From 6cc17e8a329a001d1b02cc160383d491669e894c Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 14 Mar 2007 19:33:31 +0000 Subject: [PATCH] Fix CONTINUE policy bug and document other changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5525 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 6 ++++++ Shorewall/compiler | 4 +++- Shorewall/releasenotes.txt | 40 ++++++++++++++++++++++++++++++-------- 3 files changed, 41 insertions(+), 9 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index d78fa2ea1..82307b8fe 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -2,6 +2,12 @@ Changes in 3.4.1 1) Add rest of proxy arp fix. +2) Fix two problems with log-prefix handling. + +3) Nested Zones produced shell errors. + +4) CONTINUE policies generated invalid iptables input. + Changes in 3.4.0 Final 1) Add missing logic for "!" rules. diff --git a/Shorewall/compiler b/Shorewall/compiler index 9b2d51566..a503d7372 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -486,7 +486,7 @@ validate_policy() eval parents=\$${zone}_parents if [ -n "$parents" ]; then for zone1 in $ZONES $FW; do - if $zone != $zone1; then + if [ $zone != $zone1 ]; then chain=${zone}2${zone1} eval ${chain}_is_policy=Yes eval ${chain}_is_optional=Yes @@ -3067,6 +3067,8 @@ policy_rules() # $1 = chain to add rules to REJECT) run_iptables -A $1 -j reject ;; + CONTINUE) + ;; *) run_iptables -A $1 -j $target ;; diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 9bdd464c3..aa7be4cef 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -30,14 +30,38 @@ Release Highlights Problems Corrected in 3.4.1 -1) The "shorewall-[lite] [re]start and stop" commands reset the - proxy_arp flag on all interfaces on the system making it impossible - to control proxy arp manually with Shorewall installed. There was a - partial fix included in 3.4.0; unfortunately, it did not correct the - problem completely. Shorewall 3.4.1 includes the rest of the change - necessarey to only clear proxy arp if there were entries in - /etc/shorewall/proxyarp the last time that Shorewall was - [re]started. +1) The "shorewall-[lite] [re]start and stop" commands reset the + proxy_arp flag on all interfaces on the system making it impossible + to control proxy arp manually with Shorewall installed. There was a + partial fix included in 3.4.0; unfortunately, it did not correct the + problem completely. Shorewall 3.4.1 includes the rest of the change + necessarey to only clear proxy arp if there were entries in + /etc/shorewall/proxyarp the last time that Shorewall was + [re]started. + +2) If the log-prefix in a log message exceeded 29 characters, + 'shorewall restart' fails with 'truncate: command not found' and a + possible segmentation fault in iptables. + +3) Log messages specifying a log tag had two spaces appended to the + log prefix. This could cause mysterious "log-prefix truncated" + messages. + +4) When nested zones were defined in the /etc/shorewall/zones file, + shell error messages ( usually ': not found' ) during + compilation resulted. + +5) Use of CONTINUE policies lead to startup errors with a message + such as the following: + + Applying Policies... + iptables v1.3.7: Couldn't load target + `CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open + shared object file: No such file or directory + + Try `iptables -h' or 'iptables --help' for more information. + + ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" Failed Migration Considerations:
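Review bot: in the Shorewall/changelog.txt hunk, entry 2 ("Fix two problems with log-prefix handling.") is vaguer than the release notes added in the same commit, which spell out the two problems (the 'truncate: command not found' failure for prefixes over 29 characters, and the two extra spaces appended when a log tag is used); consider naming both in the changelog entry so it stands on its own.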
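Review bot: in the validate_policy() hunk of Shorewall/compiler, the corrected line `if [ $zone != $zone1 ]; then` leaves both operands unquoted, so an empty `$zone` or `$zone1` turns the test into a `[` syntax error instead of a comparison; suggest `if [ "$zone" != "$zone1" ]; then`. The removed form `if $zone != $zone1; then` executed the zone name as a command, which is consistent with the ': not found' shell errors the release notes attribute to nested zones.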
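Review bot: the new `CONTINUE)` arm in the policy_rules() hunk of Shorewall/compiler is empty and uncommented, so a later reader cannot tell whether emitting no rule is deliberate; add a short comment on the arm stating that CONTINUE is not a loadable iptables target (as the `Couldn't load target 'CONTINUE'` failure in the release notes shows) and that the chain is intentionally left without a terminating rule for this policy.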
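Review bot: in the Shorewall/releasenotes.txt hunk, the re-added item 1 differs from the removed block only in whitespace and carries the typo "necessarey" through unchanged; since these lines are being rewritten anyway, correct it to "necessary". In item 5, "Use of CONTINUE policies lead to startup errors" should read "led to".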