From 666727782fc65494609b00b14340c9729faec4b4 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 11 Dec 2004 15:35:24 +0000
Subject: [PATCH] Changes for Shorewall 2.2.0 Beta 8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1819 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 LrpN/etc/shorewall/interfaces | 2 +-
 LrpN/etc/shorewall/shorewall.conf | 35 ++
 LrpN/sbin/shorewall | 4 +-
 LrpN/usr/share/shorewall/firewall | 558 ++++++++++++++++--------------
 LrpN/usr/share/shorewall/help | 12 +-
 LrpN/usr/share/shorewall/version | 2 +-
 Shorewall2/fallback.sh | 2 +-
 Shorewall2/install.sh | 2 +-
 Shorewall2/shorewall.spec | 4 +-
 Shorewall2/uninstall.sh | 2 +-
 10 files changed, 357 insertions(+), 266 deletions(-)
diff --git a/LrpN/etc/shorewall/interfaces b/LrpN/etc/shorewall/interfaces
index 20e08b99f..6388d5cf2 100644
--- a/LrpN/etc/shorewall/interfaces
+++ b/LrpN/etc/shorewall/interfaces
@@ -29,7 +29,7 @@
 #
 # BROADCAST The broadcast address for the subnetwork to which the
 # interface belongs. For P-T-P interfaces, this
-# column is left black.If the interface has multiple
+# column is left blank.If the interface has multiple
 # addresses on multiple subnets then list the broadcast
 # addresses as a comma-separated list.
 #
diff --git a/LrpN/etc/shorewall/shorewall.conf b/LrpN/etc/shorewall/shorewall.conf
index 19efef986..a5830e754 100755
--- a/LrpN/etc/shorewall/shorewall.conf
+++ b/LrpN/etc/shorewall/shorewall.conf
@@ -697,6 +697,41 @@ DYNAMIC_ZONES=No # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed. PKTTYPE=Yes + +# +# DROP INVALID PACKETS +# +# Netfilter classifies packets relative to its connection tracking table into +# four states: +# +# NEW - thes packet initiates a new connection +# ESTABLISHED - thes packet is part of an established connection +# RELATED - thes packet is related to an established connection; it may +# establish a new connection +# INVALID - the packet does not related to the table in any sensible way. +# +# Recent 2.6 kernels include code that evaluates TCP packets based on TCP +# Window analysis. This can cause packets that were previously classified as +# NEW or ESTABLISHED to be classified as INVALID. +# +# The new kernel code can be disabled by including this command in your +# /etc/shorewall/init file: +# +# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal +# +# Additional kernel logging about INVALID TCP packets may be obtained by +# adding this command to /etc/shorewall/init: +# +# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid +# +# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID +# option allows INVALID packets to be passed through the normal rules chains by +# setting DROPINVALID=No. +# +# If not specified or if specified as empty (e.g., DROPINVALID="") then +# DROPINVALID=Yes is assumed. + +DROPINVALID=No ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################ diff --git a/LrpN/sbin/shorewall b/LrpN/sbin/shorewall index ebebb2fd7..2043cd9d2 100755 --- a/LrpN/sbin/shorewall +++ b/LrpN/sbin/shorewall 
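Review bot: The shipped value `DROPINVALID=No` at the end of the hunk contradicts the comment directly above it, which states that an unset or empty DROPINVALID is treated as Yes, so anyone installing this sample file silently loses the early INVALID drop that the same comment calls the traditional behaviour. If the traditional default is meant to survive, ship `DROPINVALID=Yes` (or leave it empty) and let the documented fallback in the firewall script's `added_param_value_yes DROPINVALID` apply; if No is intended as the new default, the comment and that fallback should say so, because a security-relevant default should not differ between the sample file and the code. The new comment also carries typos: `thes packet` (three times) should be `the packet`, and `does not related to` should be `does not relate to`.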
@@ -867,8 +867,8 @@ case "$1" in exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 ;; add|delete) - [ $# -ne 3 ] && usage 1 - exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3 + [ $# -lt 3 ] && usage 1 + exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@ ;; show|list) [ -n "$debugging" ] && set -x diff --git a/LrpN/usr/share/shorewall/firewall b/LrpN/usr/share/shorewall/firewall index e60a51520..ab7dc9315 100755 --- a/LrpN/usr/share/shorewall/firewall +++ b/LrpN/usr/share/shorewall/firewall @@ -3609,7 +3609,7 @@ process_actions3() { dropInvalid) if [ "$COMMAND" != check ]; then [ -n "$xlevel" ] && \ - log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -A -m state --state INVALID + log_rule_limit ${xlevel%\!} $xchain dropInvalid $2 "" "$xtag" -A -m state --state INVALID run_iptables -A $xchain -m state --state INVALID -j DROP fi ;; @@ -5622,12 +5622,13 @@ initialize_netfilter () { [ -f $accounting_file ] && setup_accounting $accounting_file # - # Allow DNS lookups during startup for FQDNs and deep-six INVALID packets + # Allow DNS lookups during startup for FQDNs # for chain in INPUT OUTPUT FORWARD; do run_iptables -A $chain -p udp --dport 53 -j ACCEPT - run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP + [ -n "$DROPINVALID" ] && \ + run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP done if [ -n "$CLAMPMSS" ]; then @@ -5785,7 +5786,7 @@ add_common_rules() { network=${host#*:} for chain in $(first_chains $interface); do - run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) $policy -j smurfs + run_iptables -A $chain -m state --state NEW,INVALID $(match_source_hosts $network) $policy -j smurfs done done fi 
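Review bot: The new `exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@` forwards the argument list unquoted, so any argument containing whitespace or glob characters is re-split or expanded by the shell before it reaches the firewall script; the portable form is `"$@"`. The same unquoted pattern recurs in the firewall script's `add` and `delete` cases (`add_to_zone $@`, `delete_from_zone $@`) and in the nested `do_iptables` helper (`$IPTABLES $@`), which should use `"$@"` as well. The relaxed `[ $# -lt 3 ]` check is appropriate now that a host list is accepted, but it no longer pins the argument shape, so the later `validate_zone` call is the only thing confirming that the last word is a zone.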
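Review bot: The comment above the loop in `initialize_netfilter` was shortened to `# Allow DNS lookups during startup for FQDNs`, yet the loop still installs the INVALID drop whenever DROPINVALID is set, and nothing near it explains what changes when the option is No; a line such as `# Drop INVALID packets early unless DROPINVALID=No, in which case they traverse the normal rule chains` would make the intent visible. The widening of the smurfs match to `--state NEW,INVALID` in `add_common_rules` looks like the counterpart for DROPINVALID=No, but that link is only inferable from the two hunks together; a one-line comment at that `run_iptables` call would make it explicit. Both `initialize_netfilter` and `add_common_rules` extend beyond these hunks.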
@@ -6276,8 +6277,16 @@ activate_rules() if [ -n "$POLICY_MATCH" ]; then eval is_ipsec=\$${zone}_is_ipsec - [ -n "$is_ipsec" ] && eval source_hosts=\$${zone}_hosts || eval source_hosts=\$${zone}_ipsec_hosts - + if [ -n "$is_ipsec" ]; then + eval source_hosts=\$${zone}_hosts + if [ -n "$DYNAMIC_ZONES" ]; then + createchain ${zone}_dyn No + run_iptables -A $frwd_chain -j ${zone}_dyn + fi + else + eval source_hosts=\$${zone}_ipsec_hosts + fi + for host in $source_hosts; do interface=${host%%:*} networks=${host#*:} @@ -6636,11 +6645,11 @@ refresh_firewall() # # Add a host or networks to a zone # -add_to_zone() # $1 = [:] $2 = zone +add_to_zone() # $1...${n-1} = [:] $n = zone { - local base interface host newhost zone z h z1 z2 chain terminator + local interface host zone z h z1 z2 chain local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces - local rulenum source_chain dest_hosts iface hosts is_ipsec policyin= policyout= + local rulenum source_chain dest_hosts iface hosts hostlist= nat_chain_exists() # $1 = chain name { @@ -6653,17 +6662,10 @@ add_to_zone() # $1 = [:] $2 = zone [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange if ! $IPTABLES $@ ; then - startup_error "Can't add $1 to zone $2" + error_message "Can't add $newhost to zone $zone" fi } - # - # Isolate interface and host parts - # - interface=${1%%:*} - host=${1#*:} - - [ -z "$host" ] && host="0.0.0.0/0" # # Load $zones # 
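Review bot: `createchain ${zone}_dyn No` and the jump from `$frwd_chain` run only inside the `is_ipsec` branch, while add_to_zone later appends to `${z1}_dyn` whenever `is_ipsec_host $z1 $h` succeeds; if `is_ipsec_host` can be true for a host in a zone whose `${zone}_is_ipsec` is unset (I cannot tell from these hunks), that `do_iptables -A ${z1}_dyn` call would target a chain that was never created. Either record the invariant with a comment such as `# ${zone}_dyn is created only for IPsec zones; add_to_zone/delete_from_zone rely on this` or create the chain for every zone when DYNAMIC_ZONES is set. activate_rules continues outside the hunk.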
@@ -6673,74 +6675,260 @@ add_to_zone() # $1 = [:] $2 = zone # validate_interfaces_file # + # Validate Hosts File + # + validate_hosts_file + # # Validate IPSec File # f=$(find_file ipsec) - if [ -f $f ]; then - progress_message "Processing $f..." - setup_ipsec $f - fi + [ -f $f ] && setup_ipsec $f + # + # Normalize host list + # + while [ $# -gt 1 ]; do + interface=${1%%:*} + host=${1#*:} + # + # Be sure that the interface was dynamic at last [re]start + # + if ! chain_exists $(input_chain $interface) ; then + startup_error "Unknown interface $interface" + fi + + if ! chain_exists $(dynamic_in $interface) ; then + startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" + fi + + if [ -z "$host" ]; then + hostlist="$hostlist $interface:0.0.0.0/0" + else + for h in $(separate_list $host); do + hostlist="$hostlist $interface:$h" + done + fi + + shift + done # # Validate Zone # - zone=$2 + zone=$1 validate_zone $zone || startup_error "Unknown zone: $zone" [ "$zone" = $FW ] && startup_error "Can't add $1 to firewall zone" - eval is_ipsec=\$${zone}_is_ipsec - eval options=\"\$${zone}_ipsec_options\" - eval in_options=\"\$${zone}_ipsec_in_options\" - eval out_options=\"\$${zone}_ipsec_out_options\" - - if [ -n "$is_ipsec" ]; then - [ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support" - policyin="-m policy --pol ipsec --dir in $options $in_options" - policyout="-m policy --pol ipsec --dir out $options $out_options" - elif [ -n "$POLICY_MATCH" ]; then - policyin="-m policy --pol none --dir in" - policyout="-m policy --pol none --dir out" - fi # # Be sure that Shorewall has been restarted using a DZ-aware version of the code # [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" # - # Be sure that the interface was dynamic at last [re]start + # Check for duplicates and create a new zone state file # - 
if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi + > ${STATEDIR}/zones_$$ - if ! chain_exists $(dynamic_in $interface) ; then - startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" - fi - # - # Normalize the first argument to this function - # - newhost="$interface:$host" + while read z hosts; do + if [ "$z" = "$zone" ]; then + for h in $hosts; do + for host in $hostlist; do + if [ "$h" = "$host" ]; then + rm -f ${STATEDIR}/zones_$$ + startup_error "$host already in zone $zone" + fi + done + done + + [ -z "$hosts" ] && hosts=$hostlist || hosts="$hosts $hostlist" + fi + + eval ${z}_hosts=\"$hosts\" + + echo "$z $hosts" >> ${STATEDIR}/zones_$$ + done < ${STATEDIR}/zones + + mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones terminator=fatal_error # # Create a new Zone state file # + for newhost in $hostlist; do + # + # Isolate interface and host parts + # + interface=${newhost%%:*} + host=${newhost#*:} + # + # If the zone passed in the command has a dnat chain then insert a rule in + # the nat table PREROUTING chain to jump to that chain when the source + # matches the new host(s)# + # + chain=${zone}_dnat + + if nat_chain_exists $chain; then + do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $(match_ipsec_in $zone $newhost) -j $chain + fi + # + # Insert new rules into the filter table for the passed interface + # + while read z1 z2 chain; do + if [ "$z1" = "$zone" ]; then + if [ "$z2" = "$FW" ]; then + do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain + else + source_chain=$(dynamic_fwd $interface) + if is_ipsec_host $z1 $newhost ; then + do_iptables -A $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd + else + eval dest_hosts=\"\$${z2}_hosts\" + + for h in $dest_hosts; do + iface=${h%%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + 
do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain + fi + done + fi + fi + elif [ "$z2" = "$zone" ]; then + if [ "$z1" = "$FW" ]; then + # + # Add a rule to the dynamic out chain for the interface + # + do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + else + eval source_hosts=\"\$${z1}_hosts\" + + for h in $source_hosts; do + iface=${h%%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + if is_ipsec_host $z1 $h; then + do_iptables -A ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + else + do_iptables -A $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain + fi + fi + done + fi + fi + done < ${STATEDIR}/chains + + progress_message "$newhost added to zone $zone" + + done + + rm -rf $TMP_DIR +} + +# +# Delete a host or networks from a zone +# +delete_from_zone() # $1 = [:] $2 = zone +{ + local interface host zone z h z1 z2 chain delhost + local dhcp_interfaces blacklist_interfaces maclist_interfaces tcpflags_interfaces + local rulenum source_chain dest_hosts iface hosts hostlist= + + # + # Load $zones + # + determine_zones + # + # Validate Interfaces File + # + validate_interfaces_file + # + # Validate Hosts File + # + validate_hosts_file + # + # Validate IPSec File + # + f=$(find_file ipsec) + + [ -f $f ] && setup_ipsec $f + + # + # Normalize host list + # + while [ $# -gt 1 ]; do + interface=${1%%:*} + host=${1#*:} + # + # Be sure that the interface was dynamic at last [re]start + # + if ! chain_exists $(input_chain $interface) ; then + startup_error "Unknown interface $interface" + fi + + if ! 
chain_exists $(dynamic_in $interface) ; then + startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf" + fi + + if [ -z "$host" ]; then + hostlist="$hostlist $interface:0.0.0.0/0" + else + for h in $(separate_list $host); do + hostlist="$hostlist $interface:$h" + done + fi + + shift + done + # + # Validate Zone + # + zone=$1 + + validate_zone $zone || startup_error "Unknown zone: $zone" + + [ "$zone" = $FW ] && startup_error "Can't delete from the firewall zone" + + # + # Be sure that Shorewall has been restarted using a DZ-aware version of the code + # + [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" + [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" + # + # Delete the passed hosts from the zone state file + # > ${STATEDIR}/zones_$$ - # - # Add $1 to the Zone state file - # + while read z hosts; do if [ "$z" = "$zone" ]; then - for h in $hosts; do - if [ "$h" = "$newhost" ]; then - rm -f ${STATEDIR}/zones_$$ - startup_error "$1 already in zone $zone" - fi + temp=$hosts + hosts= + + for host in $hostlist; do + found= + for h in $temp; do + if [ "$h" = "$host" ]; then + found=Yes + break + fi + done + + [ -n "$found" ] || error_message "Warning: $1 does not appear to be in zone $2" done - [ -z "$hosts" ] && hosts=$newhost || hosts="$hosts $newhost" + for h in $temp; do + found= + for host in $hostlist; do + if [ "$h" = "$host" ]; then + found=Yes + break + fi + done + + [ -n "$found" ] || hosts="$hosts $h" + done fi eval ${z}_hosts=\"$hosts\" 
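Review bot: After the normalisation loop has shifted the host arguments away, `$1` is the zone name, so `startup_error "Can't add $1 to firewall zone"` in add_to_zone prints the zone where the host was meant, and `error_message "Warning: $1 does not appear to be in zone $2"` in delete_from_zone prints the zone as the host and an empty string as the zone; these should read `startup_error "Can't add $hostlist to firewall zone"` and `error_message "Warning: $host does not appear to be in zone $zone"`. A second concern is ordering: add_to_zone commits the new hosts to `${STATEDIR}/zones` with `mv -f` before the first `do_iptables` call, and `do_iptables` now reports failures via `error_message` instead of aborting, so a failed rule insertion leaves the state file claiming a membership that the running ruleset does not implement, and a retry is then rejected as `already in zone`. If aborting is not wanted, consider writing the state file only after the rule loop has completed without error. add_to_zone's header is in an earlier hunk and delete_from_zone continues past the end of this one.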
@@ -6749,207 +6937,69 @@ add_to_zone() # $1 = [:] $2 = zone done < ${STATEDIR}/zones mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones - # - # If the zone passed in the command has a dnat chain then insert a rule in - # the nat table PREROUTING chain to jump to that chain when the source - # matches the new host(s)# - # - chain=${zone}_dnat - - if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain - fi - # - # Insert new rules into the filter table for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain - else - source_chain=$(dynamic_fwd $interface) - eval dest_hosts=\"\$${z2}_hosts\" - - for h in $dest_hosts; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain - fi - done - fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - # - # Add a rule to the dynamic out chain for the interface - # - do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - iface=${h%%:*} - hosts=${h#*:} - - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain - fi - done - fi - fi - done < ${STATEDIR}/chains - - rm -rf $TMP_DIR - - progress_message "$1 added to zone $2" -} - -# -# Delete a host or networks from a zone -# -delete_from_zone() # $1 = [:] $2 = zone -{ - # - # Delete the subject host(s) from the zone state file - # - delete_from_zones_file() - { - > ${STATEDIR}/zones_$$ - - while read z hosts; do - if [ "$z" = "$zone" ]; then - 
temp=$hosts - hosts= - - for h in $temp; do - if [ "$h" = "$delhost" ]; then - echo Yes - else - hosts="$hosts $h" - fi - done - fi - - echo "$z $hosts" >> ${STATEDIR}/zones_$$ - done < ${STATEDIR}/zones - - mv -f ${STATEDIR}/zones_$$ ${STATEDIR}/zones - } - # - # Isolate interface and host parts - # - interface=${1%%:*} - host=${1#*:} - - [ -z "$host" ] && host="0.0.0.0/0" - # - # Load $zones - # - determine_zones - - f=$(find_file ipsec) - if [ -f $f ]; then - progress_message "Processing $f..." - setup_ipsec $f - fi - - zone=$2 - - validate_zone $zone || startup_error "Unknown zone: $zone" - - [ "$zone" = $FW ] && startup_error "Can't remove $1 from firewall zone" - - eval is_ipsec=\$${zone}_is_ipsec - eval options=\"\$${zone}_ipsec_options\" - eval in_options=\"\$${zone}_ipsec_in_options\" - eval out_options=\"\$${zone}_ipsec_out_options\" - - if [ -n "$is_ipsec" ]; then - [ -n "$POLICY_MATCH" ] || startup_error "Your kernel and/or iptables lacks policy match support" - policyin="-m policy --pol ipsec --dir in $options $in_options" - policyout="-m policy --pol ipsec --dir out $options $out_options" - elif [ -n "$POLICY_MATCH" ]; then - policyin="-m policy --pol none --dir in" - policyout="-m policy --pol none --dir out" - fi - # - # Be sure that Shorewall has been restarted using a DZ-aware version of the code - # - [ -f ${STATEDIR}/chains ] || startup_error "${STATEDIR}/chains -- file not found" - [ -f ${STATEDIR}/zones ] || startup_error "${STATEDIR}/zones -- file not found" - # - # Be sure that the interface was present at last [re]start - # - if ! chain_exists $(input_chain $interface) ; then - startup_error "Unknown interface $interface" - fi - - if ! 
chain_exists $(dynamic_in $interface) ; then - startup_error "Interface $interface is not dynamic" - fi - # - # Normalize the first argument to this function - # - delhost="$interface:$host" - # - # Delete the passed hosts from the zone state file - # - [ -z "$(delete_from_zones_file)" ] && \ - error_message "Warning: $1 does not appear to be in zone $2" - # - # Construct the zone host maps - # - while read z hosts; do - eval ${z}_hosts=\"$hosts\" - done < ${STATEDIR}/zones terminator=fatal_error - # - # Delete any nat table entries for the host(s) - # - qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j ${zone}_dnat - # - # Delete rules rules the input chains for the passed interface - # - while read z1 z2 chain; do - if [ "$z1" = "$zone" ]; then - if [ "$z2" = "$FW" ]; then - qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain - else - source_chain=$(dynamic_fwd $interface) - eval dest_hosts=\"\$${z2}_hosts\" - for h in $dest_hosts $delhost; do - iface=${h%%:*} - hosts=${h#*:} + for delhost in $hostlist; do + interface=${delhost%%:*} + host=${delhost#*:} + # + # Delete any nat table entries for the host(s) + # + qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $zone $delhost) -j ${zone}_dnat + # + # Delete rules rules the input chains for the passed interface + # + while read z1 z2 chain; do + if [ "$z1" = "$zone" ]; then + if [ "$z2" = "$FW" ]; then + qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $delhost) -j $chain + else + source_chain=$(dynamic_fwd $interface) + if is_ipsec_host $z1 $delhost ; then + qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd + else + eval dest_hosts=\"\$${z2}_hosts\" - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) 
$policyout -j $chain + [ "$z2" = "$zone" ] && dest_hosts="$dest_hosts $hostlist" + + for h in $dest_hosts; do + iface=${h%%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain + fi + done fi - done + fi + elif [ "$z2" = "$zone" ]; then + if [ "$z1" = "$FW" ]; then + qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain + else + eval source_hosts=\"\$${z1}_hosts\" + + for h in $source_hosts; do + iface=${h%%:*} + hosts=${h#*:} + + if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then + if is_ipsec_host $z1 $h; then + qt_iptables -D ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain + else + qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $delhost) -j $chain + fi + fi + done + fi fi - elif [ "$z2" = "$zone" ]; then - if [ "$z1" = "$FW" ]; then - qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain - else - eval source_hosts=\"\$${z1}_hosts\" - - for h in $source_hosts; do - iface=${h%%:*} - hosts=${h#*:} + done < ${STATEDIR}/chains - if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain - fi - done - fi - fi - done < ${STATEDIR}/chains + progress_message "$delhost removed from zone $zone" + done + rm -rf $TMP_DIR - - progress_message "$1 removed from zone $2" } # @@ -7066,6 +7116,7 @@ do_initialize() { DELAYBLACKLISTLOAD= LOGTAGONLY= LOGALLNEW= + DROPINVALID= RESTOREBASE= TMP_DIR= 
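Review bot: `qt_iptables -D $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd` in delete_from_zone uses `$newhost`, but this function iterates with `for delhost in $hostlist` and never assigns `newhost`, so `match_ipsec_in` is evaluated for an empty (or, within the same process, stale) host and the IPsec forward rule is not removed; it should be `$(match_ipsec_in $z1 $delhost)`, matching the `_dnat` and `${z1}_dyn` deletions around it. Relatedly, the earlier hunk dropped `newhost` from add_to_zone's `local` list while `for newhost in $hostlist` still assigns it, and `temp` and `found` in delete_from_zone are not declared local either, so these now write shell globals; whether that matters depends on $SHOREWALL_SHELL's `local` semantics, but adding them to the existing `local` lines is cheap. delete_from_zone's header is in the previous hunk.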
@@ -7121,7 +7172,7 @@ do_initialize() { ensure_config_path # # Determine the capabilities of the installed iptables/netfilter - # We load the kernel modules here to acurately determine + # We load the kernel modules here to acuray determine # capabilities when module autoloading isn't enabled. # @@ -7260,6 +7311,7 @@ do_initialize() { RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD) LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY) + DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) # # Strip the files that we use often # @@ -7406,7 +7458,7 @@ case "$COMMAND" in ;; add) - [ $# -ne 3 ] && usage + [ $# -lt 3 ] && usage do_initialize my_mutex_on if ! qt $IPTABLES -L shorewall -n ; then @@ -7415,12 +7467,13 @@ case "$COMMAND" in my_mutex_off exit 2; fi - add_to_zone $2 $3 + shift + add_to_zone $@ my_mutex_off ;; delete) - [ $# -ne 3 ] && usage + [ $# -lt 3 ] && usage do_initialize my_mutex_on if ! qt $IPTABLES -L shorewall -n ; then @@ -7429,7 +7482,8 @@ case "$COMMAND" in my_mutex_off exit 2; fi - delete_from_zone $2 $3 + shift + delete_from_zone $@ my_mutex_off ;; diff --git a/LrpN/usr/share/shorewall/help b/LrpN/usr/share/shorewall/help index 61551ab34..63b87f2e6 100755 --- a/LrpN/usr/share/shorewall/help +++ b/LrpN/usr/share/shorewall/help @@ -29,10 +29,10 @@ case $1 in add) - echo "add: add [:][:] - Adds a host or subnet to a dynamic zone usually used with VPN's. + echo "add: add [:][:] ... + Adds a list of hosts or subnets to a dynamic zone usually used with VPN's. - shorewall add interface[:host] zone - Adds the specified interface + shorewall add interface[:][:host-list] ... zone - Adds the specified interface (and bridge port/host if included) to the specified zone. Example: 
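Review bot: The comment change in the `do_initialize` hunk at 7121 replaces the misspelling `acurately` with `acuray`, which is also not a word; the intended word is `accurately`, so the line should read `# We load the kernel modules here to accurately determine`. The body of do_initialize lies mostly outside these hunks.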
@@ -95,11 +95,11 @@ debug) ;; delete) - echo "delete: delete [:][:] + echo "delete: delete [:][:] ... Deletes a host or subnet from a dynamic zone usually used with VPN's. - shorewall delete interface[:port][:host] zone - Deletes the specified - interface (and bridge port/host if included) from the specified zone. + shorewall delete interface[:port][:host-list] ... zone - Deletes the specified + interfaces (and bridge ports/hosts if included) from the specified zone. Example: diff --git a/LrpN/usr/share/shorewall/version b/LrpN/usr/share/shorewall/version index 9d7c5ddc1..3e2e9939a 100644 --- a/LrpN/usr/share/shorewall/version +++ b/LrpN/usr/share/shorewall/version @@ -1 +1 @@ -2.2.0-Beta7 +2.2.0-Beta8 diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh index 4ba2a358b..abe692da6 100755 --- a/Shorewall2/fallback.sh +++ b/Shorewall2/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=2.2.0-Beta7 +VERSION=2.2.0-Beta8 usage() # $1 = exit status { diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh index a56fa231f..bb92a6a62 100755 --- a/Shorewall2/install.sh +++ b/Shorewall2/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=2.2.0-Beta7 +VERSION=2.2.0-Beta8 usage() # $1 = exit status { diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec index 85c748fd7..e6d59a818 100644 --- a/Shorewall2/shorewall.spec +++ b/Shorewall2/shorewall.spec @@ -1,6 +1,6 @@ %define name shorewall %define version 2.2.0 -%define release 0Beta7 +%define release 0Beta8 %define prefix /usr Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. 
@@ -137,6 +137,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Sat Dec 11 2004 Tom Eastep tom@shorewall.net +- Updated to 2.2.0-0Beta8 * Mon Nov 29 2004 Tom Eastep tom@shorewall.net - Updated to 2.2.0-0Beta7 * Fri Nov 26 2004 Tom Eastep tom@shorewall.net diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh index 4393762a8..e0db83b6d 100755 --- a/Shorewall2/uninstall.sh +++ b/Shorewall2/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=2.2.0-Beta7 +VERSION=2.2.0-Beta8 usage() # $1 = exit status {