holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add missing ! logic

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5445 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-02-26 16:48:24 +00:00
parent b74346533b
commit 423610a24d
3 changed files with 18 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in 3.4.0 Final
1) Add missing logic for "!" rules.
Changes in 3.4.0 RC 3 Changes in 3.4.0 RC 3
1) Add warning about 'loose' and 'balance' 1) Add warning about 'loose' and 'balance'

12
Shorewall/compiler
View File

@ -2526,7 +2526,7 @@ process_macro() # $1 = target
# #
process_rules() process_rules()
{ {
local comment= local comment= optimize
# #
# Process a rule where the source or destination is "all" # Process a rule where the source or destination is "all"
# #
@ -2541,7 +2541,7 @@ process_rules()
if [ "${ysourcezone}" != "${ydestzone}" -o "$2" = Yes ] ; then if [ "${ysourcezone}" != "${ydestzone}" -o "$2" = Yes ] ; then
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
if [ "$ypolicy" != NONE ]; then if [ "$ypolicy" != NONE ]; then
if [ $OPTIMIZE -gt 0 ]; then if [ $optimize -gt 0 ]; then
eval yloglevel=\$${ysourcezone}2${ydestzone}_loglevel eval yloglevel=\$${ysourcezone}2${ydestzone}_loglevel
if [ -n "$yloglevel" ]; then if [ -n "$yloglevel" ]; then
if [ x$ypolicy:$yloglevel = x$xtarget ]; then if [ x$ypolicy:$yloglevel = x$xtarget ]; then
@ -2633,8 +2633,14 @@ process_rules()
continue continue
fi fi
optimize=$OPTIMIZE;
case "${xtarget%%:*}" in case "${xtarget%%:*}" in
ACCEPT|ACCEPT+|ACCEPT!|NONAT|DROP|DROP!|REJECT|REJECT!|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-) ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
do_it No
;;
ACCEPT!|DROP!REJECT!|QUEUE!|CONTINUE!)
optimize=0
do_it No do_it No
;; ;;
COMMENT) COMMENT)

34
Shorewall/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 3.4.0 RC3 Shorewall 3.4.0
Release Highlights Release Highlights
@ -28,35 +28,11 @@ Release Highlights
/etc/shorewall/route_rules and reverses those changes when /etc/shorewall/route_rules and reverses those changes when
appropriate. appropriate.
Problems Corrected in 3.4.0 RC3 Problems Corrected in 3.4.0 Final.
1) The route_rules file was being ignored. This has been corrected. 1) In the rules file, following the action with "!" is supposed to
exempt the rule from being suppressed by OPTIMIZE=Yes. That feature
2) If an IP range was specified in a 'drop' or 'reject' command was not working.
(including the logging forms) and a 'shorewall save' was performed,
then the next time that Shorewall was restarted, new connections
from outside the firewall were totally blocked.
3) If a 'start' or restart' command failed during the compile phase,
/sbin/shorewall erroneously returned an exit status of 0.
4) If IMPLICIT_CONTINUE=Yes was in effect, then sub-zones received the
implicit CONTINUE policy for their intra-zone traffic (rather than
the implicit ACCEPT policy for such traffic). This could cause
intra-zone traffic to be rejected by rules for one of the
parent zones.
Other Changes in 3.4.0 RC3
1) A warning is now issued when 'loose' and 'balance' are specified together
for a provider. This combination of options can lead to packets being
dropped as 'martians'.
2) If the 'setkey' program is installed, then the IPSEC SPD and SAD
are displayed in the output of "shorewall[-lite] dump. All key
information (E: and A: lines) is suppressed in the command output
so that the output of "dump" cannot be used to breach IPSEC
security.
Migration Considerations: Migration Considerations: