Update for Shorewall 2.0.12

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1792 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp2/etc/shorewall/shorewall.conf

@@ -470,7 +470,7 @@ MUTEX_TIMEOUT=60
 # A packet is said to be NEW if it is not part of or related to an already
 # established connection.
 #
-# The NETNOTSYN option determines the handling of non-SYN packets (those with
+# The NEWNOTSYN option determines the handling of non-SYN packets (those with
 # SYN off or with ACK or RST on) that are not associated with an already
 # established connection.
 # 

Lrp2/sbin/shorewall

@@ -1070,6 +1070,8 @@ case "$1" in
 				cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
 				if iptables-save >> /var/lib/shorewall/restore-$$ ; then
 				    echo __EOF__ >> /var/lib/shorewall/restore-$$
+				    [ -f /var/lib/shorewall/restore-tail ] && \
+					cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
 				    mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH 
 				    chmod +x $RESTOREPATH
 				    echo "   Currently-running Configuration Saved to $RESTOREPATH"

Lrp2/usr/share/shorewall/firewall

@@ -178,6 +178,16 @@ run_iptables2() {
     run_iptables $(fix_bang $@)
 }
 
+#
+# Quietly run iptables
+#
+qt_iptables() {
+
+    [ -n "$BRIDGING" ]      && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+
+    qt iptables $@
+}
+
 #
 # Run ip and if an error occurs, stop the firewall and quit
 #
@@ -5218,7 +5228,7 @@ add_common_rules() {
 
 	    run_iptables -A $(input_chain $interface)   -j $chain
 	    run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
-	    run_iptables -A OUTPUT                      -j $(dynamic_out $interface)
+	    run_iptables -A OUTPUT -o $interface        -j $(dynamic_out $interface)
 	done
     fi
 
@@ -5594,6 +5604,25 @@ define_firewall() # $1 = Command (Start or Restart)
     [ -n "$aliases_to_add" ] && \
 	echo "Adding IP Addresses..." &&       add_ip_aliases
 
+    for file in chains nat proxyarp zones; do
+	append_file $file
+    done
+    
+    save_progress_message "Restoring Netfilter Configuration..."
+    
+    save_command 'iptables-restore << __EOF__'
+ 
+    # 'shorewall save' appends the iptables-save output and '__EOF__'
+ 
+    mv -f $RESTOREBASE /var/lib/shorewall/restore-base-$$
+ 
+    > $RESTOREBASE
+ 
+    save_command "#"
+    save_command "# Restore tail file generated by Shorewall $version - $(date)"
+    save_command "#"
+    save_command "date > $STATEDIR/restarted"
+ 
     run_user_exit start
 
     createchain shorewall no
@@ -5604,19 +5633,8 @@ define_firewall() # $1 = Command (Start or Restart)
 
     rm -rf $TMP_DIR
 
-    for file in chains nat proxyarp zones; do
+    mv -f /var/lib/shorewall/restore-base-$$ /var/lib/shorewall/restore-base
-	append_file $file
+    mv -f $RESTOREBASE /var/lib/shorewall/restore-tail    
-    done
-    
-    save_command "date > $STATEDIR/restarted"
-
-    save_progress_message "Restoring Netfilter Configuration..."
-
-    save_command 'iptables-restore << __EOF__'
-
-    # 'shorewall save' appends the iptables-save output and '__EOF__'
-
-    mv -f $RESTOREBASE /var/lib/shorewall/restore-base
 
 }
 
@@ -5673,6 +5691,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 
     do_iptables() # $@ = command
     {
+	[ -n "$BRIDGING" ]      && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
 	if ! iptables $@ ; then
 	    startup_error "Can't add $1 to zone $2"
 	fi
@@ -5681,7 +5700,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
     #
     # Isolate interface and host parts
     #
-    interface=${1%:*}
+    interface=${1%%:*}
     host=${1#*:}
 
     [ -z "$host" ] && host="0.0.0.0/0"
@@ -5756,7 +5775,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
     chain=${zone}_dnat
 
     if nat_chain_exists $chain; then
-	do_iptables -t nat -A $(dynamic_in $interface) -s $host -j $chain
+	do_iptables -t nat -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
     fi
     #
     # Insert new rules into the filter table for the passed interface
@@ -5764,7 +5783,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
     while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		do_iptables -A $(dynamic_in $interface) -s $host -j $chain
+		do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
 	    else
 		source_chain=$(dynamic_fwd $interface)
 		eval dest_hosts=\"\$${z2}_hosts\"
@@ -5774,7 +5793,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain
+			do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain
 		    fi
 		done
 	    fi
@@ -5783,7 +5802,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		#
 		# Add a rule to the dynamic out chain for the interface
 		#
-		do_iptables -A $(dynamic_out $interface) -d $host -j $chain
+		do_iptables -A $(dynamic_out $interface) $(match_destination_hosts $host) -j $chain
 	    else
 		eval source_hosts=\"\$${z1}_hosts\"
 
