holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

New version

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7858 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-12-07 21:17:14 +00:00
parent 74868063b9
commit 8e9d2067d6
17 changed files with 236 additions and 232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Shorewall-common/changelog.txt
View File

@ -1,3 +1,11 @@
Changes in 4.1.3
1) Fix NFLOG/ULOG upcasing problem.
2) Fix STARTUP_LOG without LOG_VERBOSITY.
3) Fix LOG_VERBOSITY without STARTUP_LOG.
Changes in 4.1.2
1) Enhanced Operational Logging

2
Shorewall-common/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.1.2
VERSION=4.1.3
usage() # $1 = exit status
{

2
Shorewall-common/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.1.2
VERSION=4.1.3
usage() # $1 = exit status
{

396
Shorewall-common/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 4.1 Patch Release 2.
Shorewall 4.1 Patch Release 3.
----------------------------------------------------------------------------
R E L E A S E 4 . 1 H I G H L I G H T S
@ -10,217 +10,21 @@ Shorewall 4.1 Patch Release 2.
3) Enhanced operational logging
Problems corrected in Shorewall 4.1.2.
Problems corrected in Shorewall 4.1.3.
1) If any of the following files was missing, a harmless Perl warning
was issued:
1) If NFLOG or ULOG was specified with parameters, the resulting
iptables-restore input contained elements that were incorrectly
up-cased.
accounting
maclist
masq
nat
netmap
rfc1918
routestopped
tunnels
2) If STARTUP_LOG is specified without LOG_VERBOSITY, /sbin/shorewall
produces an error.
This problem was experienced mostly by Debian users and users of
Debian derivatives such as Ubuntu.
3) If LOG_VERBOSITY is specified without STARTUP_LOG, run-time error
messages are produced.
2) The iptables utility doesn't retry operations that fail due to
resource shortage. Beginning with this release, Shorewall reruns
iptables when such a failure occurs.
Other changes in Shorewall 4.1.3.
3) Previously, Shorewall-perl did not accept log levels in upper case
(e.g., INFO). Log levels are treated in a case-insensitive manner
by Shorewall-perl.
4) The column headers in macro files were not aligned. This has been
corrected, along with some inaccuracies in the macro.template file.
5) The shorewall.conf files in the Samples did not contain some
recently-defined options. They are now up to date.
6) The names of the Jabber macros were shuffled. They are now named
correctly.
Other changes in Shorewall 4.1.2.
1) Shorewall 4.1.2 contains enhanced operational logging capabilities
through a set of related enhancements to Shorewall-common and
Shorewall-perl. The enhancements are not supported by
Shorewall-shell nor are they supported by Shorewall-lite except
when the script is compiled using Shorewall-perl.
a) The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives
the name of the Shorewall operational log. The log will be
created if it does not exist.
b) The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives
the verbosity at which logging will occur. It uses the same
value range as VERBOSITY:
-1 Do not log
0 Almost quiet
1 Only major steps
2 Verbose
c) An absolute VERBOSITY may be specified on the command line
using the -v option followed by -1,0,1 or 2.
Example:
shorewall -v2 check
d) The /etc/init.d/shorewall script supplied with the
shorewall.net packages sets '-v0' as the default. This may be
overridden with the OPTIONS setting in /etc/defaults/shorewall or
/etc/sysconfig/shorewall.
Logging occurs on both Shorewall-perl and the generated script when
the following commands are issued:
start
restart
refresh
Messages in the log are always timestamped.
This change implemented two new options to the Shorewall-perl
compiler (/usr/share/shorewall-perl/compiler.pl).
--log=<logfile>
--log_verbosity={-1|0-2}
The --log option is ignored when --log_verbosity is not supplied or
is supplied with value -1.
To avoid a proliferation of parameters to
Shorewall::Compiler::compile(), that function has been changed to
use named parameters. Parameter names are:
object Object file. If omitted or '', the
configuration is syntax checked.
directory Directory. If omitted or '', configuration
files are located using
CONFIG_PATH. Otherwise, the directory named by
this parameter is searched first.
verbosity Verbosity; range -1 to 2
timestamp 0|1 -- timestamp messages.
debug 0|1 -- include stack trace in warning/error
messages.
