653bb5a..8c8936195 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos dump_rule_chains ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = '4.04'; +our $VERSION = 4.0.5; # # Keep track of chains for the /var/lib/shorewall[-lite]/chains file @@ -265,7 +265,7 @@ sub setup_rfc1918_filteration( $ ) { my $interface = $hostref->[0]; my $ipsec = $hostref->[1]; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; - for my $chain ( @{first_chains $interface}) { + for my $chain ( first_chains $interface ) { add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); } } @@ -338,7 +338,7 @@ sub setup_blacklist() { my $network = $hostref->[2]; my $source = match_source_net $network; - for my $chain ( @{first_chains $interface}) { + for my $chain ( first_chains $interface ) { add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; } @@ -502,10 +502,7 @@ sub add_common_rules() { my $chain; if ( $config{FASTACCEPT} ) { - for $chain qw( INPUT FORWARD OUTPUT ) { - $chainref = $filter_table->{$chain}; - add_rule( $chainref , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ); - } + add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT ); } my $rejectref = new_standard_chain 'reject'; 
@@ -520,7 +517,7 @@ sub add_common_rules() { my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : ''; for $interface ( all_interfaces ) { - for $chain ( @{first_chains $interface} ) { + for $chain ( first_chains $interface ) { add_rule new_standard_chain( $chain ) , "$state -j dynamic"; } @@ -567,7 +564,7 @@ sub add_common_rules() { $interface = $hostref->[0]; my $ipsec = $hostref->[1]; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; - for $chain ( @{first_chains $interface}) { + for $chain ( first_chains $interface ) { add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" ); } } @@ -639,18 +636,16 @@ sub add_common_rules() { add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition"; for my $hostref ( @$list ) { - $interface = $hostref->[0]; - my $ipsec = $hostref->[1]; - my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; - for $chain ( @{first_chains $interface}) { - add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" ); + my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : ''; + for $chain ( first_chains $hostref->[0] ) { + add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j tcpflags" ); } } } if ( $config{DYNAMIC_ZONES} ) { for $interface ( all_interfaces ) { - for $chain ( @{dynamic_chains $interface} ) { + for $chain ( dynamic_chains $interface ) { new_standard_chain $chain; } @@ -792,7 +787,7 @@ sub setup_mac_lists( $ ) { my $source = match_source_net $hostref->[2]; my $target = mac_chain $interface; if ( $table eq 'filter' ) { - for my $chain ( @{first_chains $interface}) { + for my $chain ( first_chains $interface ) { add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target"; } } else { 
@@ -866,7 +861,7 @@ sub process_macro ( $$$$$$$$$$$$$ ) { $mtarget = merge_levels $target, $mtarget; - if ( $mtarget =~ /^PARAM:?/ ) { + if ( $mtarget =~ /^PARAM(:.*)?$/ ) { fatal_error 'PARAM requires a parameter to be supplied in macro invocation' unless $param ne ''; $mtarget = substitute_param $param, $mtarget; } @@ -920,7 +915,8 @@ sub process_macro ( $$$$$$$$$$$$$ ) { } # -# Once a rule has been completely resolved by macro expansion and wildcard (source and/or dest zone == 'all'), it is processed by this function. +# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If +# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. # sub process_rule1 ( $$$$$$$$$$$ ) { my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $wildcard ) = @_; @@ -998,7 +994,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { if ( $dest eq '-' ) { $dest = firewall_zone; } else { - $dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /(.+?)::/; + $dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /:/; } } elsif ( $action eq 'REJECT' ) { $action = 'reject'; @@ -1031,9 +1027,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) { $dest = ALLIPv4; } - fatal_error "Missing source zone" if $sourcezone eq '-'; + fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); - fatal_error "Missing destination zone" if $destzone eq '-'; + fatal_error "Missing destination zone" if $destzone eq '-' || $destzone =~ /^:/; fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone ); my $restriction = NO_RESTRICT; @@ -1043,6 +1039,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { } else { $restriction = INPUT_RESTRICT if $destzone eq firewall_zone; } + # # Check for illegal bridge port rule # 
@@ -1052,22 +1049,19 @@ sub process_rule1 ( $$$$$$$$$$$ ) { fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge"; } } + # # Take care of chain # my $chain = "${sourcezone}2${destzone}"; my $chainref = ensure_chain 'filter', $chain; - # - # Validate Policy - # my $policy = $chainref->{policy}; - fatal_error "No policy defined from zone $sourcezone to zone $destzone" unless $policy; - if ( $policy eq 'NONE' ) { return 1 if $wildcard; fatal_error "Rules may not override a NONE policy"; } + # # Handle Optimization # @@ -1079,6 +1073,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { return 1 if $basictarget eq $policy; } } + # # Mark the chain as referenced and add appropriate rules from earlier sections. # @@ -1108,9 +1103,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # # Isolate server port # - if ( $dest =~ /^(.*)(:(\d+))$/ ) { + if ( $dest =~ /^(.*)(:(.+))$/ ) { $server = $1; - $serverport = $3; + $serverport = validate_portrange $proto, $3; } else { $server = $dest; $serverport = ''; @@ -1120,15 +1115,14 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # After DNAT, dest port will be the server port. Capture it here because $serverport gets modified below. # my $servport = $serverport ne '' ? $serverport : $ports; - - fatal_error "A server must be specified in the DEST column in $action rules" unless ( $actiontype & REDIRECT ) || $server ne ALLIPv4; # # Generate the target # my $target = ''; if ( $actiontype & REDIRECT ) { - $target = '-j REDIRECT --to-port ' . ( $serverport ne '' ? $serverport : $ports ); + fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server; + $target = '-j REDIRECT --to-port ' . $servport; if ( $origdest eq '' || $origdest eq '-' ) { $origdest = ALLIPv4; } elsif ( $origdest eq 'detect' ) { 
@@ -1141,6 +1135,10 @@ sub process_rule1 ( $$$$$$$$$$$ ) { } } } else { + fatal_error "A server must be specified in the DEST column in $action rules" if $server eq ''; + + validate_address $server, 0; + if ( $action eq 'SAME' ) { fatal_error 'Port mapping not allowed in SAME rules' if $serverport; fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone; @@ -1188,6 +1186,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) { # - the target will be ACCEPT. # unless ( $actiontype & NATONLY ) { + $servport =~ tr/-/:/ if $servport ne '-'; $rule = join( '', do_proto( $proto, $servport, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) ); $loglevel = ''; $dest = $server; @@ -1601,7 +1600,7 @@ sub generate_matrix() { if $hostref->{options}{broadcast}; } - next if$hostref->{options}{destonly}; + next if $hostref->{options}{destonly}; my $source = match_source_net $net; diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm index b028787bb..278675983 100644 --- a/Shorewall-perl/Shorewall/Tc.pm +++ b/Shorewall-perl/Shorewall/Tc.pm @@ -39,7 +39,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = '4.04'; +our $VERSION = 4.0.5; our %tcs = ( T => { chain => 'tcpost', connmark => 0, @@ -367,12 +367,13 @@ sub validate_tc_class( $$$$$$ ) { my $markval = numeric_value( $mark ); fatal_error "Duplicate Mark ($mark)" if $tcref->{$markval}; - $tcref->{$markval} = {}; - $tcref = $tcref->{$markval}; - $tcref->{tos} = []; - $tcref->{rate} = convert_rate $full, $rate; - $tcref->{ceiling} = convert_rate $full, $ceil; - $tcref->{priority} = $prio eq '-' ? 1 : $prio; + $tcref->{$markval} = { tos => [] , + rate => convert_rate( $full, $rate ) , + ceiling => convert_rate( $full, $ceil ) , + priority => $prio eq '-' ? 1 : $prio + }; + + $tcref = $tcref->{$markval}; unless ( $options eq '-' ) { for my $option ( split /,/, "\L$options" ) { 
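Review bot: The replacement check `fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';` in the `@@ -1141,6 +1135,10 @@` hunk tests for an empty string, whereas the line it replaces (removed in the preceding hunk) tested `$server ne ALLIPv4`; the `@@ -1031,9 +1027,9 @@` hunk still shows `$dest = ALLIPv4;` as a normalisation of the DEST column, and `$server` is later copied from `$dest` when no `:port` suffix matches. If that path reaches this branch, a rule with an empty DEST no longer gets this message but falls through to `validate_address $server, 0` with `0.0.0.0/0`, whose error will not tell the user what is missing. Testing both forms, `if $server eq '' || $server eq ALLIPv4`, keeps the old diagnostic. process_rule1 starts and ends outside this hunk.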
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index 0e19c0680..4bb1038ce 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@@ -33,7 +33,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.03';
+our $VERSION = 4.0.3;
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index d7b9cc2fb..8bd6cb448 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -64,7 +64,7 @@ our @EXPORT = qw( NOTHING
 );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.04';
+our $VERSION = 4.0.5;
 #
 # IPSEC Option types
@@ -968,6 +968,7 @@ sub validate_hosts_file()
 $capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
 }
+
 #
 # Returns a reference to a array of host entries. Each entry is a
 # reference to an array containing ( interface , polciy match type {ipsec|none} , network );
diff --git a/Shorewall-perl/buildports.pl b/Shorewall-perl/buildports.pl
deleted file mode 100755
index 9704c1cc3..000000000
--- a/Shorewall-perl/buildports.pl
+++ /dev/null
@@ -1,165 +0,0 @@ -#! /usr/bin/perl -w -# -# Tool for building Shorewall::Ports. -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Usage: -# -# buildports.pl [ ] > /usr/share/shorewall-perl/Shorewall/Ports.pm -# -# Where: -# -# is the directory where the 'protocols' and 'services' files are -# located. If not specified, /etc is assumed. -# -use strict; -use lib '/usr/share/shorewall-perl'; -use Shorewall::Config qw( open_file - push_open - pop_open - read_a_line1 - split_line - fatal_error - %globals - ensure_config_path - set_shorewall_dir - set_config_path ); - -our $offset = "\t\t "; - -our %service_hash; - -sub print_it( $$ ) { - my ( $name, $number ) = @_; - my $tabs; - my $length = length $name; - - if ( $name =~ /\W/ || $name =~ /^\d/ ) { - my $repeat = int ( ( 27 - $length ) / 8 ); - $tabs = $repeat > 0 ? "\t" x $repeat : ' '; - print "${offset}'${name}'${tabs}=> $number,\n"; - } else { - my $repeat = int ( ( 29 - $length ) / 8 ); - $tabs = $repeat > 0 ? 
"\t" x $repeat : ' '; - print "${offset}${name}${tabs}=> $number,\n"; - } -} - -sub print_service( $$ ) { - my ( $service, $number ) = @_; - - unless ( exists $service_hash{$service} ) { - print_it( $service, $number ); - $service_hash{$service} = $number; - } -} -# -# E x e c u t i o n B e g i n s H e r e -# -set_config_path( '/etc' ); - -our $dir = $ARGV[0] || '/etc'; - -$dir =~ s|/+$|| unless $dir eq '/'; -# -# Open the files before we do anything else -# -open_file "$dir/services" or fatal_error "$dir/services is empty"; - -push_open "$dir/protocols" or fatal_error "$dir/protocols is empty"; - -our $date = localtime; - -print <<"EOF"; -# -# Shorewall-perl 4.0 -- /usr/share/shorewall-perl/Shorewall/Ports.pm -# -# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] -# -# (c) 2007 - Tom Eastep (teastep\@shorewall.net) -# -# Complete documentation is available at http://shorewall.net -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of Version 2 of the GNU General Public License -# as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# This module exports the %protocols and %services hashes built from -# /etc/protocols and /etc/services respectively. 
-# -# Module generated using buildports.pl $globals{VERSION} - $date -# -EOF - -print <<'EOF'; -package Shorewall::Ports; - -use strict; -use warnings; - -our @ISA = qw(Exporter); -our @EXPORT = qw( %protocols %services ); -our @EXPORT_OK = qw(); -EOF - -print "our \$VERSION = '$globals{VERSION}';\n"; - -print <<'EOF'; -our %protocols = ( -EOF - -while ( read_a_line1 ) { - my ( $proto1, $number, @aliases ) = split_line( 2, 10, '/etc/protocols entry'); - - print_it( $proto1, $number ); - - for my $alias ( @aliases ) { - last if $alias eq '-'; - print_it( $alias, $number ); - } -} - -pop_open; - -print "\t\t );\n\n"; - -print "our %services = (\n"; - -while ( read_a_line1 ) { - my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry'); - - my ( $number, $proto ) = split '/', $proto_number; - - next unless $proto && ($proto eq 'tcp' || $proto eq 'udp'); - - print_service( $name1 , $number ); - - while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) { - print_service ($name1, $number ); - } -} - -print "\t\t );\n\n1;\n"; diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh index 4fa2f5e81..47e31dc8b 100755 --- a/Shorewall-perl/install.sh +++ b/Shorewall-perl/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.0.4 +VERSION=4.0.5 usage() # $1 = exit status { @@ -31,7 +31,6 @@ usage() # $1 = exit status echo " $ME -v" echo " $ME -h" echo " $ME -n" - echo " $ME -n -P" exit $1 } @@ -111,7 +110,6 @@ if [ -z "$GROUP" ] ; then fi NOBACKUP= -INSTALL_PORTS_PM=Yes while [ $# -gt 0 ] ; do case "$1" in @@ -125,9 +123,6 @@ while [ $# -gt 0 ] ; do -n) NOBACKUP=Yes ;; - -P) - INSTALL_PORTS_PM= - ;; *) usage 1 ;; 
@@ -190,20 +185,6 @@ for f in prog.* ; do
 echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall-perl/$f"
 done
-#
-# Install buildports.pl and create Shorewall::Ports
-#
-install_file buildports.pl ${PREFIX}/usr/share/shorewall-perl/buildports.pl 0755
-
-if [ -n "$INSTALL_PORTS_PM" ]; then
- if ./buildports.pl > ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm; then
- chmod 0644 ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm
- else
- echo "The buildports.pl tool failed -- installing the fallback Protocol/Ports Module"
- cp -a ${PREFIX}/usr/share/shorewall-perl/Shorewall/FallbackPorts.pm ${PREFIX}/usr/share/shorewall-perl/Shorewall/Ports.pm
- fi
-fi
-
 echo $VERSION > ${PREFIX}/usr/share/shorewall-perl/version
 #
 # Report Success
diff --git a/Shorewall-perl/prog.footer b/Shorewall-perl/prog.footer
index e068879ac..6247eba41 100644
--- a/Shorewall-perl/prog.footer
+++ b/Shorewall-perl/prog.footer
@@ -11,9 +11,14 @@ usage() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
-if [ $# -gt 1 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
- set -x
- shift
+if [ $# -gt 1 ]; then
+ if [ "x$1" = "xtrace" ]; then
+ set -x
+ shift
+ elif [ "x$1" = "xdebug" ]; then
+ DEBUG=Yes
+ shift
+ fi
 fi
 initialize
diff --git a/Shorewall-perl/prog.functions b/Shorewall-perl/prog.functions
index 3f9b874f0..7bf908c1a 100644
--- a/Shorewall-perl/prog.functions
+++ b/Shorewall-perl/prog.functions
@@ -81,13 +81,7 @@ startup_error() # $* = Error Message
 #
 run_iptables() {
- if [ -n "$COMMENT" ]; then
- $IPTABLES $@ -m comment --comment "$COMMENT"
- else
- $IPTABLES $@
- fi
-
- if [ $? -ne 0 ]; then
+ if ! $IPTABLES $@; then
 error_message "ERROR: Command \"$IPTABLES $@\" Failed"
 stop_firewall
 exit 2
@@ -149,3 +143,87 @@ get_all_bcasts() {
 ip -f inet addr show 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+ local first second rest table chain
+ #
+ # Clear the ruleset
+ #
+ qt $IPTABLES -t mangle -F
+ qt $IPTABLES -t mangle -X
+
+ for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+ qt $IPTABLES -t mangle -P $chain ACCEPT
+ done
+
+ qt $IPTABLES -t raw -F
+ qt $IPTABLES -t raw -X
+
+ for chain in PREROUTING OUTPUT; do
+ qt $IPTABLES -t raw -P $chain ACCEPT
+ done
+
+ run_iptables -t nat -F
+ run_iptables -t nat -X
+
+ for chain in PREROUTING POSTROUTING OUTPUT; do
+ qt $IPTABLES -t nat -P $chain ACCEPT
+ done
+
+ qt $IPTABLES -t filter -F
+ qt $IPTABLES -t filter -X
+
+ for chain in INPUT FORWARD OUTPUT; do
+ qt $IPTABLES -t filter -P $chain -P ACCEPT
+ done
+
+ while read first second rest; do
+ case $first in
+ -*)
+ #
+ # We can't call run_iptables() here because the rules may contain quoted strings
+ #
+ eval $IPTABLES -t $table $first $second $rest
+
+ if [ $? -ne 0 ]; then
+ error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ ;;
+ :*)
+ chain=${first#:}
+
+ if [ "x$second" = x- ]; then
+ $IPTABLES -t $table -N $chain
+ else
+ $IPTABLES -t $table -P $chain $second
+ fi
+
+ if [ $? -ne 0 ]; then
+ error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ ;;
+ #
+ # This grotesque hack with the table names works around a bug/feature with ash
+ #
+ '*'raw)
+ table=raw
+ ;;
+ '*'mangle)
+ table=mangle
+ ;;
+ '*'nat)
+ table=nat
+ ;;
+ '*'filter)
+ table=filter
+ ;;
+ esac
+ done
+}
diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec
index 7fc814caa..0428b17a5 100644
--- a/Shorewall-perl/shorewall-perl.spec
+++ b/Shorewall-perl/shorewall-perl.spec
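Review bot: In the new debug_restore_input(), the filter-table policy reset reads `qt $IPTABLES -t filter -P $chain -P ACCEPT` — the second `-P` is a typo (compare the nat loop above it, `qt $IPTABLES -t nat -P $chain ACCEPT`), so iptables rejects the command, `qt` discards the error, and the filter chains keep whatever policy they had before the debug restore. Change it to `qt $IPTABLES -t filter -P $chain ACCEPT`. Two smaller points in the same function: `read first second rest` without `-r` lets the shell consume backslashes in the restore input before `eval` ever sees the rule, which matters precisely for the quoted strings the comment says this path exists for, so `while read -r first second rest; do` is safer; and `$table` is only set once a `*table` line has been read, so a rule line arriving first would run `$IPTABLES -t` with an empty table — presumably the generated input always starts with a table header, but a `[ -n "$table" ]` guard would make that failure explicit.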
@@ -1,5 +1,5 @@
 %define name shorewall-perl
-%define version 4.0.4
+%define version 4.0.5
 %define release 1
 Summary: Shoreline Firewall Perl-based compiler.
@@ -37,7 +37,7 @@ execution than the legacy shorewall-shell compiler.
 export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
-./install.sh -n -P
+./install.sh -n
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -46,13 +46,6 @@ rm -rf $RPM_BUILD_ROOT
 %post
-if /usr/share/shorewall-perl/buildports.pl > /usr/share/shorewall-perl/Shorewall/Ports.pm; then
- chmod 0644 /usr/share/shorewall-perl/Shorewall/Ports.pm
-else
- echo "The buildports.pl tool failed -- installing the fallback Protocol/Ports Module"
- cp -a /usr/share/shorewall-perl/Shorewall/FallbackPorts.pm /usr/share/shorewall-perl/Shorewall/Ports.pm
-fi
-
 %preun
 %files
@@ -61,7 +54,6 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-perl
 %attr(0755,root,root) %dir /usr/share/shorewall-perl/Shorewall
-%attr(755,root,root) /usr/share/shorewall-perl/buildports.pl
 %attr(755,root,root) /usr/share/shorewall-perl/compiler.pl
 %attr(0644,root,root) /usr/share/shorewall-perl/prog.header
 %attr(0644,root,root) /usr/share/shorewall-perl/prog.functions
@@ -72,6 +64,8 @@ fi
 %doc COPYING releasenotes.txt
 %changelog
+* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.4-1
 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-shell/README.txt b/Shorewall-shell/README.txt
index 1edbac993..342969c96 100644
--- a/Shorewall-shell/README.txt
+++ b/Shorewall-shell/README.txt
@@ -1 +1 @@
-This is the Shorewall-shell Development 4.0 branch of SVN.
+This is the Shorewall-shell Stable 4.0 branch of SVN.
diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler
index 0216e59d5..91aa6f772 100755
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@@ -5415,6 +5415,7 @@ f=\$(find_file ipsets)
 if [ -f \$f ]; then
 progress_message2 "Restoring IPSETS..."
 ipset -U :all: :all:
+ ipset -U :all: :default:
 ipset -F
 ipset -X
 ipset -R < \$f
@@ -5740,9 +5741,9 @@ usage() {
 # E X E C U T I O N B E G I N S H E R E
 #
 #
-# Start trace if first arg is "debug"
+# Start trace if first arg is "debug" or "trace"
 #
-[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
+[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; }
 NOLOCK=
diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh
index 6a0165af8..968c582b0 100755
--- a/Shorewall-shell/install.sh
+++ b/Shorewall-shell/install.sh
@@ -22,7 +22,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.0.4
+VERSION=4.0.5
 usage() # $1 = exit status
 {
diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec
index f335bf07c..e4bbd52c5 100644
--- a/Shorewall-shell/shorewall-shell.spec
+++ b/Shorewall-shell/shorewall-shell.spec
@@ -1,5 +1,5 @@
 %define name shorewall-shell
-%define version 4.0.4
+%define version 4.0.5
 %define release 1
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -81,6 +81,8 @@ fi
 %doc COPYING INSTALL
 %changelog
+* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.4-1
 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net
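Review bot: The rewritten trace line in the `@@ -5740,9 +5741,9 @@` hunk uses `[ "x$1" = xdebug -o "x$1" = xtrace ]`, while the prog.footer change in this same commit drops the `-o` form in favour of separate tests; the binary `-o` inside `[` is marked obsolescent by POSIX, so the two compilers should at least agree on one form. `[ $# -gt 1 ] && { [ "x$1" = xdebug ] || [ "x$1" = xtrace ]; } && { set -x ; shift ; }` keeps the single-line shape with portable tests.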