From 6e73d52321f65cac78bf0079c5726328f8cc4e30 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 6 Jul 2007 15:22:57 +0000 Subject: [PATCH] Fix ZONE type check in tunnels file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6795 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 4 +++ Shorewall-common/releasenotes.txt | 56 +++++++---------------------- Shorewall-perl/Shorewall/Tunnels.pm | 7 ++-- web/shorewall_index.htm | 12 +++---- 4 files changed, 27 insertions(+), 52 deletions(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index bb8f6d5dd..4a161af07 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,7 @@ +Changes in 4.0.0 RC 2 + +1) Fix zone type check in Tunnels File. + Changes in 4.0.0 RC 1 1) shorewall-perl RPM no longer installable under shorewall 3.4. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 56eff5453..3bdef4d4f 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 4.0.0 RC 1 +Shorewall 4.0.0 RC 2 ---------------------------------------------------------------------------- R E L E A S E H I G H L I G H T S ---------------------------------------------------------------------------- 
@@ -12,9 +12,12 @@ Shorewall 4.0.0 RC 1 - Shorewall-shell ( the shell-based compiler ) - Shorewall-perl (the Perl-based compiler ) - You must install Shorewall-common and at least one of the compiler - packages (you may install them both). See the Migration - Considerations below for further information. + You must install at least one of the compiler packages (you may + install them both) along with Shorewall-common. + + YOU DO NOT NEED TO UNINSTALL ANY OF YOUR CURRENT PACKAGES. + + See the Migration Considerations below for further information. 3) The facilities for supporting bridge/firewalls under earlier releases are deprecated and their documentation is omitted from the 
@@ -22,49 +25,14 @@ Shorewall 4.0.0 RC 1 Shorewall-perl compiler. This support utilizes the reduced-function physdev match support available in Linux kernel 2.6.20 and later. -Problems corrected in 4.0.0 RC 1. +Problems corrected in 4.0.0 RC 2. -1) If 'routeback' and 'detectnets' were specified on an interface, - limited broadcasts (to 255.255.255.255) and multicasts were dropped - when forwarded through the interface. This could cause broadcast - and multicast based applications to fail when running through a - bridge with 'detectnets'. +1) Shorewall-perl now correctly permits zones of type 'ipsec' in the + ZONE column of /etc/shorewall/tunnels. -2) Entries in the hosts file are now more carefully validated by - Shorewall-perl. Previously, very obvious typing errors would result - in run-time errors. +Other changes in Shorewall 4.0.0 RC 2. -3) "shorewall start" and "shorewall restart" with Shorewall-perl no - longer fail on SELinux due to iptables-restore not being allowed to - read from /var. - -4) ipsec zones are now allowed in the GATEWAY ZONE(S) column when - using Shorewall-perl. - -5) A fatal error is now raised if the Shorewall-perl compiler is - unable to secure the output file for execute access. - -6) Shell variables that have a value of zero are now handled - correctly. - -Other changes in Shorewall 4.0.0 RC 1. - -1) The shorewall-perl RPM may no longer be installed under Shorewall - 3.4. It requires shorewall-common. - -2) The Shorewall-perl compiler's CPU utilization has been reduced - further. - -3) ":noah" is now the default for all IPSEC tunnels. Tunnels that use - AH (protocol 51) must specify "ipsec:ah" in the TYPE column. - -4) The 'refresh' command has been restored. It now behaves like - 'restart' except: - - - 'refresh' fails if Shorewall is not started. - - A directory name cannot be passed to 'refresh'. - - 'refresh' only rebuilds the static blacklist whereas 'restore' - rebuilds the entire Netfilter ruleset. +None. 
Migration Considerations: diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm index 95a0de07e..6312b7779 100644 --- a/Shorewall-perl/Shorewall/Tunnels.pm +++ b/Shorewall-perl/Shorewall/Tunnels.pm @@ -81,7 +81,8 @@ sub setup_tunnels() { unless ( $gatewayzones eq '-' ) { for my $zone ( split /,/, $gatewayzones ) { fatal_error "Unknown zone ($zone)" unless $zones{$zone}; - fatal_error "Invalid zone ($zone)" if $zones{$zone}{type} eq 'firewall'; + my $type = $zones{$zone}{type}; + fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4'; $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1; $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1; @@ -227,7 +228,9 @@ sub setup_tunnels() { fatal_error "Unknown zone ($zone)" unless $zones{$zone}; - fatal_error "Invalid zone ($zone)" unless $zones{$zone}{type} eq 'ipv4'; + my $zonetype = $zones{$zone}{type}; + + fatal_error "Invalid zone ($zone) for tunnel ZONE" if $zonetype eq 'firewall' || $zonetype eq 'bport4'; my $inchainref = ensure_filter_chain "${zone}2${firewall_zone}", 1; my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1; diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index c591cc2ef..d1aa29e55 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2007-06-29

+

2007-07-05


Table of Contents

@@ -131,20 +131,20 @@ is 3.2.10
href="http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/">updates. The current Development Release is -4.0.0 Beta 7 +4.0.0 RC1
-Read about the New Development Release +Read about the New Development Release here.
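Review bot: in the GATEWAY ZONE(S) check in Shorewall/Tunnels.pm (hunk @@ -81,7 +81,8 @@), replacing the single `eq 'firewall'` test with `$type eq 'firewall' || $type eq 'bport4'` turns the check into a deny-list, so every zone type other than those two is accepted, including any type introduced later. If the intent is to allow exactly 'ipv4' and 'ipsec' (the RC 1 release note "ipsec zones are now allowed in the GATEWAY ZONE(S) column" reads that way), an allow-list states it directly: `fatal_error "Invalid zone ($zone) for GATEWAY ZONE" unless $type eq 'ipv4' || $type eq 'ipsec';`.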
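Review bot: the ZONE-column check in the second Tunnels.pm hunk (@@ -227,7 +228,9 @@) repeats the type test from the GATEWAY ZONE(S) hunk with only the message text differing; a small helper taking the zone name and a column label would keep the two tests in step. The same allow-list question applies here, and it is the one the commit is about: the original `unless $zones{$zone}{type} eq 'ipv4'` is what rejected 'ipsec', and the replacement `if $zonetype eq 'firewall' || $zonetype eq 'bport4'` admits every other type rather than adding 'ipsec' explicitly. Minor: the blank line between `my $zonetype = $zones{$zone}{type};` and the `fatal_error` is absent in the otherwise identical GATEWAY ZONE(S) hunk; pick one layout.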
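Review bot: the new "Problems corrected in 4.0.0 RC 2" entry in releasenotes.txt documents only the ZONE-column fix, but the Tunnels.pm change also tightens the GATEWAY ZONE(S) check to reject 'bport4' zones, which the previous `eq 'firewall'` test let through. That is a behaviour change for existing configurations using a bridge-port zone as a tunnel gateway (they will now fail with "Invalid zone ... for GATEWAY ZONE" at compile time), so it deserves a line in the release notes and changelog.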
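Review bot: web/shorewall_index.htm (hunk @@ -131,20 +131,20 @@) now announces the current Development Release as "4.0.0 RC1" and dates the page 2007-07-05, while changelog.txt and releasenotes.txt in the same commit are moved to 4.0.0 RC 2; confirm which release the index page should name so the three files agree.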