Fix a couple of bugs
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7701 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
1f48b9d616
commit
a7f089a939
@ -1,3 +1,9 @@
|
|||||||
|
Changes in 4.1.1
|
||||||
|
|
||||||
|
1) Fix ULOG/NFLOG output.
|
||||||
|
|
||||||
|
2) Fix NFQUEUE(<queue-num>) in Policy file.
|
||||||
|
|
||||||
Changes in 4.1.0.
|
Changes in 4.1.0.
|
||||||
|
|
||||||
1) Add 'shared' provider option.
|
1) Add 'shared' provider option.
|
||||||
@ -23,434 +29,3 @@ Changes in 4.1.0.
|
|||||||
11) Add DONT_LOAD option
|
11) Add DONT_LOAD option
|
||||||
|
|
||||||
12) Add support for --random.
|
12) Add support for --random.
|
||||||
|
|
||||||
Changes in 4.0.5
|
|
||||||
|
|
||||||
1) Delete 'detectnets' from Shorewall-perl
|
|
||||||
|
|
||||||
2) Use get_config() for processing secondary shorewall.conf
|
|
||||||
|
|
||||||
3) Add 'broadcast' and 'destonly' options to hosts file.
|
|
||||||
|
|
||||||
4) Allow "$FW::<port>" in the DEST column of a redirect rule"
|
|
||||||
|
|
||||||
5) Add MULTICAST option in shorewall.conf.
|
|
||||||
|
|
||||||
6) Allow port range for server port in NAT rules.
|
|
||||||
|
|
||||||
7) Validate server IP address and port(-range) in NAT rules.
|
|
||||||
|
|
||||||
8) Allow server port(s) to be specified as service names.
|
|
||||||
|
|
||||||
9) Split large DEST PORT(S) lists.
|
|
||||||
|
|
||||||
10) Fix TCP/UDP in rules file.
|
|
||||||
|
|
||||||
10) Add new semantics to 'debug' with Shorewall-perl
|
|
||||||
|
|
||||||
11) Satisfy the distros.
|
|
||||||
|
|
||||||
12) Change module versions to V-strings.
|
|
||||||
|
|
||||||
13) Fix ipsets.
|
|
||||||
|
|
||||||
Changes in 4.0.4
|
|
||||||
|
|
||||||
1) Fix 'refresh' with light-weight shells.
|
|
||||||
|
|
||||||
2) Various fixes for proxyarp.
|
|
||||||
|
|
||||||
3) Fix 'refresh' run-time error.
|
|
||||||
|
|
||||||
4) Cleaner behavior if module-init-tools not installed.
|
|
||||||
|
|
||||||
5) Fix [re-]initialization problems in Shorewall::Tc.
|
|
||||||
|
|
||||||
6) Make compile-time check for iptables-restore.
|
|
||||||
|
|
||||||
7) Fix dup chain name test for actions.
|
|
||||||
|
|
||||||
8) Improve KLUDGEFREE detection.
|
|
||||||
|
|
||||||
9) Remove unused functions from Chains module.
|
|
||||||
|
|
||||||
10) Allow 'TC_ENABLED=internal' as specified (Only 'Internal' is
|
|
||||||
currently allowed).
|
|
||||||
|
|
||||||
11) Correct 'loose' handling.
|
|
||||||
|
|
||||||
12) Correct handling of 'bridge' and accounting.
|
|
||||||
|
|
||||||
13) Fix SHOREWALL_DIR fiasco.
|
|
||||||
|
|
||||||
14) Avoid deleting wrong routing rule.
|
|
||||||
|
|
||||||
15) Allow provider number in route_rules with Shorewall-shell.
|
|
||||||
|
|
||||||
16) Add DELETE_THEN_ADD option.
|
|
||||||
|
|
||||||
17) Add warning about 'detectnets' going away.
|
|
||||||
|
|
||||||
18) Fix off-by-one bug in Tc.pm
|
|
||||||
|
|
||||||
19) Correct problems found in pre-testing.
|
|
||||||
|
|
||||||
20) Fix REDIRECT with Macros.
|
|
||||||
|
|
||||||
Changes in 4.0.3
|
|
||||||
|
|
||||||
1) Streamline the checking for builtin chains in the accounting file.
|
|
||||||
|
|
||||||
2) Don't try to write/restore /etc/iproute2/rt_tables if it isn't
|
|
||||||
writable.
|
|
||||||
|
|
||||||
3) Allow Shorewall-perl compiler and libraries to be installed
|
|
||||||
anywhere.
|
|
||||||
|
|
||||||
4) Add KEEP_RT_TABLES option.
|
|
||||||
|
|
||||||
5) Other provider changes.
|
|
||||||
|
|
||||||
6) Fix LOG target in Shorewall-shell.
|
|
||||||
|
|
||||||
7) Faster log processing.
|
|
||||||
|
|
||||||
8) Tweak handling of CLASSID in process_tc_rule().
|
|
||||||
|
|
||||||
9) Restore 3.4 'stop/clear/reset' behavior and make new behavior
|
|
||||||
optional.
|
|
||||||
|
|
||||||
10) Add act_police to modules file.
|
|
||||||
|
|
||||||
11) Add 'mss' interface option.
|
|
||||||
|
|
||||||
12) Add TCPMSS_MATCH to show capabilities -f.
|
|
||||||
|
|
||||||
13) Insure a space between log prefix and IN=.
|
|
||||||
|
|
||||||
14) Provide ESTABLISHED,RELATED rules for inappropriate CONTINUE policy
|
|
||||||
|
|
||||||
15) Add hashlimit match detection.
|
|
||||||
|
|
||||||
16) Fix 'add' and 'delete' when interface name contains special char.
|
|
||||||
|
|
||||||
17) Fix PREROUTING track fiasco.
|
|
||||||
|
|
||||||
18) Add NFQUEUE support.
|
|
||||||
|
|
||||||
19) Allow refresh of chains other than 'blacklst'.
|
|
||||||
|
|
||||||
20) Allow INCLUDE in run-time extension scripts.
|
|
||||||
|
|
||||||
21) Fix zone sort.
|
|
||||||
|
|
||||||
Changes in 4.0.2
|
|
||||||
|
|
||||||
1) Another ECN fix in Shorewall-perl.
|
|
||||||
|
|
||||||
2) Make 'state match' detection in Shorewall-perl quiet.
|
|
||||||
|
|
||||||
3) Detect port range in list without XMULTIPORT.
|
|
||||||
|
|
||||||
4) Move lockfile handling from 'firewall' to 'shorewall' and lib.cli.
|
|
||||||
|
|
||||||
5) Don't detect routed networks and interfaces addresses during
|
|
||||||
'restore'.
|
|
||||||
|
|
||||||
6) Upcase some global variables in the generated script.
|
|
||||||
|
|
||||||
7) Remove some 'chain_base' mapping.
|
|
||||||
|
|
||||||
8) Eliminate a couple of global variables in the Chains module.
|
|
||||||
|
|
||||||
9) Cosmetic change to generated script.
|
|
||||||
|
|
||||||
10) Allow tc configuration on bridge ports.
|
|
||||||
|
|
||||||
11) Fix add/delete problem when Shorewall-shell is not installed.
|
|
||||||
|
|
||||||
12) Don't overwrite ${VARDIR}/chains and ${VARDIR}/zones during
|
|
||||||
'refresh'.
|
|
||||||
|
|
||||||
13) Correct some error messages.
|
|
||||||
|
|
||||||
14) Correct calculations involving number of keys in a hash.
|
|
||||||
|
|
||||||
15) Load xt_multiport.
|
|
||||||
|
|
||||||
16) Apply Günter Niedermeier's patch for multiport.
|
|
||||||
|
|
||||||
17) Honor the BROADCAST column when address type match is not
|
|
||||||
available.
|
|
||||||
|
|
||||||
18) Fix accounting.
|
|
||||||
|
|
||||||
Changes in 4.0.1
|
|
||||||
|
|
||||||
1) Add EXPAND_POLICIES.
|
|
||||||
|
|
||||||
2) Fix uninstallers.
|
|
||||||
|
|
||||||
3) Correct handling of 'ipsec' option in the hosts file.
|
|
||||||
|
|
||||||
4) Corrent handling of 'PATH' in Shorewall-perl.
|
|
||||||
|
|
||||||
5) Correct handling of ECN with MANGLE_FORWARD.
|
|
||||||
|
|
||||||
6) Relax ADDRTYPE restriction.
|
|
||||||
|
|
||||||
7) Be sure that chkconfig runs after upgrade from < 4.0.0
|
|
||||||
|
|
||||||
8) Better out-of-order policy detection.
|
|
||||||
|
|
||||||
9) Fix dropBcast/allowBcast logging and other logging
|
|
||||||
fixes/improvements.
|
|
||||||
|
|
||||||
10) Cleaner way to handle quotes in rules.
|
|
||||||
|
|
||||||
11) Allow '/min' in RATE/BURST column.
|
|
||||||
|
|
||||||
12) Check for state match
|
|
||||||
|
|
||||||
13) Fix stale lock problems.
|
|
||||||
|
|
||||||
Changes in 4.0.0 Final
|
|
||||||
|
|
||||||
1) Fix lite install.sh manpage problem.
|
|
||||||
|
|
||||||
2) Fix shorewall-shell .spec to modify SHOREWALL_COMPILER.
|
|
||||||
|
|
||||||
3) Shuffle code in Providers.pm.
|
|
||||||
|
|
||||||
4) Consolicate Common.pm + Config.pm and Interfaces.pm + Hosts.pm +
|
|
||||||
Zones.pm.
|
|
||||||
|
|
||||||
5) Validate log level in policy file.
|
|
||||||
|
|
||||||
Changes in 4.0.0 RC 2
|
|
||||||
|
|
||||||
1) Fix zone type check in Tunnels File.
|
|
||||||
|
|
||||||
2) Remove -f as default start OPTIONS.
|
|
||||||
|
|
||||||
3) Remove 3.4 compatibility hacks.
|
|
||||||
|
|
||||||
4) Fix install.sh manpage problem.
|
|
||||||
|
|
||||||
5) Fix LITEDIR mess.
|
|
||||||
|
|
||||||
6) Fix IPSEC.
|
|
||||||
|
|
||||||
7) Add Tunneling Macros from Tuomo Soini.
|
|
||||||
|
|
||||||
Changes in 4.0.0 RC 1
|
|
||||||
|
|
||||||
1) shorewall-perl RPM no longer installable under shorewall 3.4.
|
|
||||||
|
|
||||||
2) Fix limited broadcast and detectnets/routeback interfaces.
|
|
||||||
|
|
||||||
3) Use optimized 'split' for faster compilation.
|
|
||||||
|
|
||||||
4) Validate host part in hosts file entry.
|
|
||||||
|
|
||||||
5) Fix IPSECFILE=ipsec.
|
|
||||||
|
|
||||||
6) Make ':noah' the default.
|
|
||||||
|
|
||||||
7) Work around SELinux nonsense.
|
|
||||||
|
|
||||||
8) Restore the 'refresh' command.
|
|
||||||
|
|
||||||
9) Allow ipsec zone in GATEWAY ZONE column of the tunnels file.
|
|
||||||
|
|
||||||
10) Raise error on chmod failure.
|
|
||||||
|
|
||||||
11) Handle shell variables with zero value correctly.
|
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 6
|
|
||||||
|
|
||||||
1) First step to adding compiler debugging facility.
|
|
||||||
|
|
||||||
2) Assume that iptables-restore is in the same directory as $IPTABLES
|
|
||||||
|
|
||||||
3) Fix buildports.pm to handle bogus entries in /etc/protocols and
|
|
||||||
/etc/services.
|
|
||||||
|
|
||||||
4) Allow COMMENT in the accounting file.
|
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 6
|
|
||||||
|
|
||||||
1) Validate the DISPOSITION in /etc/shorewall/maclist entries.
|
|
||||||
|
|
||||||
2) Add versioning to capabilities files.
|
|
||||||
|
|
||||||
3) Improve compiler selection.
|
|
||||||
|
|
||||||
4) DYNAMIC_ZONES=Yes and bridges.
|
|
||||||
|
|
||||||
5) Implement port validation.
|
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 5
|
|
||||||
|
|
||||||
1) Fix undefined function call when both an input interface and an
|
|
||||||
output interface are present.
|
|
||||||
|
|
||||||
2) Externalize compiler and Compile.pm.
|
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 4
|
|
||||||
|
|
||||||
1) Fix the 'Modules' output of 'dump'
|
|
||||||
|
|
||||||
2) Fix FW=xxx with IPSECFILE=ipsec.
|
|
||||||
|
|
||||||
3) Fix wildcard-rule/NONE-policy interaction.
|
|
||||||
|
|
||||||
4) Clean up generation of user-exit jacket functions.
|
|
||||||
|
|
||||||
5) Add new bridge code.
|
|
||||||
|
|
||||||
6) Fix bad bug in exclusion.
|
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 2
|
|
||||||
|
|
||||||
1) Fix screwup in get_routed_networks().
|
|
||||||
|
|
||||||
2) Some minor tweaks.
|
|
||||||
|
|
||||||
3) Fix synflood chain jumps.
|
|
||||||
|
|
||||||
4) Simplify synflood handling and improve error diagnostics.
|
|
||||||
|
|
||||||
Changes in 4.0.0 Beta 1
|
|
||||||
|
|
||||||
1) Fix add/delete <interface>.
|
|
||||||
|
|
||||||
2) Fix do_proto() and 'use IPConfig' in Providers.pm.
|
|
||||||
|
|
||||||
3) Implement dynamic host group detection.
|
|
||||||
|
|
||||||
Changes in 3.9.7
|
|
||||||
|
|
||||||
1) Clean up release notes.
|
|
||||||
|
|
||||||
2) Fix several bugs having to do with exclusion in the hosts file.
|
|
||||||
|
|
||||||
3) Use '-m addrtype' in detectnet interface output rules.
|
|
||||||
|
|
||||||
4) Fix find_hosts_by_option().
|
|
||||||
|
|
||||||
5) Fix more hosts file bugs.
|
|
||||||
|
|
||||||
6) Fix 'detect' in GATEWAY column of providers file.
|
|
||||||
|
|
||||||
8) Other bug fixes (see release notes).
|
|
||||||
|
|
||||||
7) Fix action in 'logreject'.
|
|
||||||
|
|
||||||
8) Allow macros to invoke macros outside of action bodies.
|
|
||||||
|
|
||||||
|
|
||||||
Changes in 3.9.6
|
|
||||||
|
|
||||||
1) Fix parsing problems in protocol handling.
|
|
||||||
|
|
||||||
2) Fix bugs in handling of the MARK column.
|
|
||||||
|
|
||||||
3) Fix bug in routing table copying
|
|
||||||
|
|
||||||
4) Fix bug in ipset handling.
|
|
||||||
|
|
||||||
5) Fix bug in handling of CONTINUE in the tcrules file.
|
|
||||||
|
|
||||||
6) Add RCP_COMMAND and RSH_COMMAND options in shorewall.conf
|
|
||||||
|
|
||||||
7) Apply Luigi's MARK patch.
|
|
||||||
|
|
||||||
Changes in 3.9.5
|
|
||||||
|
|
||||||
1) Fix dynamic zone problem.
|
|
||||||
|
|
||||||
2) Fix LOGALLNEW.
|
|
||||||
|
|
||||||
3) Implement log level, protocol and port validation.
|
|
||||||
|
|
||||||
4) Fix MACLIST log rule generation problem.
|
|
||||||
|
|
||||||
Changes in 3.9.4
|
|
||||||
|
|
||||||
1) Fix port 0 problem (again!).
|
|
||||||
|
|
||||||
2) Fix log_martians.
|
|
||||||
|
|
||||||
3) Make LOG_MARTIANS and ROUTE_FILTER tri-valued.
|
|
||||||
|
|
||||||
4) Fix arp_ignore.
|
|
||||||
|
|
||||||
5) Re-work ROUTE_FILTER and LOG_MARTIANS.
|
|
||||||
|
|
||||||
6) Fix handling of interface options.
|
|
||||||
|
|
||||||
7) Fix handling of zone ipsec options.
|
|
||||||
|
|
||||||
8) Fix 'routeback' on multi-zone interface.
|
|
||||||
|
|
||||||
9) Fix 'check -d'.
|
|
||||||
|
|
||||||
10) Fix intra-zone policies.
|
|
||||||
|
|
||||||
11) Fix typo in maclist validation.
|
|
||||||
|
|
||||||
12) Allow 'optional' to work with 'maclist'.
|
|
||||||
|
|
||||||
Changes in 3.9.3
|
|
||||||
|
|
||||||
1) Apply Steven Springl's patch for port checking.
|
|
||||||
|
|
||||||
2) Implement 'optional' interface option.
|
|
||||||
|
|
||||||
3) Fix a couple of bugs in 'owner' handling.
|
|
||||||
|
|
||||||
4) Fix several bugs in address/network detection.
|
|
||||||
|
|
||||||
5) Make a number of interface options binary.
|
|
||||||
|
|
||||||
6) Add wildcard edits in interface processing.
|
|
||||||
|
|
||||||
7) Fix dropInvalid.
|
|
||||||
|
|
||||||
8) Fix 'none'.
|
|
||||||
|
|
||||||
9) Fix SAME with SOURCE $FW
|
|
||||||
|
|
||||||
10) Fix tcp:syn.
|
|
||||||
|
|
||||||
11) Fix all->z rules with 'NONE' policy.
|
|
||||||
|
|
||||||
12) Check for reserved zone names.
|
|
||||||
|
|
||||||
13) Add check for firewall zone existance.
|
|
||||||
|
|
||||||
14) Add checks for zone existance in 'all' processing.
|
|
||||||
|
|
||||||
Changes in 3.9.2
|
|
||||||
|
|
||||||
1) Implement '-C {shell|perl}'.
|
|
||||||
|
|
||||||
2) Implement LOCKFILE
|
|
||||||
|
|
||||||
3) Fix typo in prog.footer.
|
|
||||||
|
|
||||||
4) Fix Shorewall-perl hosts and tcclasses errors.
|
|
||||||
|
|
||||||
5) Add IPPserver macro.
|
|
||||||
|
|
||||||
6) Fix problem with 'stop' and 'clear' when shorewall-shell not
|
|
||||||
installed.
|
|
||||||
|
|
||||||
7) Moved lib.dynamiczones to Shorewall.
|
|
||||||
|
|
||||||
8) Fix silly bug in lib.base.
|
|
||||||
|
|
||||||
9) Apply Steven Springl's patch for ICMP.
|
|
||||||
|
|
||||||
>>>>>>> .r7695
|
|
||||||
|
@ -8,11 +8,20 @@ Shorewall 4.1 Patch Release 0.
|
|||||||
|
|
||||||
2) Support for NFLOG has been added.
|
2) Support for NFLOG has been added.
|
||||||
|
|
||||||
Problems corrected in Shorewall 4.1.0.
|
Problems corrected in Shorewall 4.1.1.
|
||||||
|
|
||||||
|
1) Previously, incorrect output was generated by parameter lists to
|
||||||
|
ULOG or NFLOG.
|
||||||
|
|
||||||
|
2) Specifying NFQUEUE(<queue-number>) in the LEVEL column of the
|
||||||
|
policy file resulted in an error.
|
||||||
|
|
||||||
|
|
||||||
|
Other changes in Shorewall 4.1.1.
|
||||||
|
|
||||||
None.
|
None.
|
||||||
|
|
||||||
Other changes in Shorewall 4.1.0.
|
New Features in Shorewall 4.1.
|
||||||
|
|
||||||
1) Shorewall 4.1.0 contains experimental support for multiple Internet
|
1) Shorewall 4.1.0 contains experimental support for multiple Internet
|
||||||
providers through a single ethernet interface. Configuring two
|
providers through a single ethernet interface. Configuring two
|
||||||
|
@ -1162,7 +1162,7 @@ my %validlevels = ( debug => 7,
|
|||||||
ULOG => 'ULOG',
|
ULOG => 'ULOG',
|
||||||
NFLOG => 'NFLOG');
|
NFLOG => 'NFLOG');
|
||||||
|
|
||||||
my @suffixes = qw(group range threshhold);
|
my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
|
||||||
|
|
||||||
#
|
#
|
||||||
# Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
|
# Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
|
||||||
@ -1184,7 +1184,7 @@ sub validate_level( $ ) {
|
|||||||
my $olevel = $1;
|
my $olevel = $1;
|
||||||
my @options = split /,/, $2;
|
my @options = split /,/, $2;
|
||||||
my $prefix = lc $olevel;
|
my $prefix = lc $olevel;
|
||||||
my $index = 0;
|
my $index = $prefix eq 'ulog' ? 3 : 0;
|
||||||
|
|
||||||
level_error( $level ) if @options > 3;
|
level_error( $level ) if @options > 3;
|
||||||
|
|
||||||
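Review bot: The offset in `my $index = $prefix eq 'ulog' ? 3 : 0;` is a bare constant tied to the word order of `@suffixes`, so adding or reordering an NFLOG suffix later would silently pair ULOG parameters with the wrong option names. Keying the names by target removes that coupling, for example `my %suffixes = ( nflog => [ qw(group range threshold) ], ulog => [ qw(nlgroup cprange qthreshold) ] );` indexed as `$suffixes{$prefix}[$index]` with `$index` starting at 0. At minimum, a comment above the list should say that entries 0-2 belong to NFLOG and 3-5 to ULOG. The loop that consumes `@options` is outside the hunk, so it is worth confirming there that each value is matched against a fully anchored numeric pattern before it is appended to the generated rule text. validate_level's body starts and ends outside the hunk.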
|
@ -228,7 +228,7 @@ sub validate_policy()
|
|||||||
|
|
||||||
fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
|
fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
|
||||||
|
|
||||||
( $policy , my $queue ) = split( '/' , $policy );
|
( $policy , my $queue ) = get_target_param $policy;
|
||||||
|
|
||||||
if ( $default ) {
|
if ( $default ) {
|
||||||
if ( "\L$default" eq 'none' ) {
|
if ( "\L$default" eq 'none' ) {
|
||||||
|
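Review bot: Nothing in the visible lines checks the second value returned by `( $policy , my $queue ) = get_target_param $policy;`, so this hunk does not show whether a parameter on a policy other than NFQUEUE, or a non-numeric queue number, is rejected. If validate_policy does not already do this further down, a guard such as `fatal_error "Invalid policy ($policy($queue))" if defined $queue && $policy ne 'NFQUEUE';` directly after the assignment would keep a malformed POLICY entry from reaching rule generation. The call is also written without parentheses, which only parses as intended if get_target_param is predeclared or imported with a prototype; `get_target_param( $policy )` matches the `split( ... )` style it replaces and does not depend on that. Because the `split` on `/` is gone, a comment saying the slash form is no longer recognised would help the next reader. validate_policy's body starts and ends outside the hunk.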