export 0|1 -- compile for export.
chains List of chains to be reloaded by 'refresh'.
log File to log compiler messages to.
log_verbosity Log Verbosity; range -1 to 2.
Those parameters that are supplied must have defined values.
Defaults are:
object '' ('check' command)
directory ''
verbosity 1
timestamp 0
debug 0
export 0
chains ''
log ''
log_verbosity -1
Example:
use lib '/usr/share/shorewall-perl/';
use Shorewall::Compiler;
compiler( object => '/root/firewall',
log => '/root/compile.log',
log_verbosity => 2 );
2) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
mark values < 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING table.
3) Previously, Shorewall did not range-check the value of the
VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.1.2:
a) A VERBOSITY setting outside the range -1 through 2 is rejected.
b) After the -v and -q options are applied, the resulting value is
adjusted to fall within the range -1 through 2.
4) The tcdevices file has been extended to include an OPTIONS
column. Currently only a single option is defined.
classify When specified, you must use explicit CLASSIFY tcrules
to classify traffic by class. Shorewall will not create
any CLASSIFY rules to classify traffic by mark value.
The 'classify' option should be specified when you want to do all
classification using CLASSIFY tcrules. Because CLASSIFY is not a
terminating target, every packet passes through all CLASSIFY
rules. 'classify' can prevent packets from having to pass through
useless additional rules.
Example:
/etc/shorewall/tcdevices
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
$EXT_IF 1300kbit 384kbit classify
/etc/shorewall/tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 2*full/10 6*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3
/etc/shorewall/tcrules
#MARK SOURCE DEST PROTO PORT(S) SOURCE
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF
1:130 206.124.146.177 $EXT_IF tcp - 873
This example shows my own simple traffic shaping configuration. I
have three classes; one for traffic from our local network, one for
rsync from the master shorewall.net server, and one for all other
DMZ traffic. I use CLASSIFY rules to assign traffic to the first
and third class and let the rest default to the second class.
5) COMMENT lines are now supported in macro bodies by Shorewall-perl
and are ignored by the Shorewall-shell compiler. The standard
macros (with the exception of macro.Drop and macro.Reject) have
been modified to include a COMMENT line describing the macro.
COMMENT lines in macros work slightly differently from COMMENT
lines in other files. COMMENT lines in macros are ignored if
COMMENT support is not available or if there was a COMMENT in use
when the top-level macro was invoked. This allows the
following:
/usr/share/shorewall/macro.SSH:
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
COMMENT SSH
PARAM - - tcp 22
/etc/shorewall/rules:
COMMENT Allow SSH from home
SSH/ALLOW net:$MYIP $FW
COMMENT
The comment line in macro.SSH will not override the
COMMENT line in the rules file and the generated rule will show
/* Allow SSH from home */
when displayed through the Shorewall show and dump commands.
None.
Migration Issues.
@ -334,7 +138,7 @@ New Features in Shorewall 4.1.
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080
5) Shorewall-perl 4.1.0 implements an alternative syntax for macro
5) Shorewall-perl 4.1 implements an alternative syntax for macro
parameters and for the NFQUEUE queue number. Rather than following
the macro name (or NFQUEUE) with a slash ("/") and the parameter,
the parameter may be enclosed in parentheses.
@ -346,3 +150,179 @@ New Features in Shorewall 4.1.
The old syntax will still be accepted but will cease to be documented
in some future Shorewall release.
6) Shorewall 4.1 contains enhanced operational logging capabilities
through a set of related enhancements to Shorewall-common and
Shorewall-perl. The enhancements are not supported by
Shorewall-shell nor are they supported by Shorewall-lite except
when the script is compiled using Shorewall-perl.
a) The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives
the name of the Shorewall operational log. The log will be
created if it does not exist.
b) The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives
the verbosity at which logging will occur. It uses the same
value range as VERBOSITY:
-1 Do not log
0 Almost quiet
1 Only major steps
2 Verbose
