From 429b6924dec57e003bf815d80db73a481877a06d Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 6 Apr 2004 22:11:11 +0000 Subject: [PATCH] Reformat the code in define_firewall() git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1251 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 40 +--------------- Shorewall2/firewall | 72 ++++++---------------------- Shorewall2/releasenotes.txt | 95 ++----------------------------------- 3 files changed, 22 insertions(+), 185 deletions(-)
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 666c63b2d..e9f4022a7 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -1,40 +1,4 @@ -Changes since 2.0.0 +Changes since 2.0.1 -1) Eliminate Warning about Policy as rule when using actions. +1) Reformat the code in define_firewall(). -2) Add bridging Code. - -3) Cleanup Warning elimination. - -4) Add 'nobogons' - -5) Add 'netmap' - -6) Fix another _frwd problem. - -7) Add -x option to /sbin/shorewall. - -8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC. - -9) Improve zone-definition checking. - -10) Add additional options to hosts file - -11) Replace 'subnet' with 'network' in the code - -12) Fix item 10 above :-( - -13) Replace good code with crap to satisfy 'ash'. - -14) Fix if_match to only do wild-card matches on patterns ending in - "+". - -15) Tighten edits on bridge port names. - -16) Make 'routeback' on interfaces work again. - -17) Reduce useless intra-zone rules on bridges. - -18) Make 'routeback' on hosts work again. - -19) Fix display of ICMP packets.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index ebaea2e66..6e8916777 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -5130,7 +5130,6 @@ activate_rules() done for interface in $all_interfaces ; do - run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) run_iptables -A INPUT -i $interface -j $(input_chain $interface) addnatjump POSTROUTING $(masq_chain $interface) -o $interface 
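Review bot: Removing `run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)` from this per-interface loop is a behavioural change, not a reformat: after it, this loop no longer links an interface's forward chain into FORWARD, while the INPUT jump and the POSTROUTING masq jump on the following lines are kept, so forwarded traffic on that interface is checked only against whatever else remains in FORWARD. If the jump is now added elsewhere (the loop ending at the `done` at the top of the hunk is a plausible place), the commit message and the changelog entry, which both describe this commit as a reformat of define_firewall() only, should say so; if it is not, forwarded traffic silently bypasses the per-interface forward rules. activate_rules() starts and ends outside the hunk.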
@@ -5196,83 +5195,42 @@ define_firewall() # $1 = Command (Start or Restart) echo "${1}ing Shorewall..." verify_os_version - verify_ip - load_kernel_modules - echo "Initializing..." - - initialize_netfilter - - echo "Configuring Proxy ARP" - - setup_proxy_arp - - echo "Setting up NAT..." - - setup_nat - - echo "Setting up NETMAP..." - - setup_netmap - - echo "Adding Common Rules" - - add_common_rules + echo "Initializing..."; initialize_netfilter + echo "Configuring Proxy ARP"; setup_proxy_arp + echo "Setting up NAT..."; setup_nat + echo "Setting up NETMAP..."; setup_netmap + echo "Adding Common Rules"; add_common_rules tunnels=$(find_file tunnels) - [ -f $tunnels ] && \ - echo "Processing $tunnels..." && setup_tunnels $tunnels + echo "Processing $tunnels..." && setup_tunnels $tunnels maclist_hosts=$(find_hosts_by_option maclist) + [ -n "$maclist_hosts" ] && setup_mac_lists - if [ -n "$maclist_hosts" ] ; then - setup_mac_lists - fi - - rules=$(find_file rules) - - echo "Pre-processing Actions..." - - process_actions1 - - echo "Processing $rules..." - - process_rules - - echo "Processing Actions..." - - process_actions2 - - policy=$(find_file policy) - - echo "Processing $policy..." - - apply_policy_rules + echo "Pre-processing Actions..."; process_actions1 + echo "Processing $rules..."; process_rules + echo "Processing Actions..."; process_actions2 + echo "Processing $policy..."; apply_policy_rules masq=$(find_file masq) - - [ -f $masq ] && setup_masq $masq + [ -f $masq ] && setup_masq $masq tos=$(find_file tos) - [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos ecn=$(find_file ecn) - [ -f $ecn ] && [ -n "$MANGLE_ENABLED" ] && setup_ecn $ecn - [ -n "$TC_ENABLED" ] && setup_tc + [ -n "$TC_ENABLED" ] && setup_tc - echo "Activating Rules..." - - activate_rules + echo "Activating Rules..."; activate_rules [ -n "$aliases_to_add" ] && \ - echo "Adding IP Addresses..." && \ - add_ip_aliases + echo "Adding IP Addresses..." && add_ip_aliases run_user_exit start 
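Review bot: `rules=$(find_file rules)` and `policy=$(find_file policy)` are removed, yet the new lines `echo "Processing $rules..."; process_rules` and `echo "Processing $policy..."; apply_policy_rules` still expand `$rules` and `$policy`; unless both variables are assigned before this point outside the hunk (process_actions1 or an earlier global would be the likely places), the progress messages now print an empty file name. If they are set elsewhere, a one-line comment on the new lines such as `# $rules and $policy are assigned in <FUNCTION-OR-SECTION>` would stop the next reader from re-adding the lookups. The re-indented guards such as `[ -f $tunnels ] && \` and `[ -f $masq ] && setup_masq $masq` keep the original unquoted expansions; quoting them (`[ -f "$masq" ]`) is a cheap hardening to fold into a reformat even though these paths come from find_file rather than from user input. define_firewall()'s body continues after `run_user_exit start`, outside the hunk.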
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index cc2f9bee0..eed245316 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -1,100 +1,15 @@ -Shorewall 2.0.1 +Shorewall 2.0.2-Beta 1 ---------------------------------------------------------------------- -Problems Corrected since 2.0.0 +Problems Corrected since 2.0.1 -1) Using actions in the manner recommended in the documentation - results in a Warning that the rule is a policy. - -2) When a zone on a single interface is defined using - /etc/shorewall/hosts, superfluous rules are generated in the - _frwd chain. - -3) Thanks to Sean Mathews, a long-standing problem with Proxy ARP and - IPSEC has been corrected. Thanks Sean!!! - -4) The "shorewall show log" and "shorewall logwatch" commands - incorrectly displayed type 3 ICMP packets. +None. ----------------------------------------------------------------------- Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1: -1) The function of 'norfc1918' is now split between that option and a - new 'nobogons' option. - - The rfc1918 file released with Shorewall now contains entries for - only those three address ranges reserved by RFC 1918. A 'nobogons' - interface option has been added which handles bogon source - addresses (those which are reserved by the IANA, those reserved for - DHCP auto-configuration and the class C test-net reserved for - testing and documentation examples). This will allow users to - perform RFC 1918 filtering without having to deal with out - of date data from IANA. Those who are willing to update their - /usr/share/shorewall/bogons file regularly can specify the - 'nobogons' option in addition to 'norfc1918'. - - The level at which bogon packets are logged is specified in the new - BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not - specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then - bogon packets whose TARGET is 'logdrop' in - /usr/share/shorewall/bogons are logged at the 'info' level. +None. New Features: -1) Support for Bridging Firewalls has been added. 
For details, see - - http://shorewall.net/bridge.html - -2) Support for NETMAP has been added. NETMAP allows NAT to be defined - between two network: - - a.b.c.1 -> x.y.z.1 - a.b.c.2 -> x.y.z.2 - a.b.c.3 -> x.y.z.3 - ... - - http://shorewall.net/netmap.html - -3) The /sbin/shorewall program now accepts a "-x" option to cause - iptables to print out the actual packet and byte counts rather than - abbreviated counts such as "13MB". - - Commands affected by this are: - - shorewall -x show [ [ ...] ] - shorewall -x show tos|mangle - shorewall -x show nat - shorewall -x status - shorewall -x monitor [ ] - -4) Shorewall now traps two common zone definition errors: - - - Including the firewall zone in a /etc/shorewall/hosts record. - - Defining an interface for a zone in both /etc/shorewall/interfaces - and /etc/shorewall/hosts. - - In the second case, the following will appear during "shorewall - [re]start" or "shorewall check": - - Determining Hosts in Zones... - ... - Error: Invalid zone definition for zone - Terminated - -5) To support bridging, the following options have been added to - entries in /etc/shorewall/hosts: - - norfc1918 - nobogons - blacklist - tcpflags - nosmurfs - newnotsyn - - With the exception of 'newnotsyn', these options are only - useful when the entry refers to a bridge port. - - Example: - - #ZONE HOST(S) OPTIONS - net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs +None.