From 873f8c38aa2752f76f140449b5c6614b3acbeaac Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 6 May 2011 14:28:22 -0700
Subject: [PATCH 1/5] Simplify the fix for double exclusion in ipset lists
---
 Shorewall/Perl/Shorewall/Chains.pm | 32 +++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 18688e62f..bcfc4c572 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2870,7 +2870,7 @@ sub conditional_rule_end( $ ) { add_commands( $chainref , "fi\n" ); }
-sub mysplit( $$ );
+sub mysplit( $;$ ); # # Match a Source.
@@ -3229,7 +3229,7 @@ sub addnatjump( $$$ ) { # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...] #
-sub mysplit( $$ ) {
+sub mysplit( $;$ ) { my ( $input, $loose ) = @_; my @input = split_list $input, 'host';
@@ -3638,7 +3638,7 @@ sub handle_network_list( $$ ) { my $nets = ''; my $excl = '';
- my @nets = mysplit $list, 0;
+ my @nets = mysplit $list; for ( @nets ) { if ( /!/ ) {
@@ -3954,7 +3954,7 @@ sub expand_rule( $$$$$$$$$$;$ ) } unless ( $onets ) {
- my @oexcl = mysplit $oexcl, 0;
+ my @oexcl = mysplit $oexcl; if ( @oexcl == 1 ) { $rule .= match_orig_dest( "!$oexcl" ); $oexcl = '';
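Review bot: Making the second argument optional (`$;$`) means `$loose` is now undef rather than 0 at every call site this commit rewrites; that is harmless if the body only tests `$loose` for truth, but a numeric comparison or interpolation would start warning about an uninitialized value under `use warnings`, so `$loose = 0 unless defined $loose;` after the `my ( $input, $loose ) = @_;` line pins the previous default explicitly. The header comment above the sub describes the splitting but never says what `$loose` controls or that it may be omitted; a line such as `# $loose is optional; callers that omit it pass undef` would record the new contract. The body of mysplit continues outside the hunk; the forward declaration changed in the earlier hunk (`sub mysplit( $;$ );`) agrees with this signature.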
@@ -4029,19 +4029,19 @@ sub expand_rule( $$$$$$$$$$;$ ) # my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
- for ( mysplit $iexcl, 0 ) {
+ for ( mysplit $iexcl ) { my $cond = conditional_rule( $chainref, $_ ); add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude; conditional_rule_end( $chainref ) if $cond; }
- for ( mysplit $dexcl, 0 ) {
+ for ( mysplit $dexcl ) { my $cond = conditional_rule( $chainref, $_ ); add_rule $chainref, ( match_dest_net $_ ) . $exclude; conditional_rule_end( $chainref ) if $cond; }
- for ( mysplit $oexcl, 0 ) {
+ for ( mysplit $oexcl ) { my $cond = conditional_rule( $chainref, $_ ); add_rule $chainref, ( match_orig_dest $_ ) . $exclude; conditional_rule_end( $chainref ) if $cond;
@@ -4060,19 +4060,19 @@ sub expand_rule( $$$$$$$$$$;$ ) # # Use the current rule and send all possible matches to the exclusion chain #
- for my $onet ( mysplit $onets , 0 ) {
+ for my $onet ( mysplit $onets ) { my $cond = conditional_rule( $chainref, $onet ); $onet = match_orig_dest $onet;
- for my $inet ( mysplit $inets , 0 ) {
+ for my $inet ( mysplit $inets ) { my $cond = conditional_rule( $chainref, $inet ); my $source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
- for my $dnet ( mysplit $dnets , 0 ) {
+ for my $dnet ( mysplit $dnets ) { $source_match = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' ); add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 ); }
@@ -4085,19 +4085,19 @@ sub expand_rule( $$$$$$$$$$;$ ) # # Generate RETURNs for each exclusion #
- for ( mysplit $iexcl , 0 ) {
+ for ( mysplit $iexcl ) { my $cond = conditional_rule( $echainref, $_ ); add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN'; conditional_rule_end( $echainref ) if $cond; }
- for ( mysplit $dexcl , 0 ) {
+ for ( mysplit $dexcl ) { my $cond = conditional_rule( $echainref, $_ ); add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN'; conditional_rule_end( $echainref ) if $cond; }
- for ( mysplit $oexcl , 0 ) {
+ for ( mysplit $oexcl ) { my $cond = conditional_rule( $echainref, $_ ); add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN'; conditional_rule_end( $echainref ) if $cond;
@@ -4127,19 +4127,19 @@ sub expand_rule( $$$$$$$$$$;$ ) # # No non-trivial exclusions or we're using marks to handle them #
- for my $onet ( mysplit $onets , 0 ) {
+ for my $onet ( mysplit $onets ) { my $cond = conditional_rule( $chainref, $onet ); $onet = match_orig_dest $onet;
- for my $inet ( mysplit $inets , 0 ) {
+ for my $inet ( mysplit $inets ) { my $source_match; my $cond = conditional_rule( $chainref, $inet ); $source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
- for my $dnet ( mysplit $dnets , 0 ) {
+ for my $dnet ( mysplit $dnets ) { $source_match = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' ); my $dest_match = match_dest_net( $dnet ); my $matches = join( '', $rule, $source_match, $dest_match, $onet );
From 6bb0881d7c1e495f4c7411dce1b87e4570954c72 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 7 May 2011 09:21:37 -0700
Subject: [PATCH 2/5] Fix issues with 'gawk'
---
 Shorewall/Perl/prog.header | 8 ++++----
 Shorewall/Perl/prog.header6 | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Perl/prog.header b/Shorewall/Perl/prog.header
index 425b7c546..b4148426f 100644
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -509,10 +509,10 @@ undo_routing() { # save_default_route() { awk \
- 'BEGIN {default=0;}; \
- /^default / {default=1; print; next}; \
- /nexthop/ {if (default == 1 ) {print ; next} }; \
- { default=0; };'
+ 'BEGIN {defroute=0;};
+ /^default / {deroute=1; print; next};
+ /nexthop/ {if (defroute == 1 ) {print ; next} };
+ { defroute=0; };' } #
diff --git a/Shorewall/Perl/prog.header6 b/Shorewall/Perl/prog.header6
index 8cf782756..c36e78b1b 100644
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -497,10 +497,10 @@ undo_routing() { # save_default_route() { awk \
- 'BEGIN {default=0;}; \
- /^default / {default=1; print; next}; \
- /nexthop/ {if (default == 1 ) {print ; next} }; \
- { default=0; };'
+ 'BEGIN {defroute=0;};
+ /^default / {defroute=1; print; next};
+ /nexthop/ {if (defroute == 1 ) {print ; next} };
+ { defroute=0; };' } #
From fb442cebbea782b19d79fb5c68b11208f30ac2e5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 7 May 2011 09:29:43 -0700
Subject: [PATCH 3/5] Document fix for 'gawk'
---
 Shorewall-init/install.sh | 2 +-
 Shorewall-init/shorewall-init.spec | 4 +++-
 Shorewall-init/uninstall.sh | 2 +-
 Shorewall-lite/install.sh | 2 +-
 Shorewall-lite/shorewall-lite.spec | 4 +++-
 Shorewall-lite/uninstall.sh | 2 +-
 Shorewall/Perl/Shorewall/Config.pm | 2 +-
 Shorewall/changelog.txt | 4 ++++
 Shorewall/install.sh | 2 +-
 Shorewall/releasenotes.txt | 11 ++++++++++-
 Shorewall/shorewall.spec | 4 +++-
 Shorewall/uninstall.sh | 2 +-
 Shorewall6-lite/install.sh | 2 +-
 Shorewall6-lite/shorewall6-lite.spec | 4 +++-
 Shorewall6-lite/uninstall.sh | 2 +-
 Shorewall6/install.sh | 2 +-
 Shorewall6/shorewall6.spec | 4 +++-
 Shorewall6/uninstall.sh | 2 +-
 18 files changed, 40 insertions(+), 17 deletions(-)
diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh
index 2f573b39c..67a381c4d 100755
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
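Review bot: In the prog.header hunk the new default-route action reads `/^default / {deroute=1; print; next};` — `deroute`, not `defroute` — while the `BEGIN`, `/nexthop/` and fall-through actions all use `defroute`; awk treats the never-assigned `defroute` as 0, so the `/nexthop/` branch never prints and the nexthop lines of a multipath default route are silently dropped from the saved output. The prog.header6 hunk in the same commit spells it `defroute=1`, so the two files now behave differently for the same input. Since `save_default_route()` sits beside `undo_routing()` and its output is presumably what is replayed to restore the default route later, a lost nexthop would surface only as an incomplete restore with no error reported. The line should read `/^default / {defroute=1; print; next};`.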
@@ -23,7 +23,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall-init/shorewall-init.spec b/Shorewall-init/shorewall-init.spec
index 7d5c11bdc..a11661a92 100644
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,6 +1,6 @@ %define name shorewall-init %define version 4.4.19
-%define release 2
+%define release 3 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Name: %{name}
@@ -119,6 +119,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-2 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh
index 3aece0ee8..3b3c437f6 100755
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index f60cae64d..79fda6da6 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index 7c294fb23..3ee974e13 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@ %define name shorewall-lite %define version 4.4.19
-%define release 2
+%define release 3 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Name: %{name}
@@ -103,6 +103,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-2 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index ba4b027ac..57019d189 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index c7fc044ac..15146e282 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -412,7 +412,7 @@ sub initialize( $ ) { EXPORT => 0, STATEMATCH => '-m state --state', UNTRACKED => 0,
- VERSION => "4.4.19.2",
+ VERSION => "4.4.19.3", CAPVERSION => 40417 , ); #
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 64ae4476d..4b3f10bdf 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.19.3
+
+1) Eliminate issue with 'gawk'.
+
Changes in Shorewall 4.4.19.2 1) Restore the ability to have IPSET names in the ORIGINAL DEST column
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index e398469ca..3fc0ec563 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index be63ef0d4..5799903fa 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,5 +1,5 @@ ----------------------------------------------------------------------------
- S H O R E W A L L 4 . 4 . 1 9 . 2
+ S H O R E W A L L 4 . 4 . 1 9 . 3 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -13,6 +13,15 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ----------------------------------------------------------------------------
+4.4.19.3
+
+1) The changes in 4.4.19.1 that corrected long-standing issues with
+ default route save/restore were incompatible with 'gawk'. When
+ 'gawk' was installed (rather than 'mawk'), awk syntax errors having
+ to do with the symbol 'default' were issued.
+
+ This incompatibility has been corrected.
+
4.4.19.2 1) In Shorewall-shell, there was the ability to specify IPSET names in
diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec
index 67111feb4..0e984005c 100644
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@ %define name shorewall %define version 4.4.19
-%define release 2
+%define release 3 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Name: %{name}
@@ -109,6 +109,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %changelog
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-2 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh
index 0f2d287c1..7a5c673c9 100755
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall6-lite/install.sh b/Shorewall6-lite/install.sh
index f74a3180d..4b333380e 100755
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall6-lite/shorewall6-lite.spec b/Shorewall6-lite/shorewall6-lite.spec
index 4f00a484a..8dfbe0efd 100644
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@ %define name shorewall6-lite %define version 4.4.19
-%define release 2
+%define release 3 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Name: %{name}
@@ -94,6 +94,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-2 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh
index aa68dd84c..c49d02d96 100755
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index 43564dd44..af98f7aad 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. #
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
diff --git a/Shorewall6/shorewall6.spec b/Shorewall6/shorewall6.spec
index ddb9c4e1f..506c3b1da 100644
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@ %define name shorewall6 %define version 4.4.19
-%define release 2
+%define release 3 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Name: %{name}
@@ -98,6 +98,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %changelog
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net - Updated to 4.4.19-2 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh
index 4a4eb6e45..70b2975c2 100755
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3 usage() # $1 = exit status {
From 0bfb7ecc6d90be1f715d2a25b99fab8d952ff20a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 8 May 2011 05:35:03 -0700
Subject: [PATCH 4/5] Ensure route to gateway in the main table
---
 Shorewall/Perl/Shorewall/Providers.pm | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 759c5f7bb..703e10b03 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -466,6 +466,7 @@ sub add_a_provider( ) { if ( $gateway ) { $address = get_interface_address $interface unless $address;
+ emit "run_ip route replace $gateway src $address dev $physical ${mtu}"; emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm"; emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm"; }
From 15b1371ade1fae2f650d6466c9b4e3c8d2477ad3 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 8 May 2011 05:37:49 -0700
Subject: [PATCH 5/5] Fix typo in starting/stopping doc
---
 docs/starting_and_stopping_shorewall.xml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml
index cac57573f..99cec08d3 100644
--- a/docs/starting_and_stopping_shorewall.xml
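Review bot: The new `emit "run_ip route replace $gateway src $address dev $physical ${mtu}";` in the Providers.pm hunk installs a host route to the gateway in the main table with no comment saying why, and unlike the two table-specific emits that follow it the route carries neither `table $number` nor `$realm`, so the commit title is the only place the intent is recorded. A why-comment above it, e.g. `# Also give the main table a host route to the gateway (not only table $number) — confirm which lookups need it`, would keep that knowledge with the code. Two things are worth confirming since the hunk does not show them: `route replace` overwrites any existing main-table route to `$gateway` that has a different `src` or `dev`, and nothing visible removes this main-table route when the provider is taken down, so the undo path should be checked. `${mtu}` at the end of the string leaves a trailing space when `$mtu` ends with one, as the `${mtu}table` uses suggest it does; that is harmless. add_a_provider continues outside the hunk.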
+++ b/docs/starting_and_stopping_shorewall.xml
@@ -652,9 +652,10 @@ firewall stop
- Only traffic to/from hosts listed in /etc/shorewall/hosts
- is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes
- in /etc/shorewall/shorewall.conf then in addition, all existing
+ Only traffic to/from hosts listed in
+ /etc/shorewall/routestopped is passed to/from/through the
+ firewall. If ADMINISABSENTMINDED=Yes in
+ /etc/shorewall/shorewall.conf then in addition, all existing connections are retained and all connection requests from the firewall are accepted.