c) An absolute VERBOSITY may be specified on the command line
using the -v option followed by -1,0,1 or 2.
Example:
shorewall -v2 check
d) The /etc/init.d/shorewall script supplied with the
shorewall.net packages sets '-v0' as the default. This may be
overridden with the OPTIONS setting in /etc/defaults/shorewall or
/etc/sysconfig/shorewall.
Logging occurs on both Shorewall-perl and the generated script when
the following commands are issued:
start
restart
refresh
Messages in the log are always timestamped.
This change implemented two new options to the Shorewall-perl
compiler (/usr/share/shorewall-perl/compiler.pl).
--log=<logfile>
--log_verbosity={-1|0-2}
The --log option is ignored when --log_verbosity is not supplied or
is supplied with value -1.
To avoid a proliferation of parameters to
Shorewall::Compiler::compile(), that function has been changed to
use named parameters. Parameter names are:
object Object file. If omitted or '', the
configuration is syntax checked.
directory Directory. If omitted or '', configuration
files are located using
CONFIG_PATH. Otherwise, the directory named by
this parameter is searched first.
verbosity Verbosity; range -1 to 2
timestamp 0|1 -- timestamp messages.
debug 0|1 -- include stack trace in warning/error
messages.
export 0|1 -- compile for export.
chains List of chains to be reloaded by 'refresh'.
log File to log compiler messages to.
log_verbosity Log Verbosity; range -1 to 2.
Those parameters that are supplied must have defined values.
Defaults are:
object '' ('check' command)
directory ''
verbosity 1
timestamp 0
debug 0
export 0
chains ''
log ''
log_verbosity -1
Example:
use lib '/usr/share/shorewall-perl/';
use Shorewall::Compiler;
compiler( object => '/root/firewall',
log => '/root/compile.log',
log_verbosity => 2 );
7) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
mark values < 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING table.
8) Previously, Shorewall did not range-check the value of the
VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.1:
a) A VERBOSITY setting outside the range -1 through 2 is rejected.
b) After the -v and -q options are applied, the resulting value is
adjusted to fall within the range -1 through 2.
9) The tcdevices file has been extended to include an OPTIONS
column. Currently only a single option is defined.
classify When specified, you must use explicit CLASSIFY tcrules
to classify traffic by class. Shorewall will not create
any CLASSIFY rules to classify traffic by mark value.
The 'classify' option should be specified when you want to do all
classification using CLASSIFY tcrules. Because CLASSIFY is not a
terminating target, every packet passes through all CLASSIFY
rules. 'classify' can prevent packets from having to pass through
useless additional rules.
Example:
/etc/shorewall/tcdevices
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
$EXT_IF 1300kbit 384kbit classify
/etc/shorewall/tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 2*full/10 6*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3
/etc/shorewall/tcrules
#MARK SOURCE DEST PROTO PORT(S) SOURCE
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF
1:130 206.124.146.177 $EXT_IF tcp - 873
This example shows my own simple traffic shaping configuration. I
have three classes; one for traffic from our local network, one for
rsync from the master shorewall.net server, and one for all other
DMZ traffic. I use CLASSIFY rules to assign traffic to the first
and third class and let the rest default to the second class.
10) COMMENT lines are now supported in macro bodies by Shorewall-perl
and are ignored by the Shorewall-shell compiler. The standard
macros (with the exception of macro.Drop and macro.Reject) have
been modified to include a COMMENT line describing the macro.
COMMENT lines in macros work slightly differently from COMMENT
lines in other files. COMMENT lines in macros are ignored if
COMMENT support is not available or if there was a COMMENT in use
when the top-level macro was invoked. This allows the
following:
/usr/share/shorewall/macro.SSH:
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
COMMENT SSH
PARAM - - tcp 22
/etc/shorewall/rules:
COMMENT Allow SSH from home
SSH/ALLOW net:$MYIP $FW
COMMENT
The comment line in macro.SSH will not override the
COMMENT line in the rules file and the generated rule will show
/* Allow SSH from home */
when displayed through the Shorewall show and dump commands.

