Merge branch '4.4.19' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.19

2011-05-08 05:59:13 -07:00 · 2011-05-08 05:59:13 -07:00 · 631a2a7092
commit 631a2a7092
parent 1685fc116e 15b1371ade
23 changed files with 69 additions and 44 deletions
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.19
-%define release 2
+%define release 3
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@ -119,6 +119,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Sat May 07 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-3
 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.19
-%define release 2
+%define release 3
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@ -103,6 +103,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Sat May 07 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-3
 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -2870,7 +2870,7 @@ sub conditional_rule_end( $ ) {
    add_commands( $chainref , "fi\n" );
 }	
-sub mysplit( $$ );
+sub mysplit( $;$ );
 #
 # Match a Source.
@ -3229,7 +3229,7 @@ sub addnatjump( $$$ ) {
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
 # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
-sub mysplit( $$ ) {
+sub mysplit( $;$ ) {
    my ( $input, $loose ) = @_;
    my @input = split_list $input, 'host';
@ -3638,7 +3638,7 @@ sub handle_network_list( $$ ) {
    my $nets = '';
    my $excl = '';
-    my @nets = mysplit $list, 0;
+    my @nets = mysplit $list;
    for ( @nets ) {
 	if ( /!/ ) {
@ -3954,7 +3954,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    }
 	    unless ( $onets ) {
-		my @oexcl = mysplit $oexcl, 0;
+		my @oexcl = mysplit $oexcl;
 		if ( @oexcl == 1 ) {
 		    $rule .= match_orig_dest( "!$oexcl" );
 		    $oexcl = '';
@ -4029,19 +4029,19 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
-	    for ( mysplit $iexcl, 0 ) {
+	    for ( mysplit $iexcl ) {
 		my $cond = conditional_rule( $chainref, $_ );
 		add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude;
 		conditional_rule_end( $chainref ) if $cond;
 	    }
-	    for ( mysplit $dexcl, 0 ) {
+	    for ( mysplit $dexcl ) {
 		my $cond = conditional_rule( $chainref, $_ );
 		add_rule $chainref, ( match_dest_net $_ ) . $exclude;
 		conditional_rule_end( $chainref ) if $cond;
 	    }
-	    for ( mysplit $oexcl, 0 ) {
+	    for ( mysplit $oexcl ) {
 		my $cond = conditional_rule( $chainref, $_ );
 		add_rule $chainref, ( match_orig_dest $_ ) . $exclude;
 		conditional_rule_end( $chainref ) if $cond;
@ -4060,19 +4060,19 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Use the current rule and send all possible matches to the exclusion chain
 	    #
-	    for my $onet ( mysplit $onets , 0 ) {
+	    for my $onet ( mysplit $onets ) {
 		my $cond = conditional_rule( $chainref, $onet );
 		$onet = match_orig_dest $onet;
-		for my $inet ( mysplit $inets , 0 ) {
+		for my $inet ( mysplit $inets ) {
 		    my $cond = conditional_rule( $chainref, $inet );
 		    my $source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
-		    for my $dnet ( mysplit $dnets , 0 ) {
+		    for my $dnet ( mysplit $dnets ) {
 			$source_match = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' );
 			add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
 		    }
@ -4085,19 +4085,19 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Generate RETURNs for each exclusion
 	    #
-	    for ( mysplit $iexcl , 0 ) {
+	    for ( mysplit $iexcl ) {
 		my $cond = conditional_rule( $echainref, $_ );
 		add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN';
 		conditional_rule_end( $echainref ) if $cond;
 	    }
-	    for ( mysplit $dexcl , 0 ) {
+	    for ( mysplit $dexcl ) {
 		my $cond = conditional_rule( $echainref, $_ );
 		add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN';
 		conditional_rule_end( $echainref ) if $cond;
 	    }
-	    for ( mysplit $oexcl , 0 ) {
+	    for ( mysplit $oexcl ) {
 		my $cond = conditional_rule( $echainref, $_ );
 		add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN';
 		conditional_rule_end( $echainref ) if $cond;
@ -4127,19 +4127,19 @@ sub expand_rule( $$$$$$$$$$;$ )
 	#
 	# No non-trivial exclusions or we're using marks to handle them
 	#
-	for my $onet ( mysplit $onets , 0 ) {
+	for my $onet ( mysplit $onets ) {
 	    my $cond = conditional_rule( $chainref, $onet );
 	    $onet = match_orig_dest $onet;
-	    for my $inet ( mysplit $inets , 0 ) {
+	    for my $inet ( mysplit $inets ) {
 		my $source_match;
 		my $cond = conditional_rule( $chainref, $inet );
