diff --git a/Shorewall/Makefile b/Shorewall/Makefile
index fdf505dea..a96388e9b 100644
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -1,7 +1,7 @@
 # Shorewall Makefile to restart if config-files are newer than last restart
 VARDIR=/var/lib/shorewall
 CONFDIR=/etc/shorewall
-all: $(VARDIR)/restarted
+all: $(VARDIR)/restore-base
 $(VARDIR)/restore-base: $(CONFDIR)/*
 @/sbin/shorewall -q save >/dev/null; \
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 0aff8ebc0..7d71cd371 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,6 +2,11 @@ Changes in 3.0.1
 1) Set policies for chains in nat, mangle and raw tables.
+2) Applied Tuomo's patch for Makefile.
+
+3) Add Farkas ordering to generated SOURCE and DEST column when expanding
+ macros.
+
 Changes in 3.0.0 Final
 None.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 39ddedc60..981aeca4f 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -4876,6 +4876,27 @@ map_old_action() # $1 = Potential Old Action
 echo $1
 }
+#
+# Combine a source/dest from the macro body with one from the macro invocation
+#
+merge_macro_source_dest() # $1 = source/dest from macro body, $2 = source/dest from invocation
+{
+ case $2 in
+ -)
+ echo ${1}
+ ;;
+ *.*.*|+*|~*)
+ #
+ # Value in the invocation is an address -- put it behind the value from the macro
+ #
+ echo ${1}:${2}
+ ;;
+ *)
+ echo ${2}:${1}
+ ;;
+ esac
+}
+
 #
 # The next three functions implement the three phases of action processing.
 #
@@ -5235,6 +5256,7 @@ process_actions3() {
 ;;
 esac
+ echo ${2%:*}:${1}
 expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
 if [ -n "$is_macro" ]; then
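Review bot: The recipe line `@/sbin/shorewall -q save >/dev/null; \` joins its commands with `;`, so if `shorewall save` fails the rest of the recipe still runs and, with `@` and stdout discarded, nothing in the make output shows it; use `&& \` so the target is not treated as built from a failed save. The recipe continues outside the hunk, so whether a later line checks the status cannot be seen here. The `$(VARDIR)/restore-base` target is only ever up to date if this recipe actually writes that file; if `shorewall save` writes a different name, `make` will re-run the save on every invocation. `all` should also be declared with `.PHONY: all` if that is not done elsewhere in the file, and `$(wildcard $(CONFDIR)/*)` would make the prerequisite glob explicit (a bare `*` is expanded in a prerequisite list but is left literal when the directory is empty).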
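Review bot: In `merge_macro_source_dest`, the default `*)` arm also catches an empty `$2`, returning `:$1` with a leading colon, and the unquoted `echo ${1}:${2}` lets the shell glob-expand the values against the current directory before they reach the caller; guard the empty case with `-|"")` in place of `-)` and quote the echoes (`echo "$1"`, `echo "$1:$2"`, `echo "$2:$1"`). The `*.*.*` pattern matches any value containing at least three dots, so a three-label DNS name is also treated as an address; if that is intended, the header comment should say so, since the release notes describe the test as "IP or MAC" or ipset. A one-line comment on the `*)` arm, `# anything else (zone, interface) goes in front of the macro body value`, would document the remaining case.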
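Review bot: The added `echo ${2%:*}:${1}` in process_actions3 writes to standard output on every pass through this code and is not used by the surrounding lines, which only expand variables; it looks like a leftover debugging trace and should be removed before release. If it is intended output, it needs a comment saying what consumes it. process_actions3 starts and ends outside the hunk.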
@@ -5252,7 +5274,7 @@ process_actions3() {
 while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
 expandv mtarget mclients mservers mprotocol mports mcports mratelimit muserspec
- mtarget=$(merge_levels $xaction2 $mtarget)
+ mtarget=$(merge_levels $xaction $mtarget)
 case $mtarget in
 PARAM|PARAM:*)
@@ -5266,7 +5288,7 @@ process_actions3() {
 mclients=${xclients}
 ;;
 *)
- mclients=${mclients}:${xclients}
+ mclients=$(merge_macro_source_dest $mclients $xclients)
 ;;
 esac
 else
@@ -5279,7 +5301,7 @@ process_actions3() {
 mservers=${xservers}
 ;;
 *)
- mservers=${mservers}:${xservers}
+ mservers=$(merge_macro_source_dest $mservers $xservers)
 ;;
 esac
 else
@@ -6309,7 +6331,7 @@ process_macro() # $1 = target
 mclients=${iclients}
 ;;
 *)
- mclients=${mclients}:${iclients}
+ mclients=$(merge_macro_source_dest $mclients $iclients)
 ;;
 esac
 else
@@ -6322,7 +6344,7 @@ process_macro() # $1 = target
 mservers=${iservers}
 ;;
 *)
- mservers=${mservers}:${iservers}
+ mservers=$(merge_macro_source_dest $mservers $iservers)
 ;;
 esac
 else
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 2b07d1b5d..187263418 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
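Review bot: The argument to `merge_levels` changes from `$xaction2` to `$xaction`, which is a behaviour change separate from the macro SOURCE/DEST work, and neither changelog.txt nor releasenotes.txt in this commit mentions it. If `xaction2` was simply the wrong variable here, a line in changelog.txt recording that fix would help anyone bisecting later; where the two variables are set is outside the hunk, so this cannot be confirmed from here.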
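Review bot: `mclients=$(merge_macro_source_dest $mclients $xclients)` passes both values unquoted, so where the old `${mclients}:${xclients}` assignment was immune to word splitting and globbing, the new form is not: an empty `$mclients` would shift `$xclients` into the function's first argument, and a value containing shell glob characters is expanded against the current directory before the function sees it. Quote both arguments, `mclients=$(merge_macro_source_dest "$mclients" "$xclients")`; the same applies to the `mservers` call in the hunk at -5279 and to the `iclients`/`iservers` calls in process_macro at -6309 and -6322. The enclosing `if` that may already exclude the empty case starts outside the hunk, so that cannot be confirmed here.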
@@ -7,6 +7,49 @@ Problems Corrected in 3.0.1
 the policy to ACCEPT. This could result in a ruleset that rejected or
 dropped all traffic.
+2) The Makefile was broken such that 'make' didn't always work correctly.
+
+3) If the SOURCE or DEST column in a macro body was non-empty and a dash
+ ("-") appeared in the corresponding column of an invocation of that
+ macro, then an invalid rule was generated.
+
+New Features in 3.0.1
+
+1) To make the macro facility more flexible, Shorewall now examines the
+ contents of the SOURCE and DEST columns in both the macro body and in
+ the invocation and tries to create the intended rule. If the value in
+ the invocation appears to be an address (IP or MAC) or the name of an
+ ipset, then it is placed after the value in the macro body. Otherwise,
+ it is placed before the value in the macro body.
+
+ Example 1:
+
+ /etc/shorewall/macro.foo:
+
+ PARAM - 192.168.1.5 tcp http
+
+ /etc/shorewallrules:
+
+ foo/ACCEPT net loc
+
+ Effective rule:
+
+ ACCEPT net loc:192.168.1.5 tcp http
+
+ Example 2:
+
+ /etc/shorewall/macro.bar:
+
+ PARAM net loc tcp http
+
+ /etc/shorewall/rules:
+
+ bar/ACCEPT - 192.168.1.5
+
+ Effective rule:
+
+ ACCEPT net loc:192.168.1.5 tcp http
+
 Migration Considerations:
 1) The "monitor" command has been eliminated.