Fix nat table logging bugs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1451 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

STABLE2/changelog.txt

@@ -1,46 +1,3 @@
-Changes since 2.0.2
+Changes since 2.0.3c
 
-1) Remove restore files; don't generate them for non-statechanging
-   commands.
-
-2) Restore file now loads kernel modules.
-
-3) Minor tweaks to the restore mechanism.
-
-4) Allow "!" in accounting rules.
-
-5) Backport bug fixes from stable (/var/lib/shorewall existence and
-   null common action).
-
-6) Add lots of overhead to [re]start in order to catch typing errors.
-
-7) Correct reporting of installation directory in install.sh.
-
-8) Load kernel modules before detecting capabilities.
-
-9) Added the 'rejectNonSyn' standard built-in action.
-
-10) Merged Tuomo Soini's patch to the install script.
-
-11) Correct brain-cramp in module loading fix (8 above).
-
-12) Add 'key' to sample tunnel file.
-
-13) Allow multiple saved configurations.
-
-14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
-
-15) Fix rules that have bridge ports in both SOURCE and DEST. Update
-    comments in the rules file WRT "all" in SOURCE or DEST.
-
-16) Pass INVALID icmp packets through the blacklisting chains.
-
-17) Fix bogus code in process_tc_rule()
-
-18) Fix security vulnerability involving temporary files/directories.
-
-19) Hack security fix so that it works under Slackware.
-
-20) Fix mktempfile() where there is no mktemp utility.
-
-21) Hack security fix to correct "shorewall stop" problems.
+1) Fix DNAT logging with 'fw' as the source zone.

STABLE2/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=2.0.3c
+VERSION=2.0.4
 
 usage() # $1 = exit status
 {

STABLE2/firewall

@@ -3068,7 +3068,7 @@ add_nat_rule() {
 	    else
 		for adr in $(separate_list $addr); do
 		    if [ -n "$loglevel" ]; then
-			log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
+			log_rule_limit $loglevel OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
 			    $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
 		    fi
 
@@ -3099,7 +3099,7 @@ add_nat_rule() {
 		done
 
 		if [ -n "$loglevel" ]; then
-		    log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
+		    log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat
 		fi
 
 		addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection

STABLE2/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=2.0.3c
+VERSION=2.0.4
 
 usage() # $1 = exit status
 {

STABLE2/releasenotes.txt

@@ -1,172 +1,10 @@
-Shorewall 2.0.3b
+Shorewall 2.0.4
 
 ----------------------------------------------------------------------
-Problems Corrected since 2.0.2
-
-1) The 'firewall' script is not purging temporary restore files in
-   /var/lib/shorewall. These files have names of the form
-   "restore-nnnnn".
-
-2) The /var/lib/shorewall/restore script did not load the kernel
-   modules specified in /etc/shorewall/modules.
-
-3) Specifying a null common action in /etc/shorewall/actions (e.g.,
-   :REJECT) results in a startup error.
-
-4) If /var/lib/shorewall does not exist, shorewall start fails.
-
-5) DNAT rules with a dynamic source zone don't work properly. When
-   used, these rules cause the rule to be checked against ALL input,
-   not just input from the designated zone.
-
-6) The install.sh script reported installing some files in
-   /etc/shorewall when the files were actually installed in
-   /usr/share/shorewall.
-
-7) Shorewall checks netfilter capabilities before loading kernel
-   modules. Hence if kernel module autoloading isn't enabled, the
-   capabilities will be misdetected.
-
-8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
-
-9) The file /etc/init.d/shorewall now gets proper ownership when the
-   RPM is built by a non-root user.
-
-10) Rules that specify bridge ports in both the SOURCE and DEST
-    columns no longer cause "shorewall start" to fail.
-
-11) Comments in the rules file have been added to advise users that
-    "all" in the SOURCE or DEST column does not affect intra-zone
-    traffic.
-
-12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
-    passed through the blacklisting chains. Without this change, it is
-    not possible to blacklist hosts that are mounting certain types of
-    ICMP-based DOS attacks.
-
-Problems Corrected since 2.0.3
-
-1)  A non-empty DEST entry in /etc/shorewall/tcrules will generate an
-    error and Shorewall fails to start.
-
-2)  A potential security vulnerablilty in the way that Shorewall
-    handles temporary files and directories has been corrected.
-
-3) The security vulnerability fix failed under Slackware 9.1. 
-
-4) The security vulnerability fix failed if mktemp was not installed.
-
-5) The security vulnerability fix causes error messages during
-   "shorewall stop"
-
------------------------------------------------------------------------
-Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
-
-1) The 'dropNonSyn' standard builtin action has been replaced with the
-   'dropNotSyn' standard builtin action. The old name can still be used
-   but will generate a warning.
-
------------------------------------------------------------------------
-New Features:
-
-1) Shorewall now supports multiple saved configurations.
-
-   a) The default saved configuration (restore script) in
-      /var/lib/shorewall is now specified using the RESTOREFILE option
-      in shorewall.conf. If this variable isn't set then to maitain
-      backward compatibility, 'restore' is assumed.
-      
-      The value of RESTOREFILE must be a simple file name; no slashes
-      ("/") may be included.
-      
-   b)  The "save" command has been extended to be able to specify the
-      name of a saved configuration.
-
-	   shorewall save [ <file name> ]
-
-      The current state is saved to /var/lib/shorewall/<file name>. If
-      no <file name> is given, the configuration is saved to
-      the file determined by the RESTOREFILE setting.
-
-   c) The "restore" command has been extended to be able to specify 
-      the name of a saved configuration:
-
-	  shorewall restore [ <file name> ]
-
-      The firewall state is restored from /var/lib/shorewall/<file
-      name>. If no <file name> is given, the firewall state is
-      restored from the file determined by the RESTOREFILE setting.
-
-   c) The "forget" command has changed. Previously, the command
-      unconditionally removed the /var/lib/shorewall/save file which
-      records the current dynamic blacklist. The "forget" command now
-      leaves that file alone.
-
-      Also, the "forget" command has been extended to be able to
-      specify the name of a saved configuration:
-
-	      shorewall forget [ <file name> ]
-
-      The file /var/lib/shorewall/<file name> is removed. If no <file
-      name> is given, the file determined by the RESTOREFILE setting
-      is removed.
-
-   d) The "shorewall -f start" command restores the state from the
-      file determined by the RESTOREFILE setting. 
-
-2) "!" is now allowed in accounting rules.
-
-3) Interface names appearing within the configuration are now
-   verified. Interface names must match the name of an entry in
-   /etc/shorewall/interfaces (or if bridging is enabled, they must
-   match the name of an entry in /etc/shorewall/interfaces or the name
-   of a bridge port appearing in /etc/shorewall/hosts).
-
-4) A new 'rejNotSyn' built-in standard action has been added. This
-   action responds to "New not SYN" packets with an RST.
-
-   The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
-   action. The old name will be accepted until the next major release
-   of Shorewall but will generate a warning.
-
-   Several new logging actions involving "New not SYN" packets have
-   been added:
-
-	logNewNotSyn  -- logs the packet with disposition = LOG
-	dLogNewNotSyn -- logs the packet with disposition = DROP
-	rLogNewNotSyn -- logs the packet with disposition = REJECT
-
-   The packets are logged at the log level specified in the
-   LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
-   not specified, then 'info' is assumed.
-
-   Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
-
-   A: To simulate the behavior of NEWNOTSYN=No:
-
-      a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
-      b) Create /etc/shorewall/action.NoNewNotSyn containing:
-
-	    dLogNotSyn
-	    dropNotSyn
-
-      c) Early in your rules file, place:
-
-	 NoNewNotSyn   all   all     tcp
-
-   B: Drop 'New not SYN' packets from the net only. Don't log them.
-
-      a) Early in your rules file, place:
-
-         dropNotSyn    net	  all	tcp
-
-5) Slackware users no longer have to modify the install.sh script
-   before installation. Tuomo Soini has provided a change that allows
-   the INIT and FIREWALL variables to be specified outside the script
-   as in:
-
-      DEST=/etc/rc.d INIT=rc.firewall ./install.sh
+Problems Corrected since 2.0.3c
 
+1)  A DNAT rule with 'fw' as the source that specified logging caused
+    "shorewall start" to fail.
 
  
 

STABLE2/shorewall.spec

@@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Tue Jul 06 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.0.4-1
 * Fri Jul 02 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.3c-1
 * Wed Jun 30 2004 Tom Eastep tom@shorewall.net

STABLE2/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=2.0.3c
+VERSION=2.0.4
 
 usage() # $1 = exit status
 {