Update trunk with branch/4.2 changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9279 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
48b85c5353
commit
22ebcd8b6a
@ -1,3 +1,44 @@
|
||||
Changes in Shorewall 4.2.5
|
||||
|
||||
1) Add 'fallback' providers option.
|
||||
|
||||
2) Support for xtables-addons IPP2P.
|
||||
|
||||
3) Slow down startup some more by adding more modules and modules
|
||||
search directories.
|
||||
|
||||
4) Fix 'shorewall6 debug start'
|
||||
|
||||
5) Added macro.Git.
|
||||
|
||||
Changes in Shorewall 4.2.4.6
|
||||
|
||||
1) Fix hosts exclusion in DNAT/REDIRECT.
|
||||
|
||||
2) Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
|
||||
|
||||
Changes in Shorewall 4.2.4.5
|
||||
|
||||
1) Fix critical hosts handling in Shorewall6.
|
||||
|
||||
Changes in Shorewall 4.2.4.4
|
||||
|
||||
1) Fix exclusion yet another time.
|
||||
|
||||
Changes in Shorewall 4.2.4.3
|
||||
|
||||
1) Fix exclusion again
|
||||
|
||||
Changes in Shorewall 4.2.4.2
|
||||
|
||||
1) Fix 'refresh'
|
||||
|
||||
Changes in Shorewall 4.2.4.1
|
||||
|
||||
1) Fix 'shorewall6 restore' etc.
|
||||
|
||||
2) Fix init scripts.
|
||||
|
||||
Changes in Shorewall 4.2.4-RC3
|
||||
|
||||
1) Fix exclusion handling with certain hosts options.
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -256,6 +256,7 @@ reload_kernel_modules() {
|
||||
moduledirectories=
|
||||
local moduleloader
|
||||
moduleloader=modprobe
|
||||
local uname
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@ -263,7 +264,11 @@ reload_kernel_modules() {
|
||||
|
||||
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
|
||||
|
||||
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
|
||||
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
uname=$(uname -r) && \
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
|
||||
MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
|
||||
for directory in $(split $MODULESDIR); do
|
||||
@ -291,6 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
moduleloader=modprobe
|
||||
local savemoduleinfo
|
||||
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||
local uname
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@ -299,7 +305,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
|
||||
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
|
||||
uname=$(uname -r) && \
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
|
||||
for directory in $(split $MODULESDIR); do
|
||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
||||
@ -1151,9 +1158,9 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
|
||||
fi
|
||||
|
||||
qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
|
||||
qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
|
||||
if [ -n "$IPP2P_MATCH" ]; then
|
||||
qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
|
||||
qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
|
||||
fi
|
||||
|
||||
qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
|
||||
@ -1250,7 +1257,7 @@ report_capabilities() {
|
||||
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
||||
report_capability "Raw Table" $RAW_TABLE
|
||||
report_capability "IPP2P Match" $IPP2P_MATCH
|
||||
[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match" $OLD_IPP2P_MATCH
|
||||
[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
|
||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||
report_capability "Extended REJECT" $ENHANCED_REJECT
|
||||
report_capability "Repeat match" $KLUDGEFREE
|
||||
|
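Review bot: In the hunk headed `@ -263,7 +264,11 @@`, the new `[ -z "$MODULESDIR" ] && uname=$(uname -r) && MODULESDIR=...` chain leaves MODULESDIR empty and prints nothing when `uname -r` fails, so the later `for directory in $(split $MODULESDIR)` quietly loads no modules at all; the Perl counterpart in this same commit (the hunk headed `@ -1641,7 +1645,7 @@`) treats that failure as fatal. Consider turning the chain into an `if [ -z "$MODULESDIR" ]` block whose first statement is `uname=$(uname -r) || { echo "   ERROR: 'uname -r' failed" >&2; exit 2; }` (or the library's fatal-error helper, if one is in scope here) and only then assigns the default path list. The same pattern is repeated in the hunks headed `@ -299,7 +305,8 @@`, `@ -252,7 +253,10 @@` and `@ -288,7 +293,8 @@`. reload_kernel_modules starts before the hunk and continues after it.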
@ -39,6 +39,7 @@ loadmodule xt_dscp
|
||||
loadmodule xt_DSCP
|
||||
loadmodule xt_hashlimit
|
||||
loadmodule xt_helper
|
||||
loadmodule xt_ipp2p
|
||||
loadmodule xt_iprange
|
||||
loadmodule xt_length
|
||||
loadmodule xt_limit
|
||||
@ -77,6 +78,20 @@ loadmodule ip_set_ipmap
|
||||
loadmodule ip_set_macipmap
|
||||
loadmodule ip_set_portmap
|
||||
#
|
||||
# Ipset
|
||||
#
|
||||
loadmodule ip_set
|
||||
loadmodule ip_set_iphash
|
||||
loadmodule ip_set_ipmap
|
||||
loadmodule ip_set_ipporthash
|
||||
loadmodule ip_set_iptree
|
||||
loadmodule ip_set_iptreemap
|
||||
loadmodule ip_set_macipmap
|
||||
loadmodule ip_set_nethash
|
||||
loadmodule ip_set_portmap
|
||||
loadmodule ipt_SET
|
||||
loadmodule ipt_set
|
||||
#
|
||||
# 2.6.20+ helpers
|
||||
#
|
||||
loadmodule nf_conntrack_ftp
|
||||
|
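Review bot: The new Ipset block in the hunk headed `@ -77,6 +78,20 @@` repeats `loadmodule ip_set_ipmap`, `loadmodule ip_set_macipmap` and `loadmodule ip_set_portmap`, which already appear as unchanged lines immediately above it. The duplicates are presumably harmless if loadmodule skips modules that are already loaded, but they make the list harder to maintain; drop either the three older entries or the three repeats so each module is listed once. Whether the earlier entries belong to another labelled block cannot be seen from the hunk.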
@ -1,4 +1,4 @@
|
||||
Shorewall 4.2.4 RC3
|
||||
Shorewall 4.2.5
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
R E L E A S E 4 . 2 H I G H L I G H T S
|
||||
@ -27,32 +27,51 @@ Shorewall 4.2.4 RC3
|
||||
- Perl 5.10 if you wish to use DNS names in your IPv6 config files.
|
||||
In that case you will also have to install Perl Socket6 support.
|
||||
|
||||
Problems Corrected in 4.2.4 RC3
|
||||
Problems corrected in 4.2.5
|
||||
|
||||
1) Previously, when exclusion was used in an entry in
|
||||
/etc/shorewall/hosts, Shorewall-perl ignored the exclusion when
|
||||
generating rules for the following OPTIONS in that entry:
|
||||
|
||||
blacklist
|
||||
maclist
|
||||
norfc1918
|
||||
tcpflags
|
||||
1) If exclusion is used to define a zone in /etc/shorewall/hosts and
|
||||
that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
|
||||
then Shorewall-perl can generated invalid iptables-restore input.
|
||||
|
||||
2) Shorewall-perl previously promoted all exclusion in the
|
||||
/etc/shorewall/hosts file to the zone level. That meant that
|
||||
all traffic to/from the zone passed through exclusion rules
|
||||
rather than only the traffic matching a hosts records that
|
||||
specified exclusion.
|
||||
2) A bug in the Perl Cwd module (see
|
||||
http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
|
||||
Shorewall-perl compiler to fail if it doesn't have at least read
|
||||
access to its current working directory. 4.2.5 contains a
|
||||
workaround.
|
||||
|
||||
Example /etc/shorewall/hosts:
|
||||
3) If 'critical' was specified on an entry in
|
||||
/etc/shorewall/routestopped, Shorewall6 (Shorewall-perl) would
|
||||
generate an error.
|
||||
|
||||
z eth0:192.168.4.0/24
|
||||
z eth1:10.0.0.0/24!10.0.0.99
|
||||
4) In certain cases where exclusion occurred in /etc/shorewall/hosts,
|
||||
Shorewall-perl would generate incorrect iptables-restore input.
|
||||
|
||||
Traffic entering eth0 from network 192.168.4.0/24 would still
|
||||
be checked for '!10.0.0.99'.
|
||||
5) In certain cases where exclusion occurred in /etc/shorewall/hosts,
|
||||
Shorewall-perl would generate invalid iptables-restore input.
|
||||
|
||||
This has been corrected.
|
||||
6) The 'shorewall6 refresh' command runs iptables_restore rather than
|
||||
ip6tables_restore.
|
||||
|
||||
7) The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
|
||||
'shorewall6 restore' were previously broken.
|
||||
|
||||
8) The Debian init script was checking $startup in
|
||||
/etc/default/shorewall rather than in /etc/default/shorweall6
|
||||
|
||||
9) The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
|
||||
unconverted Shorewall scripts.
|
||||
|
||||
10) When 'detect' is used in the GATEWAY column of
|
||||
/etc/shorewall/providers, Shorewall-perl now ensures that the
|
||||
gateway was successfully detected. If the gateway cannot be
|
||||
detected, action is taken depending on whether the provider is
|
||||
'optional' or not. If the provider is optional, it's configuration
|
||||
is skipped; if the provider is not optional, the current operation
|
||||
is aborted.
|
||||
|
||||
11) The command 'shorewall6 debug start' would previously fail with
|
||||
|
||||
ERROR: Command "/sbin/ip6tables -t nat -F" Failed
|
||||
|
||||
Known Problems Remaiining:
|
||||
|
||||
@ -65,100 +84,74 @@ Known Problems Remaiining:
|
||||
norfc1918
|
||||
tcpflags
|
||||
|
||||
New Features in Shorewall 4.2.4.
|
||||
New Feature in Shorewall 4.2.5
|
||||
|
||||
1) Two new packages are included:
|
||||
1) A new 'fallback' option is added in
|
||||
/etc/shorewall/providers. The option works similar to 'balance'
|
||||
except that the default route is added in the default routing table
|
||||
(253) rather than in the main table (254).
|
||||
|
||||
a) Shorewall6 - analagous to Shorewall-common but handles IPv6
|
||||
rather than IPv4.
|
||||
The option can be used by itself or followed by =<number> (e.g,
|
||||
fallback=2).
|
||||
|
||||
b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6
|
||||
rather than IPv4.
|
||||
When the option is used by itself, a separate (not balanced)
|
||||
default route is added with a metric equal to the provider's NUMBER.
|
||||
|
||||
The packages store their configurations in /etc/shorewall6/ and
|
||||
/etc/shorewall6-lite/ respectively.
|
||||
When the option is used with a number, a balanced route is added
|
||||
with the weight set to the specified number.
|
||||
|
||||
The fact that the packages are separate from their IPv4 counterparts
|
||||
means that you control IPv4 and IPv6 traffic separately (the same
|
||||
way that Netfilter does). Starting/Stopping the firewall for one
|
||||
address family has no effect on the other address family.
|
||||
'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
|
||||
is only available with Shorewall-perl.
|
||||
|
||||
For additional information, see
|
||||
http://www.shorewall.net/IPV6Support.html.
|
||||
'fallback' is useful in situations where:
|
||||
|
||||
Other features of Shorewall6 are:
|
||||
- You want all traffic to be sent via one primary provider unless
|
||||
there is a compelling reason to use a different provider
|
||||
|
||||
a) There is no NAT of any kind (most people see this as a giant step
|
||||
forward). When an ISP assigns you a public IPv6 address, you are
|
||||
actually assigned an IPv6 'prefix' which is like an IPv4
|
||||
subnet. A 64-bit prefix allows 4 billion squared individual hosts
|
||||
(the size of the current IPv4 address space squared).
|
||||
- If the primary provider is down, then you want to balance the
|
||||
outgoing traffic among a set of other providers or to a
|
||||
ordered list of providers.
|
||||
|
||||
b) The default zone type is ipv6.
|
||||
In this case:
|
||||
|
||||
c) The currently-supported interface options in Shorewall6 are:
|
||||
- Do not specify 'balance' on any of the providers.
|
||||
- Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
|
||||
- Specify 'fallback' on those providers that you want to use if
|
||||
the primary is down.
|
||||
- Only the primary provider should have a default route in the main
|
||||
routing table.
|
||||
|
||||
blacklist
|
||||
bridge
|
||||
dhcp
|
||||
nosmurfs (traps multicast and Subnet-router anycast addresses
|
||||
used as the packet source address).
|
||||
optional
|
||||
routeback
|
||||
sourceroute
|
||||
tcpflags
|
||||
mss
|
||||
forward (setting it to 0 makes the router behave like a host
|
||||
on that interface rather than like a router).
|
||||
See http://www.shorewall.net/MultiISP.html#Complete for an example
|
||||
of this option's use.
|
||||
|
||||
d) The currently-supported host options in Shorewall6 are:
|
||||
2) Shorewall-perl now transparently handles the xtables-addon version
|
||||
of ipp2p. Shorewall detects whether the installed ipp2p is from
|
||||
patch-o-matic-ng or from xtables-addon and proceeds accordingly.
|
||||
|
||||
blacklist
|
||||
routeback
|
||||
tcpflags
|
||||
If the patch-o-matic-ng version is installed:
|
||||
|
||||
e) Traffic Shaping is disabled by default. The tcdevices and
|
||||
tcclasses files are address-family independent so
|
||||
to use the Shorewall builtin Traffic Shaper, TC_ENABLED=Internal
|
||||
should be specified in Shorewall or in Shorewall6 but not in
|
||||
both. In the configuration where the internal traffic shaper is
|
||||
not enabled, CLEAR_TC=No should be specified.
|
||||
a) If no DEST PORT is supplied, the default is "--ipp2p".
|
||||
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
|
||||
iptables-restore as "--ipp2p".
|
||||
|
||||
tcfilters are not available in Shorewall6.
|
||||
If the xtables-addons version is installed:
|
||||
|
||||
f) When both an interface and an address or address list need to
|
||||
be specified in a rule, the address or list must be enclosed in
|
||||
angle brackets. Example:
|
||||
a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
|
||||
--kazaa".
|
||||
b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
|
||||
iptables-restore as "--edk --gnu --dc --kazaa".
|
||||
|
||||
#ACTION SOURCE DEST
|
||||
ACCEPT net:eth0:<2001:19f0:feee::dead:beef:cafe> dmz
|
||||
Shorewall-perl now also accepts a comma-separated list of options
|
||||
(e.g., "edk,gnu,dc,kazaa).
|
||||
|
||||
Note that this includes MAC addresses as well as IPv6 addresses.
|
||||
Additionally, Shorewall now looks for modules in /lib/modules/$(uname
|
||||
-r)/extra and in /lib/modules/$(uname -r)/extra/ipset
|
||||
|
||||
The HOSTS column in /etc/shorewall6/hosts also uses this
|
||||
convention:
|
||||
This change introduced a new capability ("Old IPP2P Match Syntax")
|
||||
so if you use a capabilities file, be sure to re-generate the
|
||||
file(s) after you have installed 4.2.5.
|
||||
|
||||
#ZONE HOSTS OPTIONS
|
||||
chat6 eth0:<2001:19f0:feee::dead:beef:cafe>
|
||||
|
||||
Even when an interface is not specified, it is permitted to
|
||||
enclose addresses in <> to improve readability. Example:
|
||||
|
||||
#ACTION SOURCE DEST
|
||||
ACCEPT net:<2001:1::1> $FW
|
||||
|
||||
g) The options available in shorewall6.conf are a subset of those
|
||||
available in shorewall.conf.
|
||||
|
||||
h) The Socket6.pm Perl module is required if you include DNS names
|
||||
in your Shorewall6 configuration. Note that it is loaded the
|
||||
first time that a DNS name is encountered so if it is missing,
|
||||
you get a message similar to this one:
|
||||
|
||||
...
|
||||
Checking /etc/shorewall6/rules...
|
||||
Can't locate Socket6.pm in @INC (@INC contains: /root ...
|
||||
teastep@ursa:~/Configs/standalone6$
|
||||
3) There is now a macro.Git, which opens git-daemon's port (9418/tcp).
|
||||
|
||||
Migration Issues.
|
||||
|
||||
@ -1307,3 +1300,34 @@ Other changes in Shorewall 4.2.3
|
||||
|
||||
shorewall reset chain1 chain2 ...
|
||||
shorewall-lite reset chain1 chain2 ...
|
||||
|
||||
Problems Corrected in 4.2.4
|
||||
|
||||
1) Previously, when exclusion was used in an entry in
|
||||
/etc/shorewall/hosts, Shorewall-perl ignored the exclusion when
|
||||
generating rules for the following OPTIONS in that entry:
|
||||
|
||||
blacklist
|
||||
maclist
|
||||
norfc1918
|
||||
tcpflags
|
||||
|
||||
2) Shorewall-perl previously promoted all exclusion in the
|
||||
/etc/shorewall/hosts file to the zone level. That meant that
|
||||
all traffic to/from the zone passed through exclusion rules
|
||||
rather than only the traffic matching a hosts records that
|
||||
specified exclusion.
|
||||
|
||||
Example /etc/shorewall/hosts:
|
||||
|
||||
z eth0:192.168.4.0/24
|
||||
z eth1:10.0.0.0/24!10.0.0.99
|
||||
|
||||
Traffic entering eth0 from network 192.168.4.0/24 would still
|
||||
be checked for '!10.0.0.99'.
|
||||
|
||||
This has been corrected.
|
||||
|
||||
Other changes in 4.2.4
|
||||
|
||||
1) Support for IPv6 was added -- see above.
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-common
|
||||
%define version 4.2.4
|
||||
%define release 0RC3
|
||||
%define version 4.2.5
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -175,8 +175,10 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
|
||||
|
||||
%changelog
|
||||
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC3
|
||||
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.5-0base
|
||||
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0base
|
||||
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC2
|
||||
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.2.4
|
||||
%define release 0RC3
|
||||
%define version 4.2.5
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -98,26 +98,14 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC3
|
||||
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC2
|
||||
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC1
|
||||
* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.4-0base
|
||||
* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.3-0base
|
||||
* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.2-0base
|
||||
* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.1-0base
|
||||
* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.1-0base
|
||||
* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.0-0base
|
||||
* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 2.3.0-0base
|
||||
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.5-0base
|
||||
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0base
|
||||
* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.3-0base
|
||||
* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.2-0base
|
||||
* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.1-0base
|
||||
* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -240,6 +240,9 @@ our %interfacebcasts;
|
||||
our %interfaceacasts;
|
||||
our %interfacegateways;
|
||||
|
||||
#
|
||||
# Built-in Chains
|
||||
#
|
||||
our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
|
||||
|
||||
#
|
||||
@ -278,6 +281,8 @@ our %builtin_target = ( ACCEPT => 1,
|
||||
#
|
||||
|
||||
sub initialize( $ ) {
|
||||
$family = shift;
|
||||
|
||||
%chain_table = ( raw => {} ,
|
||||
mangle => {},
|
||||
nat => {},
|
||||
@ -325,7 +330,6 @@ sub initialize( $ ) {
|
||||
%interfaceacasts = ();
|
||||
%interfacegateways = ();
|
||||
|
||||
$family = shift;
|
||||
}
|
||||
|
||||
INIT {
|
||||
@ -1039,17 +1043,17 @@ sub finish_chain_section ($$) {
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
||||
if ( $section eq 'DONE' ) {
|
||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
} else {
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
my $policychainref = $filter_table->{$chainref->{policychain}};
|
||||
if ( $policychainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1063,9 +1067,7 @@ sub finish_chain_section ($$) {
|
||||
sub finish_section ( $ ) {
|
||||
my $sections = $_[0];
|
||||
|
||||
for my $section ( split /,/, $sections ) {
|
||||
$sections{$section} = 1;
|
||||
}
|
||||
$sections{$_} = 1 for split /,/, $sections;
|
||||
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
@ -1292,11 +1294,11 @@ sub do_proto( $$$ )
|
||||
|
||||
my $options = '';
|
||||
|
||||
if ( $ports ) {
|
||||
$options .= " --$_" for split /,/, $ports;
|
||||
} else {
|
||||
$options = $capabilities{OLD_IPP2P_MATCH} ? '--ipp2p' : '--edk --kazza --gnu --dc';
|
||||
if ( $ports ne 'ipp2p' ) {
|
||||
$options .= " --$_" for split /,/, $ports;
|
||||
}
|
||||
|
||||
$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
|
||||
|
||||
$output .= "${proto}-m ipp2p${options} ";
|
||||
} else {
|
||||
|
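Review bot: In the hunk headed `@ -1292,11 +1294,11 @@`, each comma-separated item of `$ports` is emitted verbatim as an iptables `--$_` option with no check that it is a plausible ipp2p option name, so a typo in the DEST PORT column only surfaces as an iptables-restore failure at run time instead of a compile-time diagnostic. A guard inside the loop such as `fatal_error "Invalid ipp2p option ($_)" unless /^\w+$/;` would catch that early and also keeps whitespace or option-looking text from being spliced into the generated rule. If the caller can still hand this code a literal '-' for an empty DEST PORT (not visible in the hunk), that value would now become ` ---`, so it is worth confirming it is normalised before this point. do_proto starts before the hunk and continues after it.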
@ -940,7 +940,7 @@ sub compiler {
|
||||
initialize_chain_table;
|
||||
|
||||
unless ( $command eq 'check' ) {
|
||||
create_temp_object( $objectfile );
|
||||
create_temp_object( $objectfile , $export );
|
||||
generate_script_1;
|
||||
}
|
||||
|
||||
|
@ -202,6 +202,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
XCONNMARK_MATCH => 'Extended Connmark Match',
|
||||
RAW_TABLE => 'Raw Table',
|
||||
IPP2P_MATCH => 'IPP2P Match',
|
||||
OLD_IPP2P_MATCH => 'Old IPP2P Match Syntax',
|
||||
CLASSIFY_TARGET => 'CLASSIFY Target',
|
||||
ENHANCED_REJECT => 'Extended Reject',
|
||||
KLUDGEFREE => 'Repeat match',
|
||||
@ -299,13 +300,16 @@ sub initialize( $ ) {
|
||||
LOGPARMS => '',
|
||||
TC_SCRIPT => '',
|
||||
EXPORT => 0,
|
||||
VERSION => "4.2.4",
|
||||
VERSION => "4.2.5",
|
||||
CAPVERSION => 40205 ,
|
||||
);
|
||||
|
||||
#
|
||||
# From shorewall.conf file
|
||||
#
|
||||
if ( $family == F_IPV4 ) {
|
||||
$globals{PRODUCT} = 'shorewall';
|
||||
|
||||
%config =
|
||||
( STARTUP_ENABLED => undef,
|
||||
VERBOSITY => undef,
|
||||
@ -425,8 +429,9 @@ sub initialize( $ ) {
|
||||
NFLOG => 'NFLOG');
|
||||
} else {
|
||||
$globals{SHAREDIR} = '/usr/share/shorewall6';
|
||||
$globals{CONFDIR} = '/etc/shorewall6';
|
||||
|
||||
$globals{CONFDIR} = '/etc/shorewall6';
|
||||
$globals{PRODUCT} = 'shorewall6';
|
||||
|
||||
%config =
|
||||
( STARTUP_ENABLED => undef,
|
||||
VERBOSITY => undef,
|
||||
@ -977,8 +982,8 @@ sub copy1( $ ) {
|
||||
# Create the temporary object file -- the passed file name is the name of the final file.
|
||||
# We create a temporary file in the same directory so that we can use rename to finalize it.
|
||||
#
|
||||
sub create_temp_object( $ ) {
|
||||
my $objectfile = $_[0];
|
||||
sub create_temp_object( $$ ) {
|
||||
my ( $objectfile, $export ) = @_;
|
||||
my $suffix;
|
||||
|
||||
eval {
|
||||
@ -993,10 +998,10 @@ sub create_temp_object( $ ) {
|
||||
fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
|
||||
fatal_error "$objectfile is a Directory" if -d _;
|
||||
fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
|
||||
fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq '';
|
||||
fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if $export && "$file" eq $globals{PRODUCT} && $suffix eq '';
|
||||
|
||||
eval {
|
||||
$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=1385
|
||||
$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
|
||||
( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
|
||||
};
|
||||
|
||||
@ -1029,7 +1034,6 @@ sub create_temp_aux_config() {
|
||||
};
|
||||
|
||||
die if $@;
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
@ -1641,7 +1645,7 @@ sub load_kernel_modules( ) {
|
||||
my $uname = `uname -r`;
|
||||
fatal_error "The command 'uname -r' failed" unless $? == 0;
|
||||
chomp $uname;
|
||||
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter";
|
||||
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
|
||||
}
|
||||
|
||||
my @moduledirectories = split /:/, $modulesdir;
|
||||
|
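Review bot: The hunk headed `@ -1029,7 +1034,6 @@` removes the `die if $@;` that followed the `eval { ... };` in create_temp_aux_config, so unless the eval's failure is now handled inside the block (not visible here), an error from the temporary-file creation would be swallowed and the function would return as if it had succeeded. If the line was removed because the eval can no longer fail, a short comment saying so would save the next reader the question; otherwise it should be restored. Separately, in the hunk headed `@ -993,10 +998,10 @@` the "may not be named" guard is now conditioned on `$export`; if non-exported compiles can still be pointed at an arbitrary path, the old unconditional check protected the installed command script from being overwritten, so the reason the export case alone needs it deserves a comment. create_temp_aux_config starts before the hunk.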
@ -219,8 +219,11 @@ sub balance_fallback_route( $$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
sub start_provider( $$ ) {
|
||||
my ($table, $number ) = @_;
|
||||
sub start_provider( $$$ ) {
|
||||
my ($table, $number, $test ) = @_;
|
||||
|
||||
emit $test;
|
||||
push_indent;
|
||||
|
||||
emit "#\n# Add Provider $table ($number)\n#";
|
||||
|
||||
@ -263,13 +266,9 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
|
||||
$gateway = get_interface_gateway $interface;
|
||||
emit qq(if interface_is_usable $interface && [ -n "$gateway" ]; then);
|
||||
push_indent;
|
||||
start_provider( $table, $number );
|
||||
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
|
||||
} else {
|
||||
emit "if interface_is_usable $interface; then";
|
||||
push_indent;
|
||||
start_provider( $table, $number );
|
||||
start_provider( $table, $number, "if interface_is_usable $interface; then" );
|
||||
|
||||
if ( $gateway && $gateway ne '-' ) {
|
||||
validate_address $gateway, 0;
|
||||
@ -279,6 +278,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
emit "run_ip route add default dev $interface table $number";
|
||||
}
|
||||
}
|
||||
|
||||
my $val = 0;
|
||||
|
||||
if ( $mark ne '-' ) {
|
||||
@ -337,13 +337,14 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
|
||||
} else {
|
||||
$default = $1;
|
||||
fatal_error 'fallback must be non-zero' unless $default;
|
||||
}
|
||||
} elsif ( $option eq 'fallback' ) {
|
||||
fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
|
||||
if ( $config{USE_DEFAULT_RT} ) {
|
||||
warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
|
||||
} else {
|
||||
$default = 1;
|
||||
$default = -1;
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid option ($option)";
|
||||
@ -409,7 +410,19 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
}
|
||||
|
||||
balance_default_route $balance , $gateway, $interface, $realm if $balance;
|
||||
balance_fallback_route $default , $gateway, $interface, $realm if $default;
|
||||
|
||||
if ( $default > 0 ) {
|
||||
balance_fallback_route $default , $gateway, $interface, $realm;
|
||||
} elsif ( $default ) {
|
||||
emit '';
|
||||
if ( $gateway ) {
|
||||
emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
|
||||
emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||
} else {
|
||||
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
|
||||
emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
|
||||
}
|
||||
}
|
||||
|
||||
if ( $loose ) {
|
||||
if ( $config{DELETE_THEN_ADD} ) {
|
||||
|
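Review bot: In the hunk headed `@ -409,7 +410,19 @@`, the command emitted for a bare 'fallback' with a gateway names the interface twice: `... dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number)`. iproute2 may tolerate the repeated `dev`, but it reads as a paste error and differs from the else branch; the line should be `emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( metric $number);`. The `$default = -1` sentinel introduced in the hunk headed `@ -337,13 +337,14 @@`, which this branch relies on, deserves a comment where it is set, e.g. `# -1: plain 'fallback' (unbalanced default route in the default table); > 0: balanced weight`. add_a_provider starts before the hunk and continues after it.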
@ -71,10 +71,9 @@ sub setup_tunnels() {
|
||||
add_rule $outchainref, "-p 51 $dest -j ACCEPT";
|
||||
}
|
||||
|
||||
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
||||
|
||||
if ( $kind eq 'ipsec' ) {
|
||||
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
||||
add_rule $inchainref, "-p udp $source --dport 500 $options";
|
||||
add_rule $outchainref, "-p udp $dest --dport 500 $options";
|
||||
} else {
|
||||
add_rule $inchainref, "-p udp $source -m multiport --dports 500,4500 $options";
|
||||
add_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
|
||||
|
@ -93,7 +93,7 @@ use constant { NOTHING => 'NOTHING',
|
||||
# }
|
||||
# parents => [ <parents> ] Parents, Children and interfaces are listed by name
|
||||
# children => [ <children> ]
|
||||
# interfaces => [ <interfaces> ]
|
||||
# interfaces => { <interfaces1> => 1, ... }
|
||||
# bridge => <bridge>
|
||||
# hosts { <type> } => [ { <interface1> => { ipsec => 'ipsec'|'none'
|
||||
# options => { <option1> => <value1>
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -178,13 +178,6 @@ debug_restore_input() {
|
||||
qt1 $IP6TABLES -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
run_iptables -t nat -F
|
||||
run_iptables -t nat -X
|
||||
|
||||
for chain in PREROUTING POSTROUTING OUTPUT; do
|
||||
qt1 $IP6TABLES -t nat -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $IP6TABLES -t filter -F
|
||||
qt1 $IP6TABLES -t filter -X
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 1999-2008 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Options are:
|
||||
#
|
||||
@ -245,6 +245,7 @@ reload_kernel_modules() {
|
||||
moduledirectories=
|
||||
local moduleloader
|
||||
moduleloader=modprobe
|
||||
local uname
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@ -252,7 +253,10 @@ reload_kernel_modules() {
|
||||
|
||||
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
|
||||
|
||||
[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
uname=$(uname -r) && \
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
|
||||
MODULES=$(lsmod | cut -d ' ' -f1)
|
||||
|
||||
for directory in $(split $MODULESDIR); do
|
||||
@ -280,6 +284,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
moduleloader=modprobe
|
||||
local savemoduleinfo
|
||||
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||
local uname
|
||||
|
||||
if ! qt mywhich modprobe; then
|
||||
moduleloader=insmod
|
||||
@ -288,7 +293,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
||||
[ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
|
||||
|
||||
[ -z "$MODULESDIR" ] && \
|
||||
MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
|
||||
uname=$(uname -r) && \
|
||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||
|
||||
for directory in $(split $MODULESDIR); do
|
||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
||||
|
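Review bot: In both reload_kernel_modules and load_kernel_modules the new default is built as an `&&` chain, `[ -z "$MODULESDIR" ] && uname=$(uname -r) && MODULESDIR=...`, so if `uname -r` fails the chain simply stops, `MODULESDIR` stays empty, the `for directory in $(split $MODULESDIR)` loop iterates zero times and the firewall presumably comes up with none of its netfilter modules loaded while nothing in these hunks reports it. Fail loudly instead, e.g. `uname=$(uname -r) || { echo "ERROR: uname -r failed" >&2; exit 2; }` (or whatever fatal-error helper this library already provides). The local named `uname` does not clash with the command (variables and commands live in separate namespaces) but it reads like the command and invites `$(uname)` typos; `kernel_release` would be clearer. Since the default path now also searches `/lib/modules/$uname/extra` and `extra/ipset`, a one-line comment stating that these hold out-of-tree modules (xtables-addons, ipset) and are trusted exactly like in-tree ones would document the intent. Both functions start and end outside the visible hunks.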
@ -1,6 +1,6 @@
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 1999-2008 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Options are:
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-perl
|
||||
%define version 4.2.4
|
||||
%define release 0RC3
|
||||
%define version 4.2.5
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall Perl-based compiler.
|
||||
Name: %{name}
|
||||
@ -62,8 +62,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%doc COPYING releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC3
|
||||
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.5-0base
|
||||
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0base
|
||||
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC2
|
||||
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
|
||||
#
|
||||
# (c) 2006 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2006 - 2009 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
#
|
||||
# Options are:
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-shell
|
||||
%define version 4.2.4
|
||||
%define release 0RC3
|
||||
%define version 4.2.5
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -81,8 +81,10 @@ fi
|
||||
%doc COPYING INSTALL
|
||||
|
||||
%changelog
|
||||
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC3
|
||||
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.5-0base
|
||||
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0base
|
||||
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC2
|
||||
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -41,7 +41,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
|
||||
# description: Packet filtering firewall
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: shorewall6-lite
|
||||
# Provides: shorewall6
|
||||
# Required-Start: $network
|
||||
# Required-Stop:
|
||||
# Default-Start: 2 3 5
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6-lite
|
||||
%define version 4.2.4
|
||||
%define release 0RC3
|
||||
%define version 4.2.5
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -89,8 +89,10 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC3
|
||||
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.5-0base
|
||||
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0base
|
||||
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0RC2
|
||||
* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -33,7 +33,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40300
|
||||
SHOREWALL_CAPVERSION=40203
|
||||
SHOREWALL_CAPVERSION=40205
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||
@ -716,6 +716,7 @@ determine_capabilities() {
|
||||
XCONNMARK_MATCH=
|
||||
RAW_TABLE=
|
||||
IPP2P_MATCH=
|
||||
OLD_IPP2P_MATCH=
|
||||
LENGTH_MATCH=
|
||||
CLASSIFY_TARGET=
|
||||
ENHANCED_REJECT=
|
||||
@ -803,8 +804,12 @@ determine_capabilities() {
|
||||
qt $IP6TABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
|
||||
fi
|
||||
|
||||
qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
|
||||
if [ -n "$IPP2P_MATCH" ]; then
|
||||
qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
|
||||
fi
|
||||
|
||||
qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
|
||||
qt $IP6TABLES -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes
|
||||
|
||||
qt $IP6TABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
|
||||
@ -897,6 +902,7 @@ report_capabilities() {
|
||||
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
||||
report_capability "Raw Table" $RAW_TABLE
|
||||
report_capability "IPP2P Match" $IPP2P_MATCH
|
||||
[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
|
||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||
report_capability "Extended REJECT" $ENHANCED_REJECT
|
||||
report_capability "Repeat match" $KLUDGEFREE
|
||||
@ -949,6 +955,7 @@ report_capabilities1() {
|
||||
report_capability1 XCONNMARK_MATCH
|
||||
report_capability1 RAW_TABLE
|
||||
report_capability1 IPP2P_MATCH
|
||||
report_capability1 OLD_IPP2P_MATCH
|
||||
report_capability1 CLASSIFY_TARGET
|
||||
report_capability1 ENHANCED_REJECT
|
||||
report_capability1 KLUDGEFREE
|
||||
|
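Review bot: The new `OLD_IPP2P_MATCH` probe in determine_capabilities has no comment saying why a second `-m ipp2p` test is needed, and the variable name alone does not convey it; the changelog item "Support for xtables-addons IPP2P" suggests the xtables-addons ipp2p module no longer accepts the `--ipp2p` catch-all, so a comment such as `# xtables-addons ipp2p dropped the --ipp2p catch-all; detect the legacy syntax separately so the compiler knows which one to emit` would make the dependency explicit (confirm against the module's option table). Note also that the probe works by inserting ACCEPT rules into `$chain`; that `$chain` is a scratch chain created and deleted around these tests is established outside this hunk, so it is worth stating in a comment at the top of the probe block. determine_capabilities begins and ends outside the visible hunk.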
@ -1,5 +1,5 @@
|
||||
%define name shorewall6
|
||||
%define version 4.2.4
|
||||
%define version 4.2.5
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||
@ -140,6 +140,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||
|
||||
%changelog
|
||||
* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.5-0base
|
||||
* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.2.4-0base
|
||||
* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.2.4-RC3
|
||||
VERSION=4.2.5
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|