 		$source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
-		for my $dnet ( mysplit $dnets , 0 ) {
+		for my $dnet ( mysplit $dnets ) {
 		    $source_match  = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' );
 		    my $dest_match = match_dest_net( $dnet );
 		    my $matches = join( '', $rule, $source_match, $dest_match, $onet );
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -412,7 +412,7 @@ sub initialize( $ ) {
 		    EXPORT     => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
-		    VERSION    => "4.4.19.2",
+		    VERSION    => "4.4.19.3",
 		    CAPVERSION => 40417 ,
 		  );
    #
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@ -466,6 +466,7 @@ sub add_a_provider( ) {
    if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
 	emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
 	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
    }
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@ -509,10 +509,10 @@ undo_routing() {
 #
 save_default_route() {
    awk \
-    'BEGIN        {default=0;}; \
+    'BEGIN        {defroute=0;};
-     /^default /  {default=1; print; next}; \
+     /^default /  {deroute=1; print; next};
-     /nexthop/    {if (default == 1 ) {print ; next} }; \
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { default=0; };'
+                  { defroute=0; };'
 }
 #
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@ -497,10 +497,10 @@ undo_routing() {
 #
 save_default_route() {
    awk \
-    'BEGIN        {default=0;}; \
+    'BEGIN        {defroute=0;};
-     /^default /  {default=1; print; next}; \
+     /^default /  {defroute=1; print; next};
-     /nexthop/    {if (default == 1 ) {print ; next} }; \
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { default=0; };'
+                  { defroute=0; };'
 }
 #
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,3 +1,7 @@
 Changes in Shorewall 4.4.19.3
 1)  Eliminate issue with 'gawk'.
 Changes in Shorewall 4.4.19.2
 1)  Restore the ability to have IPSET names in the ORIGINAL DEST column
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 9 . 2
+                      S H O R E W A L L  4 . 4 . 1 9 . 3
 ----------------------------------------------------------------------------
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@ -13,6 +13,15 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 4.4.19.3
 1)  The changes in 4.4.19.1 that corrected long-standing issues with
    default route save/restore were incompatible with 'gawk'. When
    'gawk' was installed (rather than 'mawk'), awk syntax errors having
    to do with the symbol 'default' were issued.
    This incompatibility has been corrected.
 4.4.19.2
 1)  In Shorewall-shell, there was the ability to specify IPSET names in
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.19
-%define release 2
+%define release 3
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@ -109,6 +109,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 %changelog
 * Sat May 07 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-3
 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.19
-%define release 2
+%define release 3
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@ -94,6 +94,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Sat May 07 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-3
 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.19
-%define release 2
+%define release 3
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@ -98,6 +98,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
 * Sat May 07 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-3
 * Sat Apr 16 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.19.2
+VERSION=4.4.19.3
 usage() # $1 = exit status
 {
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@ -652,9 +652,10 @@
            <entry>firewall stop</entry>
-            <entry>Only traffic to/from hosts listed in /etc/shorewall/hosts
+            <entry>Only traffic to/from hosts listed in
-            is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes
+            /etc/shorewall/routestopped is passed to/from/through the
-            in /etc/shorewall/shorewall.conf then in addition, all existing
+            firewall. If ADMINISABSENTMINDED=Yes in
            /etc/shorewall/shorewall.conf then in addition, all existing
            connections are retained and all connection requests from the
            firewall are accepted.</entry>
          </row>