1.4.10 RC2 and fixes for broadcast rejects, ratelimiting and CONTINUE rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1092 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=1.4.10-RC1
+VERSION=1.4.10-RC2
 
 usage() # $1 = exit status
 {

Shorewall/firewall

@@ -2944,6 +2944,8 @@ process_rule() # $1 = target
 
     # Function Body - isolate rate limit
 
+    [ "x$ratelimit" = "x-" ] && ratelimit=
+
     if [ -z "$ratelimit" ]; then
 	if [ "$target" != "${target%<*}" ]; then
 	    ratelimit="${target#*<}"
@@ -2955,9 +2957,6 @@ process_rule() # $1 = target
     
     if [ -n "$ratelimit" ]; then
 	case $ratelimit in
-	    -)
-		ratelimit=
-		;;
 	    *:*)
 		ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
 		;;
@@ -2995,7 +2994,11 @@ process_rule() # $1 = target
 	case "$userset" in
 	    *:*)
 		case $target in 
-		    ACCEPT|REJECT|DROP)
+		    ACCEPT)
+			;;
+		    REJECT|DROP)
+			[ -n "$ratelimit" ] && fatal_error \
+			    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 			;;
 		    *)
 			fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
@@ -3021,9 +3024,13 @@ process_rule() # $1 = target
 			target=`accept_chain $userset`
 			;;
 		    DROP)
+			[ -n "$ratelimit" ] && fatal_error \
+			    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 			target=`drop_chain $userset`
 			;;
 		    REJECT)
+			[ -n "$ratelimit" ] && fatal_error \
+			    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 			target=`reject_chain $userset`
 			;;
 		    *)
@@ -3039,8 +3046,15 @@ process_rule() # $1 = target
 	    ACCEPT|LOG)
 		;;
 	    REJECT)
+		[ -n "$ratelimit" ] && fatal_error \
+		    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
 		target=reject
 		;;
+	    CONTINUE)
+		[ -n "$ratelimit" ] && fatal_error \
+		    "Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG"
+		target=RETURN
+		;;
 	    DNAT)
 		target=ACCEPT
 		address=${address:=detect}
@@ -4433,6 +4447,19 @@ add_common_rules() {
     # Reject Rules
     #
     run_iptables -A reject -p tcp  -j REJECT --reject-with tcp-reset
+    #
+    # Don't respond to broadcasts with an ICMP
+    #
+    qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
+    if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
+	run_iptables -A reject -d 255.255.255.255 -j DROP
+	run_iptables -A reject -d 224.0.0.0/4     -j DROP
+    
+	for address in $(find_broadcasts) ; do
+	    run_iptables -A reject -d $address -j DROP
+	done
+    fi
+
     run_iptables -A reject -p udp  -j REJECT
     #
     # Not all versions of iptables support these so don't complain if they don't work

Shorewall/install.sh

@@ -54,7 +54,7 @@
 #        /etc/rc.d/rc.local file is modified to start the firewall.
 #
 
-VERSION=1.4.10-RC1
+VERSION=1.4.10-RC2
 
 usage() # $1 = exit status
 {

Shorewall/releasenotes.txt

@@ -9,6 +9,8 @@ Problems Corrected since version 1.4.9:
    during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
    specified in /etc/shorewall/shorewall.conf.
 
+3. Shorewall now tried to avoid sending an ICMP response to broadcasts.
+
 Migration Issues:
 
 None.
@@ -45,7 +47,7 @@ New Features:
    /etc/shorewall/interfaces. This option automatically taylors the
    definition of the zone named in the ZONE column to include just
    those hosts that have routes through the interface named in the
-   INTERFACE column. The named interface must be UP prior when
+   INTERFACE column. The named interface must be UP when
    Shorewall is [re]started.
 
    WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 1.4.10
-%define release 0RC1
+%define release 0RC2
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -109,8 +109,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
-* Tue Jan 22 2004 Tom Eastep <tom@shorewall.net>
-- Changed version to 1.4.10
+* Sat Jan 24 2004 Tom Eastep <tom@shorewall.net>
+- Changed version to 1.4.10-RC2
+* Thu Jan 22 2004 Tom Eastep <tom@shorewall.net>
+- Changed version to 1.4.10-RC1
 * Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
 - Changed version to 1.4.9
 * Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=1.4.10-RC1
+VERSION=1.4.10-RC2
 
 usage() # $1 = exit status
 {