Clarify intra-zone changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2559 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-08-24 22:39:19 +00:00 · 2005-08-24 22:39:19 +00:00 · 36590a52ab
commit 36590a52ab
parent 78283799c8
3 changed files with 21 additions and 5 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -11,6 +11,8 @@ Changes in 2.5.3

 5) Make intra-zone policies more rational.

+6) Clear the raw table on stop and [re]start
+
 Changes in 2.5.2

 1) Allow port lists in /etc/sorewall/accounting.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -1994,6 +1994,10 @@ stop_firewall() {
 	run_iptables -t mangle -F && \
 	run_iptables -t mangle -X

+    [ -n "$RAW_TABLE" ] && \
+	run_iptables -t raw -F && \
+	run_iptables -t raw -X	
+
    [ -n "$NAT_ENABLED" ] && delete_nat
    delete_proxy_arp
    [ -n "$CLEAR_TC" ] && delete_tc1
@ -7011,6 +7015,7 @@ determine_capabilities() {
    XMARK=
    CONNMARK=
    CONNMARK_MATCH=
+    RAW_TABLE=

    qt $IPTABLES -N fooX1234
    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@ -7030,6 +7035,7 @@ determine_capabilities() {
    qt $IPTABLES -t mangle -F fooX1234
    qt $IPTABLES -t mangle -X fooX1234

+    qt $IPTABLES -t raw	   -L -n							&& RAW_TABLE=Yes

    if qt mywhich ipset; then
 	qt ipset -X fooX1234 # Just in case something went wrong the last time
@ -7077,6 +7083,7 @@ report_capabilities() {
    report_capability "Extended MARK Target" $XMARK
    report_capability "CONNMARK Target" $CONNMARK
    report_capability "Connmark Match" $CONNMARK_MATCH
+    report_capability "Raw Table" $RAW_TABLE
 }

 #
@ -7156,6 +7163,10 @@ initialize_netfilter () {
 	run_iptables -t mangle -F && \
 	run_iptables -t mangle -X

+    [ -n "$RAW_TABLE" ] && \
+	run_iptables -t raw -F && \
+	run_iptables -t raw -X
+
    [ -n "$CLEAR_TC" ] && delete_tc

    echo "Deleting user chains..."
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -2,6 +2,9 @@ Shorewall 2.5.3

 Problems Corrected in 2.5.3:

+1)  The Netfilter 'raw' table is now cleared during "shorewall stop",
+    "shorewall [re]start" and "shorewall clear".
+
 New Features in Shorewall 2.5.3

 1)  You may now specify "!" followed by a list of addresses in the
@ -28,14 +31,14 @@ New Features in Shorewall 2.5.3

    /etc/shorewall/rules:

-    DNAT	fw	 loc:192.168.1.4:3128	tcp	80
+    DNAT	loc:!192.168.1.4  loc:192.168.1.4:3128	tcp	80

-    Any other fw->fw traffic will still be accepted. If you want to
-    also log that fw->fw traffic at the info log level then add this to
-    /etc/shorewall/policy:
+    Any other loc->loc traffic will still be accepted. If you want to
+    also log that other loc->loc traffic at the info log level then
+    insert this into /etc/shorewall/policy:

    #SOURCE	DEST	POLICY	LOG LEVEL
-    fw		fw	ACCEPT	info
+    loc		loc	ACCEPT	info

 Problems Corrected in 2.5.2: