Fix nat table logging bugs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1451 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-07-06 14:13:52 +00:00 · 2004-07-06 14:13:52 +00:00 · 624e2f2ef3
commit 624e2f2ef3
parent 5d7f769774
7 changed files with 13 additions and 216 deletions
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@ -1,46 +1,3 @@
-Changes since 2.0.2
+Changes since 2.0.3c
-1) Remove restore files; don't generate them for non-statechanging
+1) Fix DNAT logging with 'fw' as the source zone.
   commands.
 2) Restore file now loads kernel modules.
 3) Minor tweaks to the restore mechanism.
 4) Allow "!" in accounting rules.
 5) Backport bug fixes from stable (/var/lib/shorewall existence and
   null common action).
 6) Add lots of overhead to [re]start in order to catch typing errors.
 7) Correct reporting of installation directory in install.sh.
 8) Load kernel modules before detecting capabilities.
 9) Added the 'rejectNonSyn' standard built-in action.
 10) Merged Tuomo Soini's patch to the install script.
 11) Correct brain-cramp in module loading fix (8 above).
 12) Add 'key' to sample tunnel file.
 13) Allow multiple saved configurations.
 14) Add %attr spec to /etc/init.d/shorewall in the .spec file.
 15) Fix rules that have bridge ports in both SOURCE and DEST. Update
    comments in the rules file WRT "all" in SOURCE or DEST.
 16) Pass INVALID icmp packets through the blacklisting chains.
 17) Fix bogus code in process_tc_rule()
 18) Fix security vulnerability involving temporary files/directories.
 19) Hack security fix so that it works under Slackware.
 20) Fix mktempfile() where there is no mktemp utility.
 21) Hack security fix to correct "shorewall stop" problems.
--- a/STABLE2/fallback.sh
+++ b/STABLE2/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=2.0.3c
+VERSION=2.0.4
 usage() # $1 = exit status
 {
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@ -3068,7 +3068,7 @@ add_nat_rule() {
 	    else
 		for adr in $(separate_list $addr); do
 		    if [ -n "$loglevel" ]; then
-			log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
+			log_rule_limit $loglevel OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
 			    $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
 		    fi
@ -3099,7 +3099,7 @@ add_nat_rule() {
 		done
 		if [ -n "$loglevel" ]; then
-		    log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
+		    log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" -t nat
 		fi
 		addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
--- a/STABLE2/install.sh
+++ b/STABLE2/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.0.3c
+VERSION=2.0.4
 usage() # $1 = exit status
 {
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@ -1,172 +1,10 @@
-Shorewall 2.0.3b
+Shorewall 2.0.4
 ----------------------------------------------------------------------
-Problems Corrected since 2.0.2
+Problems Corrected since 2.0.3c
 1) The 'firewall' script is not purging temporary restore files in
   /var/lib/shorewall. These files have names of the form
   "restore-nnnnn".
 2) The /var/lib/shorewall/restore script did not load the kernel
   modules specified in /etc/shorewall/modules.
 3) Specifying a null common action in /etc/shorewall/actions (e.g.,
   :REJECT) results in a startup error.
 4) If /var/lib/shorewall does not exist, shorewall start fails.
 5) DNAT rules with a dynamic source zone don't work properly. When
   used, these rules cause the rule to be checked against ALL input,
   not just input from the designated zone.
 6) The install.sh script reported installing some files in
   /etc/shorewall when the files were actually installed in
   /usr/share/shorewall.
 7) Shorewall checks netfilter capabilities before loading kernel
   modules. Hence if kernel module autoloading isn't enabled, the
   capabilities will be misdetected.
 8) The 'newnotsyn' option in /etc/shorewall/hosts has no effect.
 9) The file /etc/init.d/shorewall now gets proper ownership when the
   RPM is built by a non-root user.
 10) Rules that specify bridge ports in both the SOURCE and DEST
    columns no longer cause "shorewall start" to fail.
 11) Comments in the rules file have been added to advise users that
    "all" in the SOURCE or DEST column does not affect intra-zone
    traffic.
 12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
    passed through the blacklisting chains. Without this change, it is
    not possible to blacklist hosts that are mounting certain types of
    ICMP-based DOS attacks.
 Problems Corrected since 2.0.3
 1)  A non-empty DEST entry in /etc/shorewall/tcrules will generate an
    error and Shorewall fails to start.
 2)  A potential security vulnerablilty in the way that Shorewall
    handles temporary files and directories has been corrected.
