Merge branch '4.4.19' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.19
commit
631a2a7092
@ -23,7 +23,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-init
|
||||
%define version 4.4.19
|
||||
%define release 2
|
||||
%define release 3
|
||||
|
||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||
Name: %{name}
|
||||
@ -119,6 +119,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sat May 07 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-3
|
||||
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-2
|
||||
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.4.19
|
||||
%define release 2
|
||||
%define release 3
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -103,6 +103,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sat May 07 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-3
|
||||
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-2
|
||||
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -2870,7 +2870,7 @@ sub conditional_rule_end( $ ) {
|
||||
add_commands( $chainref , "fi\n" );
|
||||
}
|
||||
|
||||
sub mysplit( $$ );
|
||||
sub mysplit( $;$ );
|
||||
|
||||
#
|
||||
# Match a Source.
|
||||
@ -3229,7 +3229,7 @@ sub addnatjump( $$$ ) {
|
||||
# Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
|
||||
# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
|
||||
#
|
||||
sub mysplit( $$ ) {
|
||||
sub mysplit( $;$ ) {
|
||||
my ( $input, $loose ) = @_;
|
||||
|
||||
my @input = split_list $input, 'host';
|
||||
@ -3638,7 +3638,7 @@ sub handle_network_list( $$ ) {
|
||||
my $nets = '';
|
||||
my $excl = '';
|
||||
|
||||
my @nets = mysplit $list, 0;
|
||||
my @nets = mysplit $list;
|
||||
|
||||
for ( @nets ) {
|
||||
if ( /!/ ) {
|
||||
@ -3954,7 +3954,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
}
|
||||
|
||||
unless ( $onets ) {
|
||||
my @oexcl = mysplit $oexcl, 0;
|
||||
my @oexcl = mysplit $oexcl;
|
||||
if ( @oexcl == 1 ) {
|
||||
$rule .= match_orig_dest( "!$oexcl" );
|
||||
$oexcl = '';
|
||||
@ -4029,19 +4029,19 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
|
||||
|
||||
for ( mysplit $iexcl, 0 ) {
|
||||
for ( mysplit $iexcl ) {
|
||||
my $cond = conditional_rule( $chainref, $_ );
|
||||
add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude;
|
||||
conditional_rule_end( $chainref ) if $cond;
|
||||
}
|
||||
|
||||
for ( mysplit $dexcl, 0 ) {
|
||||
for ( mysplit $dexcl ) {
|
||||
my $cond = conditional_rule( $chainref, $_ );
|
||||
add_rule $chainref, ( match_dest_net $_ ) . $exclude;
|
||||
conditional_rule_end( $chainref ) if $cond;
|
||||
}
|
||||
|
||||
for ( mysplit $oexcl, 0 ) {
|
||||
for ( mysplit $oexcl ) {
|
||||
my $cond = conditional_rule( $chainref, $_ );
|
||||
add_rule $chainref, ( match_orig_dest $_ ) . $exclude;
|
||||
conditional_rule_end( $chainref ) if $cond;
|
||||
@ -4060,19 +4060,19 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Use the current rule and send all possible matches to the exclusion chain
|
||||
#
|
||||
for my $onet ( mysplit $onets , 0 ) {
|
||||
for my $onet ( mysplit $onets ) {
|
||||
|
||||
my $cond = conditional_rule( $chainref, $onet );
|
||||
|
||||
$onet = match_orig_dest $onet;
|
||||
|
||||
for my $inet ( mysplit $inets , 0 ) {
|
||||
for my $inet ( mysplit $inets ) {
|
||||
|
||||
my $cond = conditional_rule( $chainref, $inet );
|
||||
|
||||
my $source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
|
||||
|
||||
for my $dnet ( mysplit $dnets , 0 ) {
|
||||
for my $dnet ( mysplit $dnets ) {
|
||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' );
|
||||
add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
|
||||
}
|
||||
@ -4085,19 +4085,19 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Generate RETURNs for each exclusion
|
||||
#
|
||||
for ( mysplit $iexcl , 0 ) {
|
||||
for ( mysplit $iexcl ) {
|
||||
my $cond = conditional_rule( $echainref, $_ );
|
||||
add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN';
|
||||
conditional_rule_end( $echainref ) if $cond;
|
||||
}
|
||||
|
||||
for ( mysplit $dexcl , 0 ) {
|
||||
for ( mysplit $dexcl ) {
|
||||
my $cond = conditional_rule( $echainref, $_ );
|
||||
add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN';
|
||||
conditional_rule_end( $echainref ) if $cond;
|
||||
}
|
||||
|
||||
for ( mysplit $oexcl , 0 ) {
|
||||
for ( mysplit $oexcl ) {
|
||||
my $cond = conditional_rule( $echainref, $_ );
|
||||
add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN';
|
||||
conditional_rule_end( $echainref ) if $cond;
|
||||
@ -4127,19 +4127,19 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# No non-trivial exclusions or we're using marks to handle them
|
||||
#
|
||||
for my $onet ( mysplit $onets , 0 ) {
|
||||
for my $onet ( mysplit $onets ) {
|
||||
my $cond = conditional_rule( $chainref, $onet );
|
||||
|
||||
$onet = match_orig_dest $onet;
|
||||
|
||||
for my $inet ( mysplit $inets , 0 ) {
|
||||
for my $inet ( mysplit $inets ) {
|
||||
my $source_match;
|
||||
|
||||
my $cond = conditional_rule( $chainref, $inet );
|
||||
|
||||
$source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
|
||||
|
||||
for my $dnet ( mysplit $dnets , 0 ) {
|
||||
for my $dnet ( mysplit $dnets ) {
|
||||
$source_match = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' );
|
||||
my $dest_match = match_dest_net( $dnet );
|
||||
my $matches = join( '', $rule, $source_match, $dest_match, $onet );
|
||||
|
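Review bot: In the `@ -4060` hunk, `my $source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour: when the capability is absent, the variable may keep the value from an earlier pass of the loop instead of starting out undefined. The `@ -4127` hunk of the same function already uses the safe form, so the first loop should match it: `my $source_match;` followed by `$source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );`. The inner `$dnet` loop reassigns the value when KLUDGEFREE is missing, so a stale source match reaching `add_jump` looks unlikely, but text that ends up in the generated ruleset should not depend on that. expand_rule's body starts and ends outside these hunks.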
@ -412,7 +412,7 @@ sub initialize( $ ) {
|
||||
EXPORT => 0,
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.19.2",
|
||||
VERSION => "4.4.19.3",
|
||||
CAPVERSION => 40417 ,
|
||||
);
|
||||
#
|
||||
|
@ -466,6 +466,7 @@ sub add_a_provider( ) {
|
||||
|
||||
if ( $gateway ) {
|
||||
$address = get_interface_address $interface unless $address;
|
||||
emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
|
||||
emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
|
||||
emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
|
||||
}
|
||||
|
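Review bot: The two `run_ip route replace $gateway src $address dev $physical ...` emits inside `if ( $gateway )` differ only by the `table $number $realm` suffix, and nothing in the block says why the gateway host route is written twice. The hunk grows by one line, so presumably one of the two is new; a short comment above the pair, for example `# Host route to the gateway: once in the main table, once in the provider's table`, would make the intent reviewable. `${mtu}` is also concatenated directly with `table`, which only works if `$mtu` carries its own trailing space when set; that assumption deserves a note where `$mtu` is built. add_a_provider's body starts and ends outside the hunk.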
@ -509,10 +509,10 @@ undo_routing() {
|
||||
#
|
||||
save_default_route() {
|
||||
awk \
|
||||
'BEGIN {default=0;}; \
|
||||
/^default / {default=1; print; next}; \
|
||||
/nexthop/ {if (default == 1 ) {print ; next} }; \
|
||||
{ default=0; };'
|
||||
'BEGIN {defroute=0;};
|
||||
/^default / {deroute=1; print; next};
|
||||
/nexthop/ {if (defroute == 1 ) {print ; next} };
|
||||
{ defroute=0; };'
|
||||
}
|
||||
|
||||
#
|
||||
|
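Review bot: The renamed awk program in `save_default_route()` sets `deroute=1` on the `/^default /` line, but the `/nexthop/` rule tests `defroute`, which therefore stays 0. As written, the `nexthop` lines that follow a multipath default route are never printed, so the saved default route would be incomplete when it is later restored. The line should read `/^default / {defroute=1; print; next};`, which is how the other copy of this function further down the page spells it. A quick regression check is to pipe a `default` line followed by `nexthop` lines through the function and confirm that all of them come back.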
@ -497,10 +497,10 @@ undo_routing() {
|
||||
#
|
||||
save_default_route() {
|
||||
awk \
|
||||
'BEGIN {default=0;}; \
|
||||
/^default / {default=1; print; next}; \
|
||||
/nexthop/ {if (default == 1 ) {print ; next} }; \
|
||||
{ default=0; };'
|
||||
'BEGIN {defroute=0;};
|
||||
/^default / {defroute=1; print; next};
|
||||
/nexthop/ {if (defroute == 1 ) {print ; next} };
|
||||
{ defroute=0; };'
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -1,3 +1,7 @@
|
||||
Changes in Shorewall 4.4.19.3
|
||||
|
||||
1) Eliminate issue with 'gawk'.
|
||||
|
||||
Changes in Shorewall 4.4.19.2
|
||||
|
||||
1) Restore the ability to have IPSET names in the ORIGINAL DEST column
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,5 +1,5 @@
|
||||
----------------------------------------------------------------------------
|
||||
S H O R E W A L L 4 . 4 . 1 9 . 2
|
||||
S H O R E W A L L 4 . 4 . 1 9 . 3
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
I. PROBLEMS CORRECTED IN THIS RELEASE
|
||||
@ -13,6 +13,15 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
4.4.19.3
|
||||
|
||||
1) The changes in 4.4.19.1 that corrected long-standing issues with
|
||||
default route save/restore were incompatible with 'gawk'. When
|
||||
'gawk' was installed (rather than 'mawk'), awk syntax errors having
|
||||
to do with the symbol 'default' were issued.
|
||||
|
||||
This incompatibility has been corrected.
|
||||
|
||||
4.4.19.2
|
||||
|
||||
1) In Shorewall-shell, there was the ability to specify IPSET names in
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 4.4.19
|
||||
%define release 2
|
||||
%define release 3
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -109,6 +109,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||
|
||||
%changelog
|
||||
* Sat May 07 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-3
|
||||
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-2
|
||||
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6-lite
|
||||
%define version 4.4.19
|
||||
%define release 2
|
||||
%define release 3
|
||||
|
||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -94,6 +94,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sat May 07 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-3
|
||||
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-2
|
||||
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6
|
||||
%define version 4.4.19
|
||||
%define release 2
|
||||
%define release 3
|
||||
|
||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -98,6 +98,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||
|
||||
%changelog
|
||||
* Sat May 07 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-3
|
||||
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.19-2
|
||||
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.19.2
|
||||
VERSION=4.4.19.3
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -652,9 +652,10 @@
|
||||
|
||||
<entry>firewall stop</entry>
|
||||
|
||||
<entry>Only traffic to/from hosts listed in /etc/shorewall/hosts
|
||||
is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes
|
||||
in /etc/shorewall/shorewall.conf then in addition, all existing
|
||||
<entry>Only traffic to/from hosts listed in
|
||||
/etc/shorewall/routestopped is passed to/from/through the
|
||||
firewall. If ADMINISABSENTMINDED=Yes in
|
||||
/etc/shorewall/shorewall.conf then in addition, all existing
|
||||
connections are retained and all connection requests from the
|
||||
firewall are accepted.</entry>
|
||||
</row>
|
||||
|