diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index 647a499ae..ba67fb7de 100644 --- a/Shorewall-common/shorewall-common.spec +++ b/Shorewall-common/shorewall-common.spec @@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.2.6 +%define version 4.2.7 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -114,6 +114,7 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcclasses %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcdevices %attr(0600,root,root) %config(noreplace) /etc/shorewall/tcfilters +%attr(0600,root,root) %config(noreplace) /etc/shorewall/notrack %attr(0600,root,root) /etc/shorewall/Makefile %attr(0755,root,root) /sbin/shorewall @@ -169,6 +170,7 @@ fi %attr(0644,root,root) /usr/share/shorewall/configfiles/tcclasses %attr(0644,root,root) /usr/share/shorewall/configfiles/tcdevices %attr(0644,root,root) /usr/share/shorewall/configfiles/tcfilters +%attr(0644,root,root) /usr/share/shorewall/configfiles/notrack %attr(0644,root,root) /usr/share/shorewall/configfiles/Makefile %attr(0644,root,root) %{_mandir}/man5/* @@ -177,6 +179,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples swping swping.init isusable %changelog +* Sat Feb 21 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.7-0base * Thu Feb 05 2009 Tom Eastep tom@shorewall.net - Add 'restored' script * Wed Feb 04 2009 Tom Eastep tom@shorewall.net diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index ac76de363..f25af4b24 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -53,10 +53,6 @@ our $reused = 0; our $family = F_IPV4; -our $rtc; - -use constant { NORTC => 1, RTCONLY => 2 }; - # # Reinitilize the package-globals in the other modules # 
@@ -574,74 +570,6 @@ EOF } -# -# Compile stop_rtc() -# -sub compile_stop_rtc() { - - emit <<'EOF'; -# -# Stop/restore RTC after an error or because of a 'stop' or 'clear' command -# -stop_rtc() { - - case $COMMAND in - stop|clear|restore) - ;; - *) - set +x - - case $COMMAND in - start) - logger -p kern.err "ERROR:$PRODUCT start failed" - ;; - restart) - logger -p kern.err "ERROR:$PRODUCT restart failed" - ;; - restore) - logger -p kern.err "ERROR:$PRODUCT restore failed" - ;; - esac - ;; - esac - - STOPPING="Yes" - - TERMINATOR= - - run_stop_exit -EOF - push_indent; - - emit 'delete_tc1'; - - emit( 'undo_routing', - 'restore_default_route' - ); - - emit 'run_stopped_exit'; - - pop_indent; - - emit ' - logger -p kern.info "$PRODUCT Stopped" - - case $COMMAND in - stop|clear) - ;; - *) - # - # RTC is being stopped when we were trying to do something - # else. Kill the shell in case we\'re running in a subshell - # - kill $$ - ;; - esac -} -'; - -} - # # Final stage of script generation. # @@ -656,24 +584,18 @@ EOF # sub generate_script_2($) { - unless ( $rtc == RTCONLY ) { - if ( $family == F_IPV4 ) { - progress_message2 "Creating iptables-restore input..."; - } else { - progress_message2 "Creating ip6tables-restore input..."; - } - - create_netfilter_load( $test ); - create_chainlist_reload( $_[0] ); + if ( $family == F_IPV4 ) { + progress_message2 "Creating iptables-restore input..."; + } else { + progress_message2 "Creating ip6tables-restore input..."; } + create_netfilter_load( $test ); + create_chainlist_reload( $_[0] ); + emit "#\n# Start/Restart the Firewall\n#"; - if ( $rtc == RTCONLY ) { - emit 'define_rtc() {'; - } else { - emit 'define_firewall() {'; - } + emit 'define_firewall() {'; push_indent; 
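Review bot: `create_chainlist_reload( $_[0] );` pulls the sub's only argument straight out of `@_` in the middle of the body, which is the one spot in this hunk that departs from the file's named-argument style; unpacking on the first line, `my ( $chainlist ) = @_;`, and calling `create_chainlist_reload( $chainlist );` would make the parameter's role visible where it is used. The name is a guess from the callee, so use whatever create_chainlist_reload actually expects. The rest of the new code here is the old RTCONLY branch flattened and reads fine. generate_script_2's body continues past the end of the hunk.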
@@ -698,134 +620,129 @@ sub generate_script_2($) { emit 'load_kernel_modules Yes'; } - unless ( $rtc == RTCONLY ) { - if ( $family == F_IPV4 ) { - emit ( '#', - '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', - '#', - 'qt1 $IPTABLES -N foox1234', - 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', - 'result=$?', - 'qt1 $IPTABLES -F foox1234', - 'qt1 $IPTABLES -X foox1234', - '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"', - '' ); - - for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { - emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", - 'if [ -n "$addr" ]; then', - ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', - ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', - ' if in_network $addr $network; then', - " error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"", - ' fi', - ' done', - "fi\n" ); - } + if ( $family == F_IPV4 ) { + emit ( '#', + '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', + '#', + 'qt1 $IPTABLES -N foox1234', + 'qt1 $IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', + 'result=$?', + 'qt1 $IPTABLES -F foox1234', + 'qt1 $IPTABLES -X foox1234', + '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. 
No version of Shorewall will run on this system"', + '' ); - emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', - '', - 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall', - '', - 'delete_proxyarp', - '' - ); - - if ( $capabilities{NAT_ENABLED} ) { - emit( 'if [ -f ${VARDIR}/nat ]; then', - ' while read external interface; do', - ' del_ip_addr $external $interface', - ' done < ${VARDIR}/nat', - '', - ' rm -f ${VARDIR}/nat', - "fi\n" ); - } - - emit "disable_ipv6\n" if $config{DISABLE_IPV6}; - - } else { - emit ( '#', - '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', - '#', - 'qt1 $IP6TABLES -N foox1234', - 'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', - 'result=$?', - 'qt1 $IP6TABLES -F foox1234', - 'qt1 $IP6TABLES -X foox1234', - '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"', - '' ); - - emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', - '', - 'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall', - '' - ); - + for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { + emit ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", + 'if [ -n "$addr" ]; then', + ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', + ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', + ' if in_network $addr $network; then', + " error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. 
Interface:$interface\"", + ' fi', + ' done', + "fi\n" ); } + + emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', + '', + 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall', + '', + 'delete_proxyarp', + '' + ); + + if ( $capabilities{NAT_ENABLED} ) { + emit( 'if [ -f ${VARDIR}/nat ]; then', + ' while read external interface; do', + ' del_ip_addr $external $interface', + ' done < ${VARDIR}/nat', + '', + ' rm -f ${VARDIR}/nat', + "fi\n" ); + } + + emit "disable_ipv6\n" if $config{DISABLE_IPV6}; + + } else { + emit ( '#', + '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', + '#', + 'qt1 $IP6TABLES -N foox1234', + 'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT', + 'result=$?', + 'qt1 $IP6TABLES -F foox1234', + 'qt1 $IP6TABLES -X foox1234', + '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"', + '' ); + + emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', + '', + 'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall', + '' + ); + } - unless ( $rtc == NORTC ) { - emit qq(delete_tc1\n) if $config{CLEAR_TC}; - } + emit qq(delete_tc1\n) if $config{CLEAR_TC}; set_global_variables; emit ''; - emit( 'setup_common_rules', '' ) unless $rtc == RTCONLY; + emit( 'setup_common_rules', '' ); - emit( 'setup_routing_and_traffic_shaping', '' ) unless $rtc == NORTC; + emit( 'setup_routing_and_traffic_shaping', '' ); - unless ( $rtc == RTCONLY ) { - emit 'cat > ${VARDIR}/proxyarp << __EOF__'; - dump_proxy_arp; - emit_unindented '__EOF__'; - - emit( '', - 'if [ "$COMMAND" != refresh ]; then' ); - - push_indent; - - emit 'cat > ${VARDIR}/zones << __EOF__'; - dump_zone_contents; - emit_unindented '__EOF__'; + emit 'cat > ${VARDIR}/proxyarp << __EOF__'; + dump_proxy_arp; + emit_unindented 
'__EOF__'; - pop_indent; + emit( '', + 'if [ "$COMMAND" != refresh ]; then' ); - emit "fi\n"; + push_indent; - emit '> ${VARDIR}/nat'; + emit 'cat > ${VARDIR}/zones << __EOF__'; + dump_zone_contents; + emit_unindented '__EOF__'; - add_addresses; + pop_indent; + + emit "fi\n"; + + emit '> ${VARDIR}/nat'; + + add_addresses; - emit( '', - 'if [ $COMMAND = restore ]; then', - ' iptables_save_file=${VARDIR}/$(basename $0)-iptables', - ' if [ -f $iptables_save_file ]; then' ); + emit( '', + 'if [ $COMMAND = restore ]; then', + ' iptables_save_file=${VARDIR}/$(basename $0)-iptables', + ' if [ -f $iptables_save_file ]; then' ); + + if ( $family == F_IPV4 ) { + emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' + } else { + emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux' + } - if ( $family == F_IPV4 ) { - emit ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' - } else { - emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux' - } - - emit<<'EOF'; + emit<<'EOF'; else fatal_error "$iptables_save_file does not exist" fi EOF - pop_indent; - setup_forwarding( $family ); - push_indent; - emit<<'EOF'; + pop_indent; + setup_forwarding( $family ); + push_indent; + emit<<'EOF'; set_state "Started" run_restored_exit else if [ $COMMAND = refresh ]; then chainlist_reload EOF - setup_forwarding( $family ); - emit<<'EOF'; + setup_forwarding( $family ); + emit<<'EOF'; run_refreshed_exit do_iptables -N shorewall set_state "Started" @@ -834,8 +751,8 @@ EOF restore_dynamic_rules conditionally_flush_conntrack EOF - setup_forwarding( $family ); - emit<<'EOF'; + setup_forwarding( $family ); + emit<<'EOF'; run_start_exit do_iptables -N shorewall set_state "Started" 
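Review bot: The RFC 1918 check emitted for interfaces with the `norfc1918` option lists `176.16.0.0/12`, but the private range defined by RFC 1918 is `172.16.0.0/12`; the re-indented line `'    for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',` should read `'    for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do',`. As written, an interface addressed in 172.16/12 never receives the warning the option exists to raise, while an interface in the public 176.16/12 space is flagged spuriously. The line is carried over unchanged from the old side, so the commit does not introduce the defect, but it touches every line of this block and would be the natural place to fix it. generate_script_2 both starts and ends outside this hunk.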
@@ -844,12 +761,8 @@ EOF [ $0 = ${VARDIR}/.restore ] || cp -f $(my_pathname) ${VARDIR}/.restore fi -EOF - - } - - emit<<'EOF'; - date > ${VARDIR}/restarted + +date > ${VARDIR}/restarted case $COMMAND in start) @@ -892,7 +805,6 @@ sub compiler { $export = 0; $test = 0; - $rtc = 1; sub edit_boolean( $ ) { my $val = numeric_value( shift ); @@ -909,11 +821,6 @@ sub compiler { defined($val) && ($val == F_IPV4 || $val == F_IPV6); } - sub edit_rtc( $ ) { - my $val = numberic_value( shift ); - defined($val) && ($val == 0 || $val == NORTC || $val == RTCONLY); - } - my %parms = ( object => { store => \$objectfile }, directory => { store => \$directory }, family => { store => \$family , edit => \&edit_family } , @@ -925,7 +832,6 @@ sub compiler { log => { store => \$log }, log_verbosity => { store => \$log_verbosity, edit => \&edit_verbosity } , test => { store => \$test }, - rtc => { store => \$rtc , edit => \&edit_rtc } , ); # # P A R A M E T E R P R O C E S S I N G 
@@ -977,33 +883,36 @@ sub compiler { # run_user_exit1 'compile'; # - # Z O N E D E F I N I T I O N - # (Produces no output to the compiled script) + # Z O N E D E F I N I T I O N + # (Produces no output to the compiled script) # - unless ( $rtc == RTCONLY ) { - determine_zones; - # - # Process the interfaces file. - # - validate_interfaces_file ( $export ); - # - # Process the hosts file. - # - validate_hosts_file; - # - # Report zone contents - # - zone_report; - # - # Do action pre-processing. - # - process_actions1; - # - # P O L I C Y - # (Produces no output to the compiled script) - # - validate_policy; - } + determine_zones; + # + # Process the interfaces file. + # + validate_interfaces_file ( $export ); + # + # Process the hosts file. + # + validate_hosts_file; + # + # Report zone contents + # + zone_report; + # + # Do action pre-processing. + # + process_actions1; + # + # P O L I C Y + # (Produces no output to the compiled script) + # + validate_policy; + # + # N O T R A C K + # (Produces no output to the compiled script) + # + setup_notrack; # # I N I T I A L I Z E # (Writes the initialize() function to the compiled script) 
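Review bot: `setup_notrack;` is a new call, yet no hunk in this diff adds a `use` line bringing that name into Shorewall::Compiler, and the module's import block is not part of the patch; if it was not updated in a separate change, the bareword fails at compile time under `use strict`, so confirm the import landed before merging. The new comment header follows the file's convention, but a short reason for the placement would help the next reader if the ordering matters, e.g. `# (Must follow zone/interface validation above)` — only if that dependency actually exists. compiler's body continues outside the hunk.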
@@ -1019,166 +928,154 @@ sub compiler { # unless ( $command eq 'check' ) { enable_object; - - if ( $rtc == RTCONLY ) { - compile_stop_rtc; - } else { - compile_stop_firewall; - } - + compile_stop_firewall; disable_object; } # # C O M M O N _ R U L E S # (Writes the setup_common_rules() function to the compiled script) # - if ( $rtc != RTCONLY ) { - enable_object; + enable_object; - unless ( $command eq 'check' ) { - unless ( $test ) { - if ( $family == F_IPV4 ) { - copy $globals{SHAREDIRPL} . 'prog.functions'; - } else { - copy $globals{SHAREDIRPL} . 'prog.functions6'; - } + unless ( $command eq 'check' ) { + unless ( $test ) { + if ( $family == F_IPV4 ) { + copy $globals{SHAREDIRPL} . 'prog.functions'; + } else { + copy $globals{SHAREDIRPL} . 'prog.functions6'; } - - emit( "\n#", - '# Setup Common Rules (/proc)', - '#', - 'setup_common_rules() {' - ); - - push_indent; - } - # - # Do all of the zone-independent stuff - # - add_common_rules; - # - # /proc stuff - # - if ( $family == F_IPV4 ) { - setup_arp_filtering; - setup_route_filtering; - setup_martian_logging; } + + emit( "\n#", + '# Setup Common Rules (/proc)', + '#', + 'setup_common_rules() {' + ); - setup_source_routing($family); - # - # Proxy Arp/Ndp - # - setup_proxy_arp; - # - # Handle MSS setings in the zones file - # - setup_zone_mss; - - unless ( $command eq 'check' ) { - pop_indent; - emit '}'; - } - - disable_object; + push_indent; } # + # Do all of the zone-independent stuff + # + add_common_rules; + # + # /proc stuff + # + if ( $family == F_IPV4 ) { + setup_arp_filtering; + setup_route_filtering; + setup_martian_logging; + } + + setup_source_routing($family); + # + # Proxy Arp/Ndp + # + setup_proxy_arp; + # + # Handle MSS setings in the zones file + # + setup_zone_mss; + + unless ( $command eq 'check' ) { + pop_indent; + emit '}'; + } + + disable_object; + # # R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G # (Writes the setup_routing_and_traffic_shaping() function to the compiled script) # - 
unless ( $rtc == NORTC ) { - enable_object; + enable_object; - unless ( $command eq 'check' ) { - emit( "\n#", - '# Setup routing and traffic shaping', - '#', - 'setup_routing_and_traffic_shaping() {' - ); - - push_indent; - } - # - # [Re-]establish Routing - # - setup_providers; - # - # TCRules and Traffic Shaping - # - setup_tc; - - unless ( $command eq 'check' ) { - pop_indent; - emit "}\n"; - } - - disable_object; + unless ( $command eq 'check' ) { + emit( "\n#", + '# Setup routing and traffic shaping', + '#', + 'setup_routing_and_traffic_shaping() {' + ); + + push_indent; } # + # [Re-]establish Routing + # + setup_providers; + # + # TCRules and Traffic Shaping + # + setup_tc; + + unless ( $command eq 'check' ) { + pop_indent; + emit "}\n"; + } + + disable_object; + # # N E T F I L T E R # (Produces no output to the compiled script) # - unless ( $rtc == RTCONLY ) { - process_tos; - - if ( $family == F_IPV4 ) { - # - # ECN - # - setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; - # - # Setup Masquerading/SNAT - # - setup_masq; - } + process_tos; + if ( $family == F_IPV4 ) { # - # MACLIST Filtration + # ECN # - setup_mac_lists 1; + setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; # - # Process the rules file. + # Setup Masquerading/SNAT # - process_rules; - # - # Add Tunnel rules. - # - setup_tunnels; - # - # Post-rules action processing. - # - process_actions2; - process_actions3; - # - # MACLIST Filtration again - # - setup_mac_lists 2; - # - # Apply Policies - # - apply_policy_rules; - - if ( $family == F_IPV4 ) { - # - # Setup Nat - # - setup_nat; - # - # Setup NETMAP - # - setup_netmap; - } - # - # Accounting. - # - setup_accounting; - # - # We generate the matrix even though we don't write out the rules. That way, we insure that - # a compile of the script won't blow up during that step. - # - generate_matrix; + setup_masq; } + # + # MACLIST Filtration + # + setup_mac_lists 1; + # + # Process the rules file. 
+ # + process_rules; + # + # Add Tunnel rules. + # + setup_tunnels; + # + # Post-rules action processing. + # + process_actions2; + process_actions3; + # + # MACLIST Filtration again + # + setup_mac_lists 2; + # + # Apply Policies + # + apply_policy_rules; + + if ( $family == F_IPV4 ) { + # + # Setup Nat + # + setup_nat; + # + # Setup NETMAP + # + setup_netmap; + } + # + # Accounting. + # + setup_accounting; + # + # We generate the matrix even though we don't write out the rules. That way, we insure that + # a compile of the script won't blow up during that step. + # + generate_matrix; + if ( $command eq 'check' ) { if ( $family == F_IPV4 ) { progress_message3 "Shorewall configuration verified"; diff --git a/Shorewall-perl/compiler.pl b/Shorewall-perl/compiler.pl index fff4dead6..4da4b1708 100755 --- a/Shorewall-perl/compiler.pl +++ b/Shorewall-perl/compiler.pl @@ -36,9 +36,6 @@ # --log= # Log file # --log_verbosity= # Log Verbosity range -1 to 2 # --family= # IP family; 4 = IPv4 (default), 6 = IPv6 -# --rtc # 0 = Generate Routing and Traffic shaping + Normal Netfilter logic (default) -# # 1 = Do not Generate Routing and Traffic shaping -# # 2 = Generate only the Routing and Traffic shaping part # use strict; use FindBin; @@ -78,7 +75,6 @@ my $log_verbose = 0; my $help = 0; my $test = 0; my $family = 4; # F_IPV4 -my $rtc = 0; Getopt::Long::Configure ('bundling'); @@ -101,7 +97,6 @@ my $result = GetOptions('h' => \$help, 'test' => \$test, 'f=i' => \$family, 'family=i' => \$family, - 'rtc=i' => \$rtc, ); usage(1) unless $result && @ARGV < 2; @@ -117,5 +112,4 @@ compiler( object => defined $ARGV[0] ? $ARGV[0] : '', log => $log, log_verbosity => $log_verbose, test => $test, - family => $family , - rtc => $rtc ); + family => $family ); diff --git a/Shorewall-shell/diff-3.4-compiler b/Shorewall-shell/diff-3.4-compiler deleted file mode 100644 index a35e0ad04..000000000 --- a/Shorewall-shell/diff-3.4-compiler +++ /dev/null 
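Review bot: Two comment typos are carried across the re-indented block in Compiler.pm: `# Handle MSS setings in the zones file` should read `# Handle MSS settings in the zones file`, and `we insure that` in the comment above `generate_matrix;` should be `we ensure that`. Every one of these lines is being rewritten by the de-indentation anyway, so fixing them here costs nothing and keeps the block's documentation clean. compiler's body continues past the hunk, which ends inside the `if ( $command eq 'check' )` block; the compiler.pl hunks on this same line are plain option removals and raise nothing.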
@@ -1,836 +0,0 @@ ---- ../../3.4/Shorewall/compiler 2007-10-26 19:10:45.000000000 -0400 -+++ compiler 2008-03-09 16:00:16.000000000 -0400 -@@ -1,6 +1,6 @@ - #!/bin/sh - # --# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V3.4 -+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall Compiler - V4.0 - # - # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] - # -@@ -35,6 +35,11 @@ - # SHOREWALL_DIR A directory name was passed to /sbin/shorewall - # VERBOSE Standard Shorewall verbosity control. - -+BASE_VERSION=40000 -+BASE_VERSION_PRINTABLE=4.0.0 -+CONFIG_VERSION=40000 -+CONFIG_VERSION_PRINTABLE=4.0.0 -+ - # - # Fatal error -- stops the compiler after issuing the error message - # -@@ -128,7 +133,8 @@ - # - append_file() # $1 = File Name - { -- local user_exit=$(find_file $1) -+ local user_exit -+ user_exit=$(find_file $1) - - case $user_exit in - $SHAREDIR/*) -@@ -210,7 +216,8 @@ - # - finish_chain_section() # $1 = canonical chain $2 = state list - { -- local policy policychain -+ local policy -+ local policychain - - [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state $2 -j ACCEPT - -@@ -241,7 +248,9 @@ - - finish_section() # $1 = Section(s) - { -- local zone zone1 chain -+ local zone -+ local zone1 -+ local chain - - for zone in $ZONES $FW; do - for zone1 in $ZONES $FW; do -@@ -263,7 +272,8 @@ - # - createchain() # $1 = chain name, $2 = If "yes", do section-end processing - { -- local c=$(chain_base $1) -+ local c -+ c=$(chain_base $1) - - run_iptables -N $1 - -@@ -286,7 +296,8 @@ - # - createchain2() # $1 = chain name, $2 = If "yes", create default rules - { -- local c=$(chain_base $1) -+ local c -+ c=$(chain_base $1) - - ensurechain $1 - -@@ -313,7 +324,8 @@ - # - havechain() # $1 = name of chain - { -- local c=$(chain_base $1) -+ local c -+ c=$(chain_base $1) - - eval test \"\$exists_${c}\" = Yes - } -@@ -675,11 +687,11 @@ - progress_message2 "Compiling IP Forwarding..." 
- - case "$IP_FORWARDING" in -- On|on) -+ On|on|ON|Yes|yes|YES) - save_progress_message "IP Forwarding Enabled" - save_command "echo 1 > /proc/sys/net/ipv4/ip_forward" - ;; -- Off|off) -+ Off|off|OFF|No|no|NO) - save_progress_message "IP Forwarding Disabled!" - save_command "echo 0 > /proc/sys/net/ipv4/ip_forward" - ;; -@@ -719,16 +731,25 @@ - # - log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule - { -- local level=$1 -- local chain=$2 -- local displayChain=$3 -- local disposition=$4 -- local rulenum= -- local limit= -- local tag=$6 -- local command=${7:--A} -+ local level -+ level=$1 -+ local chain -+ chain=$2 -+ local displayChain -+ displayChain=$3 -+ local disposition -+ disposition=$4 -+ local rulenum -+ rulenum= -+ local limit -+ limit= -+ local tag -+ tag=$6 -+ local command -+ command=${7:--A} - local prefix -- local base=$(chain_base $displayChain) -+ local base -+ base=$(chain_base $displayChain) - - limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash. - -@@ -739,9 +760,12 @@ - - log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... 
= predicates for the rule - { -- local level=$1 -- local chain=$2 -- local disposition=$3 -+ local level -+ level=$1 -+ local chain -+ chain=$2 -+ local disposition -+ disposition=$3 - - shift 3 - -@@ -756,9 +780,12 @@ - # $2 = synparams - # $3 = loglevel - { -- local chain=@$1 -- local limit=$2 -- local limit_burst= -+ local chain -+ chain=@$1 -+ local limit -+ limit=$2 -+ local limit_burst -+ limit_burst= - - case $limit in - *:*) -@@ -837,8 +864,10 @@ - # - setup_ecn() # $1 = file name - { -- local interfaces="" -- local hosts= -+ local interfaces -+ interfaces="" -+ local hosts -+ hosts= - local h - - if [ -s ${TMP_DIR}/ecn ]; then -@@ -886,7 +915,8 @@ - # - build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list - { -- local c=excl_${EXCLUSION_SEQ} net -+ local c -+ c=excl_${EXCLUSION_SEQ} net - - EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 )) - -@@ -916,7 +946,10 @@ - # Setup queuing and classes - # - setup_tc1() { -- local mark_part= comment= -+ local mark_part -+ mark_part= -+ local comment -+ comment= - # - # Create the TC mangle chains - # -@@ -1025,7 +1058,8 @@ - # - refresh_tc() { - -- local comment= -+ local comment -+ comment= - - if [ -n "$CLEAR_TC" ]; then - delete_tc -@@ -1089,9 +1123,12 @@ - # - compile_refresh_firewall() - { -- local INDENT="" -- local DOING="Compiling Refresh of" -- local DONE="Compiled" -+ local INDENT -+ INDENT="" -+ local DOING -+ DOING="Compiling Refresh of" -+ local DONE -+ DONE="Compiled" - local indent - - save_command "refresh_firewall()" -@@ -1142,7 +1179,8 @@ - process_action_file() # $1 = File Name - { - if ! list_search $1 $BUILTIN_ACTIONS; then -- local user_exit=$(find_file $1) -+ local user_exit -+ user_exit=$(find_file $1) - - if [ -f $user_exit ]; then - progress_message "Processing $user_exit ..." 
-@@ -1173,7 +1211,12 @@ - - createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ] - { -- local actchain= action=$1 level=$2 -+ local actchain -+ actchain= -+ local action -+ action=$1 -+ local level -+ level=$2 - - eval actchain=\${${action}_actchain} - -@@ -1259,7 +1302,14 @@ - # - find_logactionchain() # $1 = Action, including log level and tag if any - { -- local fullaction=$1 action=${1%%:*} level= chains= -+ local fullaction -+ fullaction=$1 -+ local action -+ action=${1%%:*} -+ local level -+ level= -+ local chains -+ chains= - - find_simpleaction() { - havechain $action || fatal_error "Fatal error in find_logactionchain" -@@ -1302,7 +1352,10 @@ - # - merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called - { -- local superior=$1 subordinate=$2 -+ local superior -+ superior=$1 -+ local subordinate -+ subordinate=$2 - - set -- $(split $1) - -@@ -1379,7 +1432,9 @@ - # - map_old_action() # $1 = Potential Old Action - { -- local macro= aktion -+ local macro -+ macro= -+ local aktion - - if [ -n "$MAPOLDACTIONS" ]; then - case $1 in -@@ -1432,7 +1487,8 @@ - # - substitute_action() # $1 = parameter, $2 = action - { -- local logpart=${2#*:} -+ local logpart -+ logpart=${2#*:} - - case $2 in - *:*) -@@ -1630,7 +1686,8 @@ - # policy = Applicable Policy - # - add_a_rule() { -- local natrule= -+ local natrule -+ natrule= - - do_ports() { - if [ -n "$port" ]; then -@@ -2118,19 +2175,32 @@ - # $9 = userspec - # $10= mark - { -- local target="$1" -- local clients="$2" -- local servers="$3" -- local protocol="$4" -- local ports="$5" -- local cports="$6" -- local address="$7" -- local ratelimit="$8" -- local userspec="$9" -- local mark="${10}" -- local userandgroup= -- local logtag= -- local nonat= -+ local target -+ target="$1" -+ local clients -+ clients="$2" -+ local servers -+ servers="$3" -+ local protocol -+ protocol="$4" -+ local ports -+ ports="$5" -+ local cports -+ cports="$6" -+ local address 
-+ address="$7" -+ local ratelimit -+ ratelimit="$8" -+ local userspec -+ userspec="$9" -+ local mark -+ mark="${10}" -+ local userandgroup -+ userandgroup= -+ local logtag -+ logtag= -+ local nonat -+ nonat= - - # # # # # F u n c t i o n B o d y # # # # # - -@@ -2483,21 +2553,35 @@ - # $9 = userspec - # $10= mark - { -- local itarget="$1" -- local param="$2" -- local iclients="$3" -- local iservers="$4" -- local iprotocol="$5" -- local iports="$6" -- local icports="$7" -- local iaddress="$8" -- local iratelimit="$9" -- local iuserspec="${10}" -- local imark="${11}" -+ local itarget -+ itarget="$1" -+ local param -+ param="$2" -+ local iclients -+ iclients="$3" -+ local iservers -+ iservers="$4" -+ local iprotocol -+ iprotocol="$5" -+ local iports -+ iports="$6" -+ local icports -+ icports="$7" -+ local iaddress -+ iaddress="$8" -+ local iratelimit -+ iratelimit="$9" -+ local iuserspec -+ iuserspec="${10}" -+ local imark -+ imark="${11}" - - progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." - - while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do -+ -+ [ $mtarget = COMMENT ] && continue -+ - mtarget=$(merge_levels $itarget $mtarget) - - case $mtarget in -@@ -2575,13 +2659,19 @@ - # - process_rules() - { -- local comment= optimize -+ local comment -+ comment= -+ local optimize - # - # Process a rule where the source or destination is "all" - # - process_wildcard_rule() # $1 = Yes, if this is a macro, $2 = Yes if we want intrazone traffic - { -- local yclients yservers ysourcezone ydestzone ypolicy -+ local yclients -+ local yservers -+ local ysourcezone -+ local ydestzone -+ local ypolicy - - for yclients in $xclients; do - for yservers in $xservers; do -@@ -2614,7 +2704,8 @@ - - do_it() # $1 = "Yes" if the target is a macro. 
- { -- local intrazone= -+ local intrazone -+ intrazone= - - if [ -z "$SECTIONS" ]; then - finish_section ESTABLISHED,RELATED -@@ -2794,17 +2885,35 @@ - # - process_default_macro() # $1 = macro name - { -- local macro=$1 -- local address= -- local multioption= -- local servport= -- local chain=$1 -- local logchain=$1 -- local userandgroup= -- local logtag= -- local excludesource= -- local target client server protocol port cport ratelimit userspec rule -- local f=$(find_file macro.${macro}) -+ local macro -+ macro=$1 -+ local address -+ address= -+ local multioption -+ multioption= -+ local servport -+ servport= -+ local chain -+ chain=$1 -+ local logchain -+ logchain=$1 -+ local userandgroup -+ userandgroup= -+ local logtag -+ logtag= -+ local excludesource -+ excludesource= -+ local target -+ local client -+ local server -+ local protocol -+ local port -+ local cport -+ local ratelimit -+ local userspec -+ local rule -+ local f -+ f=$(find_file macro.${macro}) - - havechain $macro && fatal_error "Illegal duplicate default macro name: $macro" - -@@ -3062,7 +3171,10 @@ - # - process_tos() # $1 = name of tos file - { -- local chain=pretos stdchain=PREROUTING -+ local chain -+ chain=pretos -+ local stdchain -+ stdchain=PREROUTING - - if [ -n "$MANGLE_FORWARD" ]; then - chain=fortos -@@ -3093,8 +3205,10 @@ - # $3 = loglevel - # $4 = Default Action/Macro - { -- local target="$2" -- local default="$4" -+ local target -+ target="$2" -+ local default -+ default="$4" - - if [ -n "$default" ]; then - [ "$default" = none ] || run_iptables -A $1 -j $default -@@ -3131,9 +3245,12 @@ - # - default_policy() # $1 = client $2 = server - { -- local chain="${1}2${2}" -- local policy= -- local loglevel= -+ local chain -+ chain="${1}2${2}" -+ local policy -+ policy= -+ local loglevel -+ loglevel= - local chain1 - - jump_to_policy_chain() { -@@ -3235,14 +3352,18 @@ - # - complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone - { -- local policy= -- local 
loglevel= -- local policychain= -- local default= -+ local policy -+ policy= -+ local loglevel -+ loglevel= -+ local policychain -+ policychain= -+ local default -+ default= - - run_user_exit $1 - -- run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT -+ [ -n "$FASTACCEPT" ] || run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT - - eval policychain=\$${2}2${3}_policychain - -@@ -3267,7 +3388,8 @@ - # - rules_chain() # $1 = source zone, $2 = destination zone - { -- local chain=${1}2${2} local policy -+ local chain -+ chain=${1}2${2} local policy - - havechain $chain && { echo $chain; return; } - -@@ -3376,8 +3498,10 @@ - - process_blacklist() - { -- local disposition=$BLACKLIST_DISPOSITION -- local f=$(find_file blacklist) -+ local disposition -+ disposition=$BLACKLIST_DISPOSITION -+ local f -+ f=$(find_file blacklist) - local target - - if [ -s $TMP_DIR/blacklist ]; then -@@ -3411,8 +3535,10 @@ - # Setup the Black List - # - setup_blacklist() { -- local hosts="$(find_hosts_by_option blacklist)" -- local ipsec policy -+ local hosts -+ hosts="$(find_hosts_by_option blacklist)" -+ local ipsec -+ local policy - - if [ -n "$hosts" -a -s ${TMP_DIR}/blacklist ]; then - progress_message2 "$DOING Blacklisting..." -@@ -3457,8 +3583,10 @@ - # Construct zone-independent rules - # - add_common_rules() { -- local savelogparms="$LOGPARMS" -- local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" -+ local savelogparms -+ savelogparms="$LOGPARMS" -+ local broadcasts -+ broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4" - # - # Populate the smurf chain - # -@@ -3788,7 +3916,7 @@ - - save_progress_message "Setting up Route Filtering..." 
- -- if [ -z "$ROUTE_FILTER" ]; then -+ if [ "$ROUTE_FILTER" = no ]; then - indent >&3 << __EOF__ - - for f in /proc/sys/net/ipv4/conf/*; do -@@ -3812,8 +3940,10 @@ - - save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" - -- if [ -n "$ROUTE_FILTER" ]; then -+ if [ "$ROUTE_FILTER" = yes ]; then - save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" -+ elif [ "$ROUTE_FILTER" = no ]; then -+ save_command "echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter" - fi - - save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache" -@@ -3829,7 +3959,7 @@ - - save_progress_message "Setting up Martian Logging..." - -- if [ -z "$LOG_MARTIANS" ]; then -+ if [ "$LOG_MARTIANS" = no ]; then - indent >&3 << __EOF__ - - for f in /proc/sys/net/ipv4/conf/*; do -@@ -3852,9 +3982,12 @@ - __EOF__ - done - -- if [ -n "$LOG_MARTIANS" ]; then -+ if [ "$LOG_MARTIANS" = yes ]; then - save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" - save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians" -+ elif [ "$LOG_MARTIANS" = no ]; then -+ save_command "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians" -+ save_command "echo 0 > /proc/sys/net/ipv4/conf/default/log_martians" - fi - - fi -@@ -3984,14 +4117,19 @@ - # - activate_rules() - { -- local PREROUTING_rule=1 -- local POSTROUTING_rule=1 -+ local PREROUTING_rule -+ PREROUTING_rule=1 -+ local POSTROUTING_rule -+ POSTROUTING_rule=1 - # - # Jump to a NAT chain from one of the builtin nat chains - # - addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { -- local sourcechain=$1 destchain=$2 -+ local sourcechain -+ sourcechain=$1 -+ local destchain -+ destchain=$2 - shift - shift - -@@ -4009,7 +4147,10 @@ - # - addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments - { -- local sourcechain=$1 destchain=$2 -+ local sourcechain -+ sourcechain=$1 -+ local destchain -+ destchain=$2 - shift - shift - -@@ -4037,7 +4178,15 @@ - # - insert_exclusions() # $1 = table 
$2 = chain name, $3 - $n = exclusions - { -- local t=$1 c=$2 num=0 host1 interface1 networks1 -+ local t -+ t=$1 -+ local c -+ c=$2 -+ local num -+ num=0 -+ local host1 -+ local interface1 -+ local networks1 - - shift 2 - -@@ -4053,7 +4202,13 @@ - # - add_exclusions() # $1 = table $2 = chain name, $3 - $n = exclusions - { -- local t=$1 c=$2 host1 interface1 networks1 -+ local t -+ t=$1 -+ local c -+ c=$2 -+ local host1 -+ local interface1 -+ local networks1 - - shift 2 - -@@ -4101,7 +4256,8 @@ - eval exclusions=\"\$${zone}_exclusions\" - - if [ -n "$exclusions" ]; then -- local num=1 -+ local num -+ num=1 - in_chain=${zone}_input - out_chain=${zone}_output - createchain $in_chain No -@@ -4549,8 +4705,10 @@ - # from that script are available here - # - compile_stop_firewall() { -- local IPTABLES_COMMAND="\$IPTABLES" -- local INDENT=" " -+ local IPTABLES_COMMAND -+ IPTABLES_COMMAND="\$IPTABLES" -+ local INDENT -+ INDENT=" " - - cat >&3 << __EOF__ - -@@ -4894,10 +5052,18 @@ - # - compile_firewall() # $1 = File Name - { -- local IPTABLES_COMMAND=run_iptables -- local INDENT="" -- local checking= outfile=$1 dir= -- local match= -+ local IPTABLES_COMMAND -+ IPTABLES_COMMAND=run_iptables -+ local INDENT -+ INDENT="" -+ local checking -+ checking= -+ local outfile -+ outfile=$1 -+ local dir -+ dir= -+ local match -+ match= - - setup_mss() - { -@@ -4951,7 +5117,7 @@ - - cat >&3 << __EOF__ - # --# Compiled firewall script generated by Shorewall $VERSION - $(date)" -+# Compiled firewall script generated by Shorewall-shell $VERSION - $(date)" - # - __EOF__ - -@@ -4959,7 +5125,10 @@ - cat >&3 << __EOF__ - SHAREDIR=/usr/share/shorewall-lite - CONFDIR=/etc/shorewall-lite --VARDIR=/var/lib/shorewall-lite -+ -+[ -f \${CONFDIR}/vardir ] && . 
\${CONFDIR}/vardir -+ -+[ -n "\${VARDIR:=/var/lib/shorewall-lite}" ] - - __EOF__ - -@@ -4976,7 +5145,10 @@ - cat >&3 << __EOF__ - SHAREDIR=/usr/share/shorewall - CONFDIR=/etc/shorewall --VARDIR=/var/lib/shorewall -+ -+[ -f \${CONFDIR}/vardir ] && . \${CONFDIR}/vardir -+ -+[ -n "\${VARDIR:=/var/lib/shorewall}" ] - - . \${SHAREDIR}/lib.base - __EOF__ -@@ -5139,7 +5311,8 @@ - fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget "-e" when you compiled?)" - fi - -- local version=\$(cat \${SHAREDIR}/version) -+ local version -+ version=\$(cat \${SHAREDIR}/version) - - if [ \${SHOREWALL_LIBVERSION:-0} -lt 30203 ]; then - fatal_error "This script requires Shorewall version 3.3.3 or later; current version is \$version" -@@ -5178,6 +5351,7 @@ - LOCKFILE="$LOCKFILE" - PATH="$PATH" - TERMINATOR=fatal_error -+ DONT_LOAD="$DONT_LOAD" - - __EOF__ - if [ -n "$IPTABLES" ]; then -@@ -5278,7 +5452,8 @@ - # Start/Restart/Reload the firewall - # - define_firewall() { -- local restore_file=\$1 -+ local restore_file -+ restore_file=\$1 - __EOF__ - - INDENT=" " -@@ -5727,9 +5902,9 @@ - # E X E C U T I O N B E G I N S H E R E - # - # --# Start trace if first arg is "debug" -+# Start trace if first arg is "debug" or "trace" - # --[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } -+[ $# -gt 1 ] && [ "x$1" = xdebug -o "x$1" = xtrace ] && { set -x ; shift ; } - - NOLOCK= - -@@ -5754,6 +5929,11 @@ - fi - done - -+VERSION=$(cat $SHELLSHAREDIR/version) -+ -+[ "$SHOREWALL_LIBVERSION" -eq $BASE_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.base version $BASE_VERSION_PRINTABLE" -+[ "$SHOREWALL_CONFIGVERSION" -eq $CONFIG_VERSION ] || fatal_error "Shorewall-shell $VERSION requires Shorewall-common lib.config version $CONFIG_VERSION_PRINTABLE" -+ - PROGRAM=compiler - - COMMAND="$1" 
diff --git a/Shorewall-shell/diff-3.4-lib.tunnels b/Shorewall-shell/diff-3.4-lib.tunnels
deleted file mode 100644
index 119144d1c..000000000
--- a/Shorewall-shell/diff-3.4-lib.tunnels
+++ /dev/null
@@ -1,94 +0,0 @@ ---- ../../3.4/Shorewall/lib.tunnels 2007-10-26 19:10:45.000000000 -0400 -+++ lib.tunnels 2008-03-09 15:55:46.000000000 -0400 -@@ -1,6 +1,6 @@ - #!/bin/sh - # --# Shorewall 3.4 -- /usr/share/shorewall/lib.tunnels -+# Shorewall 4.1 -- /usr/share/shorewall/lib.tunnels - # - # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] - # -@@ -37,19 +37,31 @@ - - setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones - { -- local kind=$1 noah= -+ local kind -+ kind=$1 -+ local noah -+ noah=noah - - case $kind in - *:*) - noah=${kind#*:} -- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\"" -+ case $noah in -+ ah|AH) -+ noah= -+ ;; -+ noah|NOAH) -+ ;; -+ *) -+ fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\"" -+ ;; -+ esac - kind=${kind%:*} - ;; - esac - - [ $kind = IPSEC ] && kind=ipsec - -- [ $kind = ipsec ] || noah=noah -+ [ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels" - - options="-m state --state NEW -j ACCEPT" - addrule2 $inchain -p 50 $source -j ACCEPT -@@ -125,8 +137,10 @@ - - setup_one_openvpn() # $1 = kind[:port] - { -- local protocol=udp -- local p=1194 -+ local protocol -+ protocol=udp -+ local p -+ p=1194 - - case $1 in - *:*:*) -@@ -150,8 +164,10 @@ - - setup_one_openvpn_server() # $1 = kind[:port] - { -- local protocol=udp -- local p=1194 -+ local protocol -+ protocol=udp -+ local p -+ p=1194 - - case $1 in - *:*:*) -@@ -175,8 +191,10 @@ - - setup_one_openvpn_client() # $1 = kind[:port] - { -- local protocol=udp -- local p=1194 -+ local protocol -+ protocol=udp -+ local p -+ p=1194 - - case $1 in - *:*:*) -@@ -201,7 +219,8 @@ - setup_one_generic() # $1 = kind:protocol[:port] - { - local protocol -- local p= -+ local p -+ p= - - case $1 in - *:*:*) diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh index 0baa4fbe3..78c4c6cc0 100755 --- a/Shorewall6/install.sh +++ b/Shorewall6/install.sh 
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=4.2.6 +VERSION=4.2.7 usage() # $1 = exit status { @@ -478,7 +478,7 @@ fi # # Install the Notrack file # -run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewal6/configfiles/notrack +run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec index 289f4fa35..46c39044c 100644 --- a/Shorewall6/shorewall6.spec +++ b/Shorewall6/shorewall6.spec @@ -1,5 +1,5 @@ %define name shorewall6 -%define version 4.2.6 +%define version 4.2.7 %define release 0base Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. @@ -91,6 +91,7 @@ fi %attr(0600,root,root) %config(noreplace) /etc/shorewall6/route_rules %attr(0600,root,root) %config(noreplace) /etc/shorewall6/tcclasses %attr(0600,root,root) %config(noreplace) /etc/shorewall6/tcdevices +%attr(0600,root,root) %config(noreplace) /etc/shorewall6/notrack %attr(0600,root,root) /etc/shorewall6/Makefile %attr(0755,root,root) /sbin/shorewall6 @@ -134,6 +135,7 @@ fi %attr(0644,root,root) /usr/share/shorewall6/configfiles/route_rules %attr(0644,root,root) /usr/share/shorewall6/configfiles/tcclasses %attr(0644,root,root) /usr/share/shorewall6/configfiles/tcdevices +%attr(0644,root,root) /usr/share/shorewall6/configfiles/notrack %attr(0644,root,root) /usr/share/shorewall6/configfiles/Makefile %attr(0644,root,root) %{_mandir}/man5/* @@ -142,6 +144,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog +* Sat Feb 21 2009 Tom Eastep tom@shorewall.net +- Updated to 4.2.7-0base * Wed Feb 05 2009 Tom Eastep tom@shorewall.net - Added 'restored' script * Wed Feb 04 2009 Tom Eastep tom@shorewall.net 
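Review bot: The corrected `run_install` target in the `@@ -478,7 +478,7 @@` hunk of Shorewall6/install.sh fixes the misspelled `shorewal6` directory, but nothing in the hunk removes the stray tree that the old side of this line created on any host that ran the previous installer, so upgrades leave an orphaned `${PREFIX}/usr/share/shorewal6/configfiles/notrack` behind. I would add a guarded cleanup immediately before the install line, `[ -d ${PREFIX}/usr/share/shorewal6 ] && rm -rf ${PREFIX}/usr/share/shorewal6`, with a one-line comment such as `# remove the misspelled directory shipped by earlier 4.2.x installers` so the reason survives. The following `if [ -z "$CYGWIN" -a ! -f ... ]` check installs the 0600 copy under /etc only when absent, which matches the `%config(noreplace)` entries in the spec hunks below, so that part looks consistent; the non-portable `-a` inside `test` is a pre-existing style point rather than a regression.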
diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml index 8a519a069..1570e6002 100644 --- a/manpages/shorewall-providers.xml +++ b/manpages/shorewall-providers.xml @@ -72,7 +72,7 @@ - MARK - + MARK (Optional) - value @@ -85,7 +85,10 @@ must be a multiple of 256 between 256 and 65280 or their hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte of the value being zero). Otherwise, the value must be between 1 and 255. Each - provider must be assigned a unique mark value. + provider must be assigned a unique mark value. This column may be + omitted if you don't use packet marking to direct connections to a + particular provider and you don't specify in + the OPTIONS column. diff --git a/manpages6/shorewall6-providers.xml b/manpages6/shorewall6-providers.xml index 1fdf3ed27..3ae3145bb 100644 --- a/manpages6/shorewall6-providers.xml +++ b/manpages6/shorewall6-providers.xml @@ -72,7 +72,7 @@ - MARK - + MARK (Optional) - value @@ -85,7 +85,10 @@ value must be a multiple of 256 between 256 and 65280 or their hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte of the value being zero). Otherwise, the value must be between 1 and - 255. Each provider must be assigned a unique mark value. + 255. Each provider must be assigned a unique mark value. This column + may be omitted if you don't use packet marking to direct connections + to a particular provider and you don't specify + in the OPTIONS column.