Merge branch 'master' into 5.2.4

# Conflicts: # Shorewall/Perl/Shorewall/Config.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>
2020-03-06 13:07:00 -08:00 · 2020-03-06 13:07:00 -08:00 · 639dc86e1b
commit 639dc86e1b
parent f221ca290f fa1aa4b481
14 changed files with 48 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
-*targetname
--- a/Shorewall-core/Shorewall-core-targetname
+++ b/Shorewall-core/Shorewall-core-targetname
@ -0,0 +1 @@
+5.2.3.7
--- a/Shorewall-lite/Shorewall-lite-targetname
+++ b/Shorewall-lite/Shorewall-lite-targetname
@ -0,0 +1 @@
+5.2.3.7
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@ -114,8 +114,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {

 if ( $command & $RESET_CMD ) {
    require_capability 'MARK_ANYWHERE', '"reset"', 's';
-
-    print "Resetting....\n";
    
    my $mark = $globals{EVENT_MARK};
    #
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -9264,7 +9264,7 @@ sub create_netfilter_load( $ ) {
 			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockerisostage" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -270,8 +270,8 @@ sub generate_script_2() {
 	    );
 	emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
 	emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION && dockeriso=Yes' );
-	emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
    }

    pop_indent;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -5274,7 +5274,7 @@ sub require_mangle_capability( $$$ ) {
    if ( $config{MANGLE_ENABLED} ) {
 	&require_capability( @_ );
    } else {
-	fatal_error "$description " . ( $singular ?  'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{product}.conf";
+	fatal_error "$description " . ( $singular ?  'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf";
    }
 }

@ -6959,9 +6959,7 @@ sub get_configuration( $$$ ) {
    }

    default 'RESTOREFILE'           , 'restore';
-
    default 'DROP_DEFAULT'          , 'none';
-
    default 'REJECT_DEFAULT'        , 'none';
    default 'BLACKLIST_DEFAULT'     , 'none';
    default 'QUEUE_DEFAULT'         , 'none';
@ -7026,9 +7024,8 @@ sub get_configuration( $$$ ) {

    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's'                 ) if $config{MACLIST_TTL};
-
-    require_mangle_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_mangle_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's'        ) if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'             ) if $config{TC_ENABLED};

    if ( $config{WARNOLDCAPVERSION} ) {
 	if ( $capabilities{CAPVERSION} ) {
--- a/Shorewall/Shorewall-targetname
+++ b/Shorewall/Shorewall-targetname
@ -0,0 +1 @@
+5.2.3.7
--- a/Shorewall6-lite/Shorewall-lite6-lite-targetname
+++ b/Shorewall6-lite/Shorewall-lite6-lite-targetname
--- a/Shorewall6-lite/Shorewall6-lite-targetname
+++ b/Shorewall6-lite/Shorewall6-lite-targetname
@ -0,0 +1 @@
+5.2.3.7
--- a/Shorewall6/Shorewall6-targetname
+++ b/Shorewall6/Shorewall6-targetname
@ -0,0 +1 @@
+5.2.3.7
--- a/docs/Docker.xml
+++ b/docs/Docker.xml
@ -13,6 +13,10 @@

        <surname>Eastep</surname>
      </author>
+
+      <author>
+        <surname>J Cliff Armstrong</surname>
+      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
@ -20,6 +24,8 @@
    <copyright>
      <year>2016</year>

+      <year>2020</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@ -57,6 +63,35 @@
    <command>restart</command> or <command>reload</command> operation and
    restores those rules along with the Shorewall-generated ruleset.</para>

+    <important>
+      <para>Shorewall currently doesn't support Docker Swarm mode.</para>
+    </important>
+
+    <warning>
+      <para>On Debian and Debian-derived systems, <command>systemctl restart
+      shorewall</command> will lose Docker rules. You can work around this
+      issue using a method provided by J Cliff Armstrong:</para>
+
+      <para>Type as root:</para>
+
+      <programlisting><command>systemctl edit shorewall.service</command></programlisting>
+
+      <para>This will open the default terminal editor to a blank file in
+      which you can paste the following:</para>
+
+      <programlisting>[Service]
+# reset ExecStop
+ExecStop=
+# set ExecStop to "stop" instead of "clear"
+ExecStop=/sbin/shorewall $OPTIONS stop
+</programlisting>
+
+      <para> Then type <command>systemctl daemon-reload </command>to activate
+      the changes. This change will survive future updates of the shorewall
+      package from apt repositories. The override file itself will be saved to
+      `/etc/systemd/system/shorewall.service.d/`. </para>
+    </warning>
+
    <para>This support assumes that the default Docker bridge (docker0) is
    being used. It is recommended that this bridge be defined to Shorewall in
    <ulink
--- a/docs/docs-targetname
+++ b/docs/docs-targetname
@ -0,0 +1 @@
+5.2.3.7
--- a/docs/images/docs-images-targetname
+++ b/docs/images/docs-images-targetname
@ -0,0 +1 @@
+5.2.3.7