@@ -5792,7 +5811,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain
+			do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain
 		    fi
 		done
 	    fi
@@ -5838,7 +5857,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
     #
     # Isolate interface and host parts
     #
-    interface=${1%:*}
+    interface=${1%%:*}
     host=${1#*:}
 
     [ -z "$host" ] && host="0.0.0.0/0"
@@ -5887,14 +5906,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
     #
     # Delete any nat table entries for the host(s)
     #
-    qt iptables -t nat -D $(dynamic_in $interface) -s $host -j ${zone}_dnat
+    qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) -j ${zone}_dnat
     #
     # Delete rules rules the input chains for the passed interface
     #
     while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		qt iptables -D $(dynamic_in $interface) -s $host -j $chain
+		qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) -j $chain
 	    else
 		source_chain=$(dynamic_fwd $interface)
 		eval dest_hosts=\"\$${z2}_hosts\"
@@ -5904,13 +5923,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain
+			qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain
 		    fi
 		done
 	    fi
 	elif [ "$z2" = "$zone" ]; then
 	    if [ "$z1" = "$FW" ]; then
-		qt iptables -D $(dynamic_out $interface) -d $host -j $chain
+		qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) -j $chain
 	    else
 		eval source_hosts=\"\$${z1}_hosts\"
 		
@@ -5919,7 +5938,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain
+			qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain
 		    fi
 		done
 	    fi

Lrp2/usr/share/shorewall/functions

@@ -52,9 +52,9 @@ qt()
 #
 # Perform variable substitution on the passed argument and echo the result
 #
-expand() # $1 = contents of variable which may be the name of another variable
+expand() # $@ = contents of variable which may be the name of another variable
 {
-    eval echo \"$1\"
+    eval echo \"$@\"
 }
 
 #
@@ -434,7 +434,7 @@ read_file() # $1 = file name, $2 = nest count
 	while read first rest; do
 	    if [ "x$first"  = "xINCLUDE" ]; then
 		if [ $2 -lt 4 ]; then
-		    read_file $(find_file ${rest%#*}) $(($2 + 1))
+		    read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
 		else
 		    echo "   WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
 		fi
@@ -452,7 +452,7 @@ read_file() # $1 = file name, $2 = nest count
 # Function for including one file into another
 #
 INCLUDE() {
-    . $(find_file $@)
+    . $(find_file $(expand $@))
 }
 
 #

Lrp2/usr/share/shorewall/help

@@ -29,11 +29,11 @@
 case $1 in
 
 add)
-	echo "add: add <interface>[:<host>] <zone>
+	echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
     Adds a host or subnet to a dynamic zone usually used with VPN's.
 
-    shorewall add interface[:host] zone - Adds the specified interface
+    shorewall add interface[:port][:host] zone - Adds the specified interface
-    (and host if included) to the specified zone.
+    (and bridge port/host if included) to the specified zone.
 
     Example:
 
@@ -93,11 +93,11 @@ debug)
 	;;
 
 delete)
-	echo "delete: delete <interface>[:<host>] <zone>
+	echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
     Deletes a host or subnet from a dynamic zone usually used with VPN's.
 
-    shorewall delete interface[:host] zone - Deletes the specified
+    shorewall delete interface[:port][:host] zone - Deletes the specified
-    interface (and host if included) from the specified zone.
+    interface (and bridge port/host if included) from the specified zone.
 
     Example:
 

Lrp2/usr/share/shorewall/version

@@ -1 +1 @@
-2.0.11
+2.0.12

STABLE2/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=2.0.11
+VERSION=2.0.12
 
 usage() # $1 = exit status
 {

STABLE2/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=2.0.11
+VERSION=2.0.12
 
 usage() # $1 = exit status
 {

STABLE2/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.0.11
+%define version 2.0.12
 %define release 1
 %define prefix /usr
 
@@ -141,6 +141,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Wed Dec 01 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.0.12-1
 * Mon Nov 22 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.0.11-1
 * Mon Oct 25 2004 Tom Eastep tom@shorewall.net

STABLE2/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=2.0.11
+VERSION=2.0.12
 
 usage() # $1 = exit status
 {