 3) The security vulnerability fix failed under Slackware 9.1. 
 4) The security vulnerability fix failed if mktemp was not installed.
 5) The security vulnerability fix causes error messages during
   "shorewall stop"
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3:
 1) The 'dropNonSyn' standard builtin action has been replaced with the
   'dropNotSyn' standard builtin action. The old name can still be used
   but will generate a warning.
 -----------------------------------------------------------------------
 New Features:
 1) Shorewall now supports multiple saved configurations.
   a) The default saved configuration (restore script) in
      /var/lib/shorewall is now specified using the RESTOREFILE option
      in shorewall.conf. If this variable isn't set then to maitain
      backward compatibility, 'restore' is assumed.
      The value of RESTOREFILE must be a simple file name; no slashes
      ("/") may be included.
   b)  The "save" command has been extended to be able to specify the
      name of a saved configuration.
 	   shorewall save [ <file name> ]
      The current state is saved to /var/lib/shorewall/<file name>. If
      no <file name> is given, the configuration is saved to
      the file determined by the RESTOREFILE setting.
   c) The "restore" command has been extended to be able to specify 
      the name of a saved configuration:
 	  shorewall restore [ <file name> ]
      The firewall state is restored from /var/lib/shorewall/<file
      name>. If no <file name> is given, the firewall state is
      restored from the file determined by the RESTOREFILE setting.
   c) The "forget" command has changed. Previously, the command
      unconditionally removed the /var/lib/shorewall/save file which
      records the current dynamic blacklist. The "forget" command now
      leaves that file alone.
      Also, the "forget" command has been extended to be able to
      specify the name of a saved configuration:
 	      shorewall forget [ <file name> ]
      The file /var/lib/shorewall/<file name> is removed. If no <file
      name> is given, the file determined by the RESTOREFILE setting
      is removed.
   d) The "shorewall -f start" command restores the state from the
      file determined by the RESTOREFILE setting. 
 2) "!" is now allowed in accounting rules.
 3) Interface names appearing within the configuration are now
   verified. Interface names must match the name of an entry in
   /etc/shorewall/interfaces (or if bridging is enabled, they must
   match the name of an entry in /etc/shorewall/interfaces or the name
   of a bridge port appearing in /etc/shorewall/hosts).
 4) A new 'rejNotSyn' built-in standard action has been added. This
   action responds to "New not SYN" packets with an RST.
   The 'dropNonSyn' action has been superceded by the new 'dropNotSyn'
   action. The old name will be accepted until the next major release
   of Shorewall but will generate a warning.
   Several new logging actions involving "New not SYN" packets have
   been added:
 	logNewNotSyn  -- logs the packet with disposition = LOG
 	dLogNewNotSyn -- logs the packet with disposition = DROP
 	rLogNewNotSyn -- logs the packet with disposition = REJECT
   The packets are logged at the log level specified in the
   LOGNEWNOTSYN option in shorewall.conf. If than option is empty or
   not specified, then 'info' is assumed.
   Examples (In all cases, set NEWNOTSYN=Yes in shorewall.conf):
   A: To simulate the behavior of NEWNOTSYN=No:
      a) Add 'NoNewNotSyn' to /etc/shorewall/actions.
      b) Create /etc/shorewall/action.NoNewNotSyn containing:
 	    dLogNotSyn
 	    dropNotSyn
      c) Early in your rules file, place:
 	 NoNewNotSyn   all   all     tcp
   B: Drop 'New not SYN' packets from the net only. Don't log them.
      a) Early in your rules file, place:
         dropNotSyn    net	  all	tcp
 5) Slackware users no longer have to modify the install.sh script
   before installation. Tuomo Soini has provided a change that allows
   the INIT and FIREWALL variables to be specified outside the script
   as in:
      DEST=/etc/rc.d INIT=rc.firewall ./install.sh
 1)  A DNAT rule with 'fw' as the source that specified logging caused
    "shorewall start" to fail.
--- a/STABLE2/shorewall.spec
+++ b/STABLE2/shorewall.spec
@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 %changelog
 * Tue Jul 06 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.4-1
 * Fri Jul 02 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.3c-1
 * Wed Jun 30 2004 Tom Eastep tom@shorewall.net
--- a/STABLE2/uninstall.sh
+++ b/STABLE2/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.0.3c
+VERSION=2.0.4
 usage() # $1 = exit status
 {