Don't use "-m multiport" if port lists don't have more than one element.

Clarify comments on the MULTIPORT option in shorewall.conf.
Update versions to 1.3.2.
Update release notes and change log.


git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@51 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,12 +1,9 @@
 Changes since 1.3.0
 
-1. Corrected policy handling for "all z CONTINUE" policies.
-2. Corrected problems with "-" as LOGLEVEL in the policy file.
-3. Added /etc/shorewall/rfc1918 file for defining the behavior of the
-   'norfc1918' interface option.
-4. Avoided forwarding rules between zones on the same interface when 'multi'
-   isn't specified on that interface.
-
+1. Corrected double-counting of SYN packets.
+2. Added IANA reserved addresses to the rfc1918 file.
+3. Added MULTIPORT support.
+4. Added "logwatch" command to /sbin/shorewall.
 
 
 

Shorewall/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of 
 #       Shoreline Firewall.
 
-VERSION=1.3.1
+VERSION=1.3.2
 
 usage() # $1 = exit status
 {

Shorewall/firewall

@@ -1515,13 +1515,15 @@ process_rule() {
         case $proto in
 	    tcp|udp|TCP|UDP|6|17)
 	    	if [ -n "$port" -a "x${port}" != "x-" ]; then
+		    [ `list_count $port` -gt 1 ] && \
+			multiport="$multioption"
 		    dports="--dport $port"
-		    multiport="$multioption"
 	        fi
 
 		if [ -n "$cport" -a "x${cport}" != "x-" ]; then
+		    [ `list_count $cport` -gt 1 ] && \
+			multiport="$multioption"
 		    sports="--sport $cport"
-		    multiport="$multioption"
 		fi
 		;;
 	    icmp|ICMP|0)

Shorewall/install.sh

@@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.3.1
+VERSION=1.3.2
 
 usage() # $1 = exit status
 {

Shorewall/releasenotes.txt

@@ -2,13 +2,12 @@ This is a minor release of Shorewall.
 
 In this release:
 
-1. The handling of "all z CONTINUE" policies has been corrected. Use of
-   these policies greatly simplifies whitelisting and other nested zone
-   configuration.
+1. A new "logwatch" command has been added to the /sbin/shorewall program.
+
+2. Shorewall can now take advantage of the Netfilter 'multiport' match
+   function. 
    
-2. Added an /etc/shorewall/rfc1918 configuration file for defining the
-   behavior of the 'norfc1918' interface option.
-
+3.
 
 
 

Shorewall/shorewall.conf

@@ -213,11 +213,15 @@ NAT_BEFORE_RULES=Yes
 # If your kernel supports the multiport match option, you may enable it's use
 # here. When this option is enabled by setting it's value to "Yes" or "yes":
 #
-#	1) You may not list more that 15 ports in a comma-seperated list in
-#	   /etc/shorewall/rules.
+#	1) If you list more that 15 ports in a comma-seperated list in
+#	   /etc/shorewall/rules, Shorewall will not use the multiport option
+#	   but will generate a separate rule for each element of each port
+#	   list.
 #	2) If you include a port range (<low port>:<high port>) in the
 #	   rule, Shorewall will not use the multiport option but will generate
 #	   a separate rule for each element of each port list.
+#
+# if this variable is not set or is set to the empty value, "No" is assumed.
 
 MULTIPORT=No
 

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.3
-%define release 1
+%define release 2
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -78,6 +78,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Sun Jun 02 2002 Tom Eastep <tom@shorewall.net>
+- Changed version to 1.3.1
 * Fri May 31 2002 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.3.1
 - Added the rfc1918 file

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=1.3.1
+VERSION=1.3.2
 
 usage() # $1 = exit status
 {