4
Shorewall-common/shorewall-common.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-common
%define version 4.1.2
%define version 4.1.3
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -243,6 +243,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog
* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-1
* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.2-1
* Wed Nov 21 2007 Tom Eastep tom@shorewall.net

2
Shorewall-common/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.1.2
VERSION=4.1.3
usage() # $1 = exit status
{

2
Shorewall-lite/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=4.1.2
VERSION=4.1.3
usage() # $1 = exit status
{

2
Shorewall-lite/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.1.2
VERSION=4.1.3
usage() # $1 = exit status
{

4
Shorewall-lite/shorewall-lite.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-lite
%define version 4.1.2
%define version 4.1.3
%define release 1
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,6 +98,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-1
* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.2-1
* Wed Nov 21 2007 Tom Eastep tom@shorewall.net

2
Shorewall-lite/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.1.2
VERSION=4.1.3
usage() # $1 = exit status
{

12
Shorewall-perl/Shorewall/Compiler.pm
View File

@ -82,7 +82,11 @@ sub generate_script_1() {
my $date = localtime;
if ( $config{COMPILER_TEST} ) {
emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
} else {
emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl $globals{VERSION} - $date\n#";
}
copy $globals{SHAREDIRPL} . 'prog.header';
@ -138,9 +142,11 @@ sub generate_script_1() {
emit ( '[ -n "${COMMAND:=restart}" ]',
'[ -n "${VERBOSE:=0}" ]',
qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
'[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"',
qq(VERSION="$globals{VERSION}") ,
qq(PATH="$config{PATH}") ,
'[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
emit ( qq(VERSION="$globals{VERSION}") ) unless $config{COMPILER_TEST};
emit ( qq(PATH="$config{PATH}") ,
'TERMINATOR=fatal_error' ,
qq(DONT_LOAD="@dont_load") ,
qq(STARTUP_LOG="$config{STARTUP_LOG}") ,

8
Shorewall-perl/Shorewall/Config.pm
View File

@ -105,7 +105,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
Exporter::export_ok_tags('internal');
our $VERSION = 4.1.2;
our $VERSION = 4.1.3;
#
# describe the current command, it's present progressive, and it's completion.
@ -253,14 +253,15 @@ sub initialize() {
ORIGINAL_POLICY_MATCH => '',
LOGPARMS => '',
TC_SCRIPT => '',
VERSION => '4.1.2',
VERSION => '4.1.3',
CAPVERSION => 40100 ,
);
#
# From shorewall.conf file
#
%config =
( STARTUP_ENABLED => undef,
( COMPILER_TEST => undef,
STARTUP_ENABLED => undef,
VERBOSITY => undef,
#
# Logging
@ -1799,6 +1800,7 @@ sub get_configuration( $ ) {
$config{LOG_VERBOSITY} = -1;
}
default_yes_no 'COMPILER_TEST' , '';
default_yes_no 'ADD_IP_ALIASES' , 'Yes';
default_yes_no 'ADD_SNAT_ALIASES' , '';
default_yes_no 'DETECT_DNAT_IPADDRS' , '';

2
Shorewall-perl/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.1.2
VERSION=4.1.3
usage() # $1 = exit status
{

4
Shorewall-perl/shorewall-perl.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-perl
%define version 4.1.2
%define version 4.1.3
%define release 1
Summary: Shoreline Firewall Perl-based compiler.
@ -64,6 +64,8 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING releasenotes.txt
%changelog
* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-1
* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.2-1
* Wed Nov 21 2007 Tom Eastep tom@shorewall.net

2
Shorewall-shell/install.sh
View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.1.2
VERSION=4.1.3
usage() # $1 = exit status
{

4
Shorewall-shell/shorewall-shell.spec
View File

@ -1,5 +1,5 @@
%define name shorewall-shell
%define version 4.1.2
%define version 4.1.3
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -81,6 +81,8 @@ fi
%doc COPYING INSTALL
%changelog
* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-1
* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.2-1
* Wed Nov 21 2007 Tom Eastep tom@shorewall.net

10
web/shorewall_index.htm
View File

@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
license is included in the section entitled “<a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>”.</p>
<p>2007-12-05</p>
<p>2007-12-06</p>
<hr style="width: 100%; height: 2px;">
<h2>Table of Contents</h2>
@ -141,15 +141,15 @@ is 3.4.7<br>
href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/">updates</a>.</li>
</ul>
The <span style="font-weight: bold;">current Development Release</span> is
4.1.1.
4.1.2.
<ul>
<li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.1/releasenotes.txt">release
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.2/releasenotes.txt">release
notes</a></li>
<li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.1/known_problems.txt">known
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.2/known_problems.txt">known
problems</a> and <a
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.0/errata/">updates</a>.</li>
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.2/errata/">updates</a>.</li>
</ul>
</div>