Shorewall 4.4.19 Changes
parent
2029978050
commit
cc633c5bd9
@ -23,7 +23,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -124,6 +124,7 @@ done
|
|||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
#
|
#
|
||||||
# Determine where to install the firewall script
|
# Determine where to install the firewall script
|
||||||
#
|
#
|
||||||
@ -259,9 +260,9 @@ fi
|
|||||||
# Install the ifupdown script
|
# Install the ifupdown script
|
||||||
#
|
#
|
||||||
|
|
||||||
mkdir -p ${DESTDIR}/usr/share/shorewall-init
|
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-init
|
||||||
|
|
||||||
install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
|
install_file ifupdown.sh ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown 0544
|
||||||
|
|
||||||
if [ -d ${DESTDIR}/etc/NetworkManager ]; then
|
if [ -d ${DESTDIR}/etc/NetworkManager ]; then
|
||||||
install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
|
install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
|
||||||
@ -332,7 +333,7 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
|
|||||||
if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
|
if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
|
||||||
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
|
for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
|
||||||
mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
|
mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
|
||||||
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
|
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
|
||||||
done
|
done
|
||||||
elif [ -n "$REDHAT" ]; then
|
elif [ -n "$REDHAT" ]; then
|
||||||
#
|
#
|
||||||
@ -342,13 +343,13 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
|
|||||||
FILE=${DESTDIR}/etc/ppp/$file
|
FILE=${DESTDIR}/etc/ppp/$file
|
||||||
if [ -f $FILE ]; then
|
if [ -f $FILE ]; then
|
||||||
if fgrep -q Shorewall-based $FILE ; then
|
if fgrep -q Shorewall-based $FILE ; then
|
||||||
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
|
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE
|
||||||
else
|
else
|
||||||
echo "$FILE already exists -- ppp devices will not be handled"
|
echo "$FILE already exists -- ppp devices will not be handled"
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
|
cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
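Review bot: `LIBEXEC` is taken from the environment and, from the added `[ -n "${LIBEXEC:=share}" ]` onward, expanded unquoted into root-owned install paths such as `${DESTDIR}/usr/${LIBEXEC}/shorewall-init` and, in both uninstall scripts, into `rm -rf /usr/${LIBEXEC}/shorewall-init` and `rm -rf /usr/${LIBEXEC}/shorewall-lite`, with no check on its value. A stray value (whitespace, `..`, an absolute path) silently redirects the install or the removal; restricting it to the directory names the packaging supports, e.g. `case "$LIBEXEC" in share|lib|lib64|libexec) ;; *) echo "Invalid LIBEXEC: $LIBEXEC" >&2; exit 1;; esac` (constructed example), would fail closed. `: "${LIBEXEC:=share}"` also states the intent (a default, not a test) more plainly than a `[ -n ... ]` whose result is discarded; the same line is added in the shorewall-lite install and both uninstall scripts. The context line `if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then` has an unmatched `]`, so the ppp branch that now copies from `${LIBEXEC}` most likely never runs for Debian/SuSE; it predates this commit but is worth fixing alongside.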
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-init
|
%define name shorewall-init
|
||||||
%define version 4.4.18
|
%define version 4.4.19
|
||||||
%define release 1
|
%define release 0Beta4
|
||||||
|
|
||||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -119,10 +119,12 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta4
|
||||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta3
|
||||||
|
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.19-0Beta1
|
||||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-0base
|
- Updated to 4.4.18-0base
|
||||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -60,6 +60,8 @@ else
|
|||||||
VERSION=""
|
VERSION=""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
|
|
||||||
echo "Uninstalling Shorewall Init $VERSION"
|
echo "Uninstalling Shorewall Init $VERSION"
|
||||||
|
|
||||||
INITSCRIPT=/etc/init.d/shorewall-init
|
INITSCRIPT=/etc/init.d/shorewall-init
|
||||||
@ -105,6 +107,7 @@ if [ -d /etc/ppp ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
rm -rf /usr/share/shorewall-init
|
rm -rf /usr/share/shorewall-init
|
||||||
|
rm -rf /usr/${LIBEXEC}/shorewall-init
|
||||||
|
|
||||||
echo "Shorewall Init Uninstalled"
|
echo "Shorewall Init Uninstalled"
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -123,6 +123,7 @@ done
|
|||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
#
|
#
|
||||||
# Determine where to install the firewall script
|
# Determine where to install the firewall script
|
||||||
#
|
#
|
||||||
@ -189,6 +190,7 @@ else
|
|||||||
rm -rf ${DESTDIR}/etc/shorewall-lite
|
rm -rf ${DESTDIR}/etc/shorewall-lite
|
||||||
rm -rf ${DESTDIR}/usr/share/shorewall-lite
|
rm -rf ${DESTDIR}/usr/share/shorewall-lite
|
||||||
rm -rf ${DESTDIR}/var/lib/shorewall-lite
|
rm -rf ${DESTDIR}/var/lib/shorewall-lite
|
||||||
|
[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -204,6 +206,8 @@ delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
|
|||||||
|
|
||||||
install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
|
install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
|
||||||
|
|
||||||
|
eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
|
||||||
|
|
||||||
echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
|
echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -225,6 +229,7 @@ echo "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
|
|||||||
#
|
#
|
||||||
mkdir -p ${DESTDIR}/etc/shorewall-lite
|
mkdir -p ${DESTDIR}/etc/shorewall-lite
|
||||||
mkdir -p ${DESTDIR}/usr/share/shorewall-lite
|
mkdir -p ${DESTDIR}/usr/share/shorewall-lite
|
||||||
|
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite
|
||||||
mkdir -p ${DESTDIR}/var/lib/shorewall-lite
|
mkdir -p ${DESTDIR}/var/lib/shorewall-lite
|
||||||
|
|
||||||
chmod 755 ${DESTDIR}/etc/shorewall-lite
|
chmod 755 ${DESTDIR}/etc/shorewall-lite
|
||||||
@ -277,20 +282,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functi
|
|||||||
# Install Shorecap
|
# Install Shorecap
|
||||||
#
|
#
|
||||||
|
|
||||||
install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
|
install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap 0755
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
|
echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Install wait4ifup
|
# Install wait4ifup
|
||||||
#
|
#
|
||||||
|
|
||||||
if [ -f wait4ifup ]; then
|
if [ -f wait4ifup ]; then
|
||||||
install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
|
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup 0755
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
|
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
|
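Review bot: The added `eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite` re-parses the expanded `$LIBEXEC` as shell source, so shell metacharacters in that environment variable are executed by the root-run installer; the `eval` is not needed, because `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" "${DESTDIR}/sbin/shorewall-lite"` performs the same substitution without a second parse (a `|` or `&` in `LIBEXEC` would still confuse sed, one more reason to validate it). The empty backtick pair between `\'` and `s` in that line also looks unintended — it expands to nothing if it is really in the file, but it reads like a typo. Separately, the added `[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap` is the only path in this file's hunks that omits `${DESTDIR}`, so a staged install (DESTDIR set) deletes from the live system; `${DESTDIR}/usr/share/shorewall-lite/shorecap` would match the surrounding lines.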
@ -570,6 +570,7 @@ MUTEX_TIMEOUT=
|
|||||||
SHAREDIR=/usr/share/shorewall-lite
|
SHAREDIR=/usr/share/shorewall-lite
|
||||||
CONFDIR=/etc/shorewall-lite
|
CONFDIR=/etc/shorewall-lite
|
||||||
g_product="Shorewall Lite"
|
g_product="Shorewall Lite"
|
||||||
|
g_libexec=share
|
||||||
|
|
||||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
|
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
|
||||||
|
|
||||||
|
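Review bot: The added `g_libexec=share` has no comment saying that the installer's `sed` rewrites this assignment (`s|g_libexec=.*|g_libexec=$LIBEXEC|`) with the configured LIBEXEC directory, so a reader of this script sees a constant that is really a placeholder; `# Placeholder: install.sh rewrites this to the LIBEXEC directory name` would make that explicit. `SHAREDIR` two lines above stays hard-coded to `/usr/share/shorewall-lite`, so anything derived from it will not follow a non-default LIBEXEC — presumably intended for configuration files, but worth confirming. The context line `[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]` carries a stray trailing `]` that is passed to `.` as an argument; it predates this commit.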
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-lite
|
%define name shorewall-lite
|
||||||
%define version 4.4.18
|
%define version 4.4.19
|
||||||
%define release 1
|
%define release 0Beta4
|
||||||
|
|
||||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -103,10 +103,12 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta4
|
||||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta3
|
||||||
|
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.19-0Beta1
|
||||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-0base
|
- Updated to 4.4.18-0base
|
||||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -72,6 +72,8 @@ else
|
|||||||
VERSION=""
|
VERSION=""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
|
|
||||||
echo "Uninstalling Shorewall Lite $VERSION"
|
echo "Uninstalling Shorewall Lite $VERSION"
|
||||||
|
|
||||||
if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
|
if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
|
||||||
@ -107,6 +109,7 @@ rm -rf /etc/shorewall-lite-*.bkout
|
|||||||
rm -rf /var/lib/shorewall-lite
|
rm -rf /var/lib/shorewall-lite
|
||||||
rm -rf /var/lib/shorewall-lite-*.bkout
|
rm -rf /var/lib/shorewall-lite-*.bkout
|
||||||
rm -rf /usr/share/shorewall-lite
|
rm -rf /usr/share/shorewall-lite
|
||||||
|
rm -rf /usr/${LIBEXEC}/shorewall-lite
|
||||||
rm -rf /usr/share/shorewall-lite-*.bkout
|
rm -rf /usr/share/shorewall-lite-*.bkout
|
||||||
rm -f /etc/logrotate.d/shorewall-lite
|
rm -f /etc/logrotate.d/shorewall-lite
|
||||||
|
|
||||||
|
@ -78,6 +78,7 @@ our %EXPORT_TAGS = (
|
|||||||
|
|
||||||
initialize_chain_table
|
initialize_chain_table
|
||||||
add_commands
|
add_commands
|
||||||
|
copy_rules
|
||||||
move_rules
|
move_rules
|
||||||
insert_rule1
|
insert_rule1
|
||||||
delete_jumps
|
delete_jumps
|
||||||
@ -187,7 +188,7 @@ our %EXPORT_TAGS = (
|
|||||||
|
|
||||||
Exporter::export_ok_tags('internal');
|
Exporter::export_ok_tags('internal');
|
||||||
|
|
||||||
our $VERSION = '4.4_18';
|
our $VERSION = '4.4_19';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Chain Table
|
# Chain Table
|
||||||
@ -387,8 +388,8 @@ our %builtin_target = ( ACCEPT => 1,
|
|||||||
# 2. The compiler can run multiple times in the same process so it has to be
|
# 2. The compiler can run multiple times in the same process so it has to be
|
||||||
# able to re-initialize its dependent modules' state.
|
# able to re-initialize its dependent modules' state.
|
||||||
#
|
#
|
||||||
sub initialize( $ ) {
|
sub initialize( $$ ) {
|
||||||
$family = shift;
|
( $family, my $hard ) = @_;
|
||||||
|
|
||||||
%chain_table = ( raw => {},
|
%chain_table = ( raw => {},
|
||||||
mangle => {},
|
mangle => {},
|
||||||
@ -428,7 +429,7 @@ sub initialize( $ ) {
|
|||||||
$idiotcount1 = 0;
|
$idiotcount1 = 0;
|
||||||
$warningcount = 0;
|
$warningcount = 0;
|
||||||
$hashlimitset = 0;
|
$hashlimitset = 0;
|
||||||
$ipset_rules = 0;
|
$ipset_rules = 0 if $hard;
|
||||||
#
|
#
|
||||||
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
|
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
|
||||||
#
|
#
|
||||||
@ -616,6 +617,16 @@ sub handle_port_list( $$$$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This much simpler function splits a rule with an icmp type list into discrete rules
|
||||||
|
#
|
||||||
|
|
||||||
|
sub handle_icmptype_list( $$$$ ) {
|
||||||
|
my ($chainref, $first, $types, $rest) = @_;
|
||||||
|
my @ports = split ',', $types;
|
||||||
|
push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ) while @ports;
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Add a rule to a chain. Arguments are:
|
# Add a rule to a chain. Arguments are:
|
||||||
#
|
#
|
||||||
@ -645,6 +656,17 @@ sub add_rule($$;$) {
|
|||||||
# Rule has a --sports specification
|
# Rule has a --sports specification
|
||||||
#
|
#
|
||||||
handle_port_list( $chainref, $rule, 0, $1, $2, $3 )
|
handle_port_list( $chainref, $rule, 0, $1, $2, $3 )
|
||||||
|
} elsif ( $rule =~ /^(.* --icmp(?:v6)?-type\s*)([^ ]+)(.*)$/ ) {
|
||||||
|
#
|
||||||
|
# ICMP rule -- split it up if necessary
|
||||||
|
#
|
||||||
|
my ( $first, $types, $rest ) = ($1, $2, $3 );
|
||||||
|
|
||||||
|
if ( $types =~ /,/ ) {
|
||||||
|
handle_icmptype_list( $chainref, $first, $types, $rest );
|
||||||
|
} else {
|
||||||
|
push_rule( $chainref, $rule );
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
push_rule ( $chainref, $rule );
|
push_rule ( $chainref, $rule );
|
||||||
}
|
}
|
||||||
@ -851,8 +873,8 @@ sub move_rules( $$ ) {
|
|||||||
# Replace the jump at the end of one chain (chain2) with the rules from another chain (chain1).
|
# Replace the jump at the end of one chain (chain2) with the rules from another chain (chain1).
|
||||||
#
|
#
|
||||||
|
|
||||||
sub copy_rules( $$ ) {
|
sub copy_rules( $$;$ ) {
|
||||||
my ($chain1, $chain2 ) = @_;
|
my ($chain1, $chain2, $nojump ) = @_;
|
||||||
|
|
||||||
my $name1 = $chain1->{name};
|
my $name1 = $chain1->{name};
|
||||||
my $name = $name1;
|
my $name = $name1;
|
||||||
@ -868,7 +890,7 @@ sub copy_rules( $$ ) {
|
|||||||
#
|
#
|
||||||
$name1 =~ s/\+/\\+/;
|
$name1 =~ s/\+/\\+/;
|
||||||
|
|
||||||
my $last = pop @$rules2; # Delete the jump to chain1
|
pop @$rules2 unless $nojump; # Delete the jump to chain1
|
||||||
|
|
||||||
if ( $blacklist2 && $blacklist1 ) {
|
if ( $blacklist2 && $blacklist1 ) {
|
||||||
#
|
#
|
||||||
@ -948,12 +970,21 @@ sub zone_forward_chain($) {
|
|||||||
sub use_forward_chain($$) {
|
sub use_forward_chain($$) {
|
||||||
my ( $interface, $chainref ) = @_;
|
my ( $interface, $chainref ) = @_;
|
||||||
my $interfaceref = find_interface($interface);
|
my $interfaceref = find_interface($interface);
|
||||||
|
my $nets = $interfaceref->{nets};
|
||||||
|
|
||||||
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
||||||
#
|
#
|
||||||
# We must use the interfaces's chain if the interface is associated with multiple nets
|
# We must use the interfaces's chain if the interface is associated with multiple zones
|
||||||
#
|
#
|
||||||
return 1 if $interfaceref->{nets} > 1;
|
return 1 if ( keys %{interface_zones $interface} ) > 1;
|
||||||
|
#
|
||||||
|
# Use interface's chain if there are multiple nets on the interface
|
||||||
|
#
|
||||||
|
return 1 if $nets > 1;
|
||||||
|
#
|
||||||
|
# Use interface's chain if it is a bridge with ports
|
||||||
|
#
|
||||||
|
return 1 if $interfaceref->{ports};
|
||||||
|
|
||||||
my $zone = $interfaceref->{zone};
|
my $zone = $interfaceref->{zone};
|
||||||
|
|
||||||
@ -990,10 +1021,18 @@ sub use_input_chain($$) {
|
|||||||
|
|
||||||
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
||||||
#
|
#
|
||||||
# We must use the interfaces's chain if the interface is associated with multiple nets
|
# We must use the interfaces's chain if the interface is associated with multiple Zones
|
||||||
|
#
|
||||||
|
return 1 if ( keys %{interface_zones $interface} ) > 1;
|
||||||
|
#
|
||||||
|
# Use interface's chain if there are multiple nets on the interface
|
||||||
#
|
#
|
||||||
return 1 if $nets > 1;
|
return 1 if $nets > 1;
|
||||||
#
|
#
|
||||||
|
# Use interface's chain if it is a bridge with ports
|
||||||
|
#
|
||||||
|
return 1 if $interfaceref->{ports};
|
||||||
|
#
|
||||||
# Don't need it if it isn't associated with any zone
|
# Don't need it if it isn't associated with any zone
|
||||||
#
|
#
|
||||||
return 0 unless $nets;
|
return 0 unless $nets;
|
||||||
@ -1043,10 +1082,18 @@ sub use_output_chain($$) {
|
|||||||
|
|
||||||
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
|
||||||
#
|
#
|
||||||
# We must use the interfaces's chain if the interface is associated with multiple nets
|
# We must use the interfaces's chain if the interface is associated with multiple Zones
|
||||||
|
#
|
||||||
|
return 1 if ( keys %{interface_zones $interface} ) > 1;
|
||||||
|
#
|
||||||
|
# Use interface's chain if there are multiple nets on the interface
|
||||||
#
|
#
|
||||||
return 1 if $nets > 1;
|
return 1 if $nets > 1;
|
||||||
#
|
#
|
||||||
|
# Use interface's chain if it is a bridge with ports
|
||||||
|
#
|
||||||
|
return 1 if $interfaceref->{ports};
|
||||||
|
#
|
||||||
# Don't need it if it isn't associated with any zone
|
# Don't need it if it isn't associated with any zone
|
||||||
#
|
#
|
||||||
return 0 unless $nets;
|
return 0 unless $nets;
|
||||||
@ -2203,7 +2250,15 @@ sub do_proto( $$$;$ )
|
|||||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
|
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
|
||||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||||
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
|
|
||||||
|
if ( port_count ( $ports ) > 15 ) {
|
||||||
|
if ( $restricted ) {
|
||||||
|
fatal_error "A port list in this file may only have up to 15 ports";
|
||||||
|
} elsif ( $invert ) {
|
||||||
|
fatal_error "An inverted port list may only have up to 15 ports";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$ports = validate_port_list $pname , $ports;
|
$ports = validate_port_list $pname , $ports;
|
||||||
$output .= "-m multiport ${invert}--dports ${ports} ";
|
$output .= "-m multiport ${invert}--dports ${ports} ";
|
||||||
$multiport = 1;
|
$multiport = 1;
|
||||||
@ -2218,7 +2273,15 @@ sub do_proto( $$$;$ )
|
|||||||
if ( $sports ne '' ) {
|
if ( $sports ne '' ) {
|
||||||
$invert = $sports =~ s/^!// ? '! ' : '';
|
$invert = $sports =~ s/^!// ? '! ' : '';
|
||||||
if ( $multiport ) {
|
if ( $multiport ) {
|
||||||
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $sports ) > 15;
|
|
||||||
|
if ( port_count( $sports ) > 15 ) {
|
||||||
|
if ( $restricted ) {
|
||||||
|
fatal_error "A port list in this file may only have up to 15 ports";
|
||||||
|
} elsif ( $invert ) {
|
||||||
|
fatal_error "An inverted port list may only have up to 15 ports";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$sports = validate_port_list $pname , $sports;
|
$sports = validate_port_list $pname , $sports;
|
||||||
$output .= "-m multiport ${invert}--sports ${sports} ";
|
$output .= "-m multiport ${invert}--sports ${sports} ";
|
||||||
} else {
|
} else {
|
||||||
@ -2233,9 +2296,20 @@ sub do_proto( $$$;$ )
|
|||||||
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
|
fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
|
||||||
if ( $ports ne '' ) {
|
if ( $ports ne '' ) {
|
||||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
|
||||||
$ports = validate_icmp $ports;
|
my $types;
|
||||||
$output .= "${invert}--icmp-type ${ports} ";
|
|
||||||
|
if ( $ports =~ /,/ ) {
|
||||||
|
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||||
|
$types = '';
|
||||||
|
for my $type ( split_list( $ports, 'ICMP type list' ) ) {
|
||||||
|
$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$types = validate_icmp $ports;
|
||||||
|
}
|
||||||
|
|
||||||
|
$output .= "${invert}--icmp-type ${types} ";
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
|
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
|
||||||
@ -2246,9 +2320,20 @@ sub do_proto( $$$;$ )
|
|||||||
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
|
fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
|
||||||
if ( $ports ne '' ) {
|
if ( $ports ne '' ) {
|
||||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||||
fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
|
|
||||||
$ports = validate_icmp6 $ports;
|
my $types;
|
||||||
$output .= "${invert}--icmpv6-type ${ports} ";
|
|
||||||
|
if ( $ports =~ /,/ ) {
|
||||||
|
fatal_error "An inverted ICMP list may only contain a single type" if $invert;
|
||||||
|
$types = '';
|
||||||
|
for my $type ( list_split( $ports, 'ICMP type list' ) ) {
|
||||||
|
$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$types = validate_icmp6 $ports;
|
||||||
|
}
|
||||||
|
|
||||||
|
$output .= "${invert}--icmpv6-type ${types} ";
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
|
||||||
@ -2651,13 +2736,18 @@ sub do_headers( $ ) {
|
|||||||
#
|
#
|
||||||
# Match Source Interface
|
# Match Source Interface
|
||||||
#
|
#
|
||||||
sub match_source_dev( $ ) {
|
sub match_source_dev( $;$ ) {
|
||||||
my $interface = shift;
|
my ( $interface, $nodev ) = @_;;
|
||||||
my $interfaceref = known_interface( $interface );
|
my $interfaceref = known_interface( $interface );
|
||||||
$interface = $interfaceref->{physical} if $interfaceref;
|
$interface = $interfaceref->{physical} if $interfaceref;
|
||||||
return '' if $interface eq '+';
|
return '' if $interface eq '+';
|
||||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||||
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
|
if ( $nodev ) {
|
||||||
|
"-m physdev --physdev-in $interface ";
|
||||||
|
} else {
|
||||||
|
my $bridgeref = find_interface $interfaceref->{bridge};
|
||||||
|
"-i $bridgeref->{physical} -m physdev --physdev-in $interface ";
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
"-i $interface ";
|
"-i $interface ";
|
||||||
}
|
}
|
||||||
@ -2666,16 +2756,26 @@ sub match_source_dev( $ ) {
|
|||||||
#
|
#
|
||||||
# Match Dest device
|
# Match Dest device
|
||||||
#
|
#
|
||||||
sub match_dest_dev( $ ) {
|
sub match_dest_dev( $;$ ) {
|
||||||
my $interface = shift;
|
my ( $interface, $nodev ) = @_;;
|
||||||
my $interfaceref = known_interface( $interface );
|
my $interfaceref = known_interface( $interface );
|
||||||
$interface = $interfaceref->{physical} if $interfaceref;
|
$interface = $interfaceref->{physical} if $interfaceref;
|
||||||
return '' if $interface eq '+';
|
return '' if $interface eq '+';
|
||||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
if ( $nodev ) {
|
||||||
"-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
|
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||||
|
"-m physdev --physdev-is-bridged --physdev-out $interface ";
|
||||||
|
} else {
|
||||||
|
"-m physdev --physdev-out $interface ";
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
|
my $bridgeref = find_interface $interfaceref->{bridge};
|
||||||
|
|
||||||
|
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||||
|
"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface ";
|
||||||
|
} else {
|
||||||
|
"-o $bridgeref->{physical} -m physdev --physdev-out $interface ";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
"-o $interface ";
|
"-o $interface ";
|
||||||
|
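Review bot: In the new ICMP list handling in do_proto, `$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;` stores the first list element without passing it through `validate_icmp`, and because `$types` is tested for Perl truth, a first element of `0` (echo-reply) is treated as empty and overwritten by the next element; the IPv6 branch has the same two problems with `validate_icmp6`. `$types = join( ',', map { validate_icmp( $_ ) } split_list( $ports, 'ICMP type list' ) );` validates every element and needs no accumulator, so the `$types = '';` line goes away. The IPv4 branch calls `split_list` while the IPv6 branch calls `list_split`; unless both helpers exist, one of them is a typo that only surfaces at runtime on that path. In `handle_icmptype_list` the list of ICMP types is held in `@ports`, and the new `my ( $interface, $nodev ) = @_;;` in `match_source_dev`/`match_dest_dev` carries a doubled semicolon. In those same bodies `find_interface $interfaceref->{bridge}` is dereferenced without a definedness check; if `find_interface` can return undef for an unknown bridge (not visible here), that is a runtime error rather than a `fatal_error`.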
@ -55,7 +55,7 @@ our $family;
|
|||||||
#
|
#
|
||||||
sub initialize_package_globals() {
|
sub initialize_package_globals() {
|
||||||
Shorewall::Config::initialize($family);
|
Shorewall::Config::initialize($family);
|
||||||
Shorewall::Chains::initialize ($family);
|
Shorewall::Chains::initialize ($family, 1);
|
||||||
Shorewall::Zones::initialize ($family);
|
Shorewall::Zones::initialize ($family);
|
||||||
Shorewall::Nat::initialize;
|
Shorewall::Nat::initialize;
|
||||||
Shorewall::Providers::initialize($family);
|
Shorewall::Providers::initialize($family);
|
||||||
@ -818,7 +818,7 @@ sub compiler {
|
|||||||
# We must reinitialize Shorewall::Chains before generating the iptables-restore input
|
# We must reinitialize Shorewall::Chains before generating the iptables-restore input
|
||||||
# for stopping the firewall
|
# for stopping the firewall
|
||||||
#
|
#
|
||||||
Shorewall::Chains::initialize( $family );
|
Shorewall::Chains::initialize( $family, 0 );
|
||||||
initialize_chain_table;
|
initialize_chain_table;
|
||||||
#
|
#
|
||||||
# S T O P _ F I R E W A L L
|
# S T O P _ F I R E W A L L
|
||||||
@ -882,7 +882,7 @@ sub compiler {
|
|||||||
# Re-initialize the chain table so that process_routestopped() has the same
|
# Re-initialize the chain table so that process_routestopped() has the same
|
||||||
# environment that it would when called by compile_stop_firewall().
|
# environment that it would when called by compile_stop_firewall().
|
||||||
#
|
#
|
||||||
Shorewall::Chains::initialize( $family );
|
Shorewall::Chains::initialize( $family , 0 );
|
||||||
initialize_chain_table;
|
initialize_chain_table;
|
||||||
|
|
||||||
if ( $debug ) {
|
if ( $debug ) {
|
||||||
|
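Review bot: The second argument in `Shorewall::Chains::initialize ($family, 1);` and `Shorewall::Chains::initialize( $family, 0 );` is a bare literal whose meaning (the `$hard` flag that additionally resets `$ipset_rules` in Shorewall::Chains::initialize) a reader has to look up in another module; a short comment at each call site, e.g. `# hard initialization: also reset $ipset_rules`, or a named constant exported from Chains.pm, would carry the intent. The two re-initialization call sites in `compiler` pass `0`, apparently so ipset state survives the stop-firewall passes — that inference comes from the Chains.pm hunk in this commit and is worth stating in the existing comment above each call.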
@ -37,6 +37,7 @@ use File::Temp qw/ tempfile tempdir /;
|
|||||||
use Cwd qw(abs_path getcwd);
|
use Cwd qw(abs_path getcwd);
|
||||||
use autouse 'Carp' => qw(longmess confess);
|
use autouse 'Carp' => qw(longmess confess);
|
||||||
use Scalar::Util 'reftype';
|
use Scalar::Util 'reftype';
|
||||||
|
use FindBin;
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
#
|
#
|
||||||
@ -137,7 +138,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
|||||||
|
|
||||||
Exporter::export_ok_tags('internal');
|
Exporter::export_ok_tags('internal');
|
||||||
|
|
||||||
our $VERSION = '4.4_18';
|
our $VERSION = '4.4_19';
|
||||||
|
|
||||||
#
|
#
|
||||||
# describe the current command, it's present progressive, and it's completion.
|
# describe the current command, it's present progressive, and it's completion.
|
||||||
@ -410,7 +411,7 @@ sub initialize( $ ) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
STATEMATCH => '-m state --state',
|
STATEMATCH => '-m state --state',
|
||||||
UNTRACKED => 0,
|
UNTRACKED => 0,
|
||||||
VERSION => "4.4.18.1",
|
VERSION => "4.4.19-Beta4",
|
||||||
CAPVERSION => 40417 ,
|
CAPVERSION => 40417 ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -2906,7 +2907,7 @@ sub get_params() {
|
|||||||
if ( -f $fn ) {
|
if ( -f $fn ) {
|
||||||
progress_message2 "Processing $fn ...";
|
progress_message2 "Processing $fn ...";
|
||||||
|
|
||||||
my $command = "$globals{SHAREDIRPL}/getparams $fn " . join( ':', @config_path );
|
my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path );
|
||||||
#
|
#
|
||||||
# getparams silently sources the params file under 'set -a', then executes 'export -p'
|
# getparams silently sources the params file under 'set -a', then executes 'export -p'
|
||||||
#
|
#
|
||||||
@ -2947,7 +2948,7 @@ sub get_params() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} elsif ( $params[0] =~ /^export (.*?)="/ || $params[0] =~ /^export ([^\s=]+)\s*$/ ) {
|
} elsif ( $params[0] =~ /^export .*?="/ || $params[0] =~ /^export [^\s=]+\s*$/ ) {
|
||||||
#
|
#
|
||||||
# getparams interpreted by older (e.g., RHEL 5) Bash
|
# getparams interpreted by older (e.g., RHEL 5) Bash
|
||||||
#
|
#
|
||||||
@ -3004,7 +3005,7 @@ sub get_params() {
|
|||||||
print "PARAMS:\n";
|
print "PARAMS:\n";
|
||||||
my $value;
|
my $value;
|
||||||
while ( ($variable, $value ) = each %params ) {
|
while ( ($variable, $value ) = each %params ) {
|
||||||
print " $variable='$value'\n";
|
print " $variable='$value'\n" unless $compiler_params{$variable};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -3084,6 +3085,7 @@ sub get_configuration( $ ) {
|
|||||||
|
|
||||||
get_capabilities( $export );
|
get_capabilities( $export );
|
||||||
|
|
||||||
|
|
||||||
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
|
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
|
||||||
|
|
||||||
if ( my $rate = $config{LOGLIMIT} ) {
|
if ( my $rate = $config{LOGLIMIT} ) {
|
||||||
|
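Review bot: `my $command = "$FindBin::Bin/getparams $fn " . join( ':', @config_path );` interpolates the script's own directory and the params file name into a command string without quoting, so a directory or file name containing whitespace or shell metacharacters is split or interpreted by whatever shell runs it (how `$command` is executed is outside the hunk). Quoting both, `"\"$FindBin::Bin/getparams\" \"$fn\" "`, or invoking the helper with a list-form call, avoids that. Locating `getparams` via `$FindBin::Bin` also means the helper executed is whatever sits next to the running compiler rather than the installed `$globals{SHAREDIRPL}` copy; that seems to be the intent of the change, but it deserves a comment, since FindBin's result depends on how the compiler was invoked.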
@ -45,7 +45,7 @@ our @EXPORT = qw( process_tos
|
|||||||
generate_matrix
|
generate_matrix
|
||||||
);
|
);
|
||||||
our @EXPORT_OK = qw( initialize );
|
our @EXPORT_OK = qw( initialize );
|
||||||
our $VERSION = '4.4_18';
|
our $VERSION = '4.4_19';
|
||||||
|
|
||||||
our $family;
|
our $family;
|
||||||
|
|
||||||
@ -1036,13 +1036,40 @@ sub add_interface_jumps {
|
|||||||
my $outputref = $filter_table->{output_chain $interface};
|
my $outputref = $filter_table->{output_chain $interface};
|
||||||
my $interfaceref = find_interface($interface);
|
my $interfaceref = find_interface($interface);
|
||||||
|
|
||||||
add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
if ( $interfaceref->{options}{port} ) {
|
||||||
|
my $bridge = $interfaceref->{bridge};
|
||||||
|
add_rule ( $filter_table->{forward_chain $bridge},
|
||||||
|
match_source_dev( $interface, 1) . match_dest_dev( $interface, 1) . '-j ACCEPT'
|
||||||
|
) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
||||||
|
|
||||||
add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
|
add_jump( $filter_table->{forward_chain $bridge} ,
|
||||||
add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
|
$forwardref ,
|
||||||
|
0,
|
||||||
|
match_source_dev( $interface, 1 )
|
||||||
|
) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
|
||||||
|
|
||||||
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
|
add_jump( $filter_table->{input_chain $bridge },
|
||||||
add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
|
$inputref ,
|
||||||
|
0,
|
||||||
|
match_source_dev( $interface, 1 )
|
||||||
|
) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
|
||||||
|
|
||||||
|
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
|
||||||
|
add_jump( $filter_table->{output_chain $bridge} ,
|
||||||
|
$outputref ,
|
||||||
|
0 ,
|
||||||
|
match_dest_dev( $interface, 1 ) )
|
||||||
|
unless get_interface_option( $interface, 'port' );
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
add_rule ( $filter_table->{FORWAR}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
||||||
|
|
||||||
|
add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
|
||||||
|
add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
|
||||||
|
|
||||||
|
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
|
||||||
|
add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1077,6 +1104,7 @@ sub generate_matrix() {
|
|||||||
our %input_jump_added = ();
|
our %input_jump_added = ();
|
||||||
our %output_jump_added = ();
|
our %output_jump_added = ();
|
||||||
our %forward_jump_added = ();
|
our %forward_jump_added = ();
|
||||||
|
my %ipsec_jump_added = ();
|
||||||
|
|
||||||
progress_message2 'Generating Rule Matrix...';
|
progress_message2 'Generating Rule Matrix...';
|
||||||
progress_message ' Handling blacklisting and complex zones...';
|
progress_message ' Handling blacklisting and complex zones...';
|
||||||
@ -1143,12 +1171,31 @@ sub generate_matrix() {
|
|||||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
|
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
|
||||||
my $sourcechainref = $filter_table->{forward_chain $interface};
|
my $sourcechainref = $filter_table->{forward_chain $interface};
|
||||||
my $interfacematch = '';
|
my $interfacematch = '';
|
||||||
|
my $interfaceref = find_interface $interface;
|
||||||
|
|
||||||
if ( use_forward_chain( $interface, $sourcechainref ) ) {
|
if ( use_forward_chain( $interface, $sourcechainref ) ) {
|
||||||
add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
if ( $interfaceref->{ports} && $interfaceref->{options}{bridge} ) {
|
||||||
|
$interfacematch = match_source_dev $interface;
|
||||||
|
copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;
|
||||||
|
$sourcechainref = $filter_table->{FORWARD};
|
||||||
|
} elsif ( $interfaceref->{options}{port} ) {
|
||||||
|
add_jump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
|
||||||
|
$sourcechainref ,
|
||||||
|
0 ,
|
||||||
|
match_source_dev( $interface , 1 ) )
|
||||||
|
unless $forward_jump_added{$interface}++;
|
||||||
|
} else {
|
||||||
|
add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
$sourcechainref = $filter_table->{FORWARD};
|
if ( $interfaceref->{options}{port} ) {
|
||||||
$interfacematch = match_source_dev $interface;
|
$sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} };
|
||||||
|
$interfacematch = match_source_dev $interface, 1;
|
||||||
|
} else {
|
||||||
|
$sourcechainref = $filter_table->{FORWARD};
|
||||||
|
$interfacematch = match_source_dev $interface;
|
||||||
|
}
|
||||||
|
|
||||||
move_rules( $filter_table->{forward_chain $interface} , $frwd_ref );
|
move_rules( $filter_table->{forward_chain $interface} , $frwd_ref );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1235,6 +1282,9 @@ sub generate_matrix() {
|
|||||||
for my $typeref ( values %$source_hosts_ref ) {
|
for my $typeref ( values %$source_hosts_ref ) {
|
||||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
|
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
|
||||||
my $arrayref = $typeref->{$interface};
|
my $arrayref = $typeref->{$interface};
|
||||||
|
my $interfaceref = find_interface $interface;
|
||||||
|
my $isport = $interfaceref->{options}{port};
|
||||||
|
my $bridge = $interfaceref->{bridge};
|
||||||
|
|
||||||
if ( get_physical( $interface ) eq '+' ) {
|
if ( get_physical( $interface ) eq '+' ) {
|
||||||
#
|
#
|
||||||
@ -1261,7 +1311,17 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
|
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
|
||||||
$outputref = $interfacechainref;
|
$outputref = $interfacechainref;
|
||||||
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
|
||||||
|
if ( $isport ) {
|
||||||
|
add_jump( $filter_table->{ output_chain $bridge },
|
||||||
|
$outputref ,
|
||||||
|
0 ,
|
||||||
|
match_dest_dev( $interface, 1 ) )
|
||||||
|
unless $output_jump_added{$interface}++;
|
||||||
|
} else {
|
||||||
|
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||||
|
}
|
||||||
|
|
||||||
$use_output = 1;
|
$use_output = 1;
|
||||||
|
|
||||||
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
||||||
@ -1269,6 +1329,9 @@ sub generate_matrix() {
|
|||||||
generate_source_rules ( $outputref, $vzone, $zone, $dest );
|
generate_source_rules ( $outputref, $vzone, $zone, $dest );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
} elsif ( $isport ) {
|
||||||
|
$outputref = $filter_table->{ output_chain $bridge };
|
||||||
|
$interfacematch = match_dest_dev $interface, 1;
|
||||||
} else {
|
} else {
|
||||||
$outputref = $filter_table->{OUTPUT};
|
$outputref = $filter_table->{OUTPUT};
|
||||||
$interfacematch = match_dest_dev $interface;
|
$interfacematch = match_dest_dev $interface;
|
||||||
@ -1323,7 +1386,17 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
|
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
|
||||||
$inputchainref = $interfacechainref;
|
$inputchainref = $interfacechainref;
|
||||||
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
|
|
||||||
|
if ( $isport ) {
|
||||||
|
add_jump( $filter_table->{ input_chain $bridge },
|
||||||
|
$inputchainref ,
|
||||||
|
0 ,
|
||||||
|
match_source_dev($interface, 1) )
|
||||||
|
unless $input_jump_added{$interface}++;
|
||||||
|
} else {
|
||||||
|
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
|
||||||
|
}
|
||||||
|
|
||||||
$use_input = 1;
|
$use_input = 1;
|
||||||
|
|
||||||
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
||||||
@ -1332,6 +1405,9 @@ sub generate_matrix() {
|
|||||||
generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
|
generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
} elsif ( $isport ) {
|
||||||
|
$inputchainref = $filter_table->{ input_chain $bridge };
|
||||||
|
$interfacematch = match_source_dev $interface, 1;
|
||||||
} else {
|
} else {
|
||||||
$inputchainref = $filter_table->{INPUT};
|
$inputchainref = $filter_table->{INPUT};
|
||||||
$interfacematch = match_source_dev $interface;
|
$interfacematch = match_source_dev $interface;
|
||||||
@ -1345,11 +1421,29 @@ sub generate_matrix() {
|
|||||||
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
|
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
|
||||||
my $ref = source_exclusion( $exclusions, $frwd_ref );
|
my $ref = source_exclusion( $exclusions, $frwd_ref );
|
||||||
my $forwardref = $filter_table->{forward_chain $interface};
|
my $forwardref = $filter_table->{forward_chain $interface};
|
||||||
|
|
||||||
if ( use_forward_chain $interface, $forwardref ) {
|
if ( use_forward_chain $interface, $forwardref ) {
|
||||||
add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
|
add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
|
||||||
add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
|
||||||
|
if ( $isport ) {
|
||||||
|
add_jump( $filter_table->{ forward_chain $bridge } ,
|
||||||
|
$forwardref ,
|
||||||
|
0 ,
|
||||||
|
match_source_dev( $interface , 1 ) )
|
||||||
|
unless $forward_jump_added{$interface}++;
|
||||||
|
} else {
|
||||||
|
add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
|
if ( $isport ) {
|
||||||
|
add_jump( $filter_table->{ forward_chain $bridge } ,
|
||||||
|
$ref ,
|
||||||
|
0 ,
|
||||||
|
join( '', match_source_dev( $interface, 1 ) , $source, $ipsec_in_match ) );
|
||||||
|
} else {
|
||||||
|
add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
|
||||||
|
}
|
||||||
|
|
||||||
move_rules ( $forwardref , $frwd_ref );
|
move_rules ( $forwardref , $frwd_ref );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1461,6 +1555,7 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
for my $typeref ( values %$source_hosts_ref ) {
|
for my $typeref ( values %$source_hosts_ref ) {
|
||||||
for my $interface ( keys %$typeref ) {
|
for my $interface ( keys %$typeref ) {
|
||||||
|
my $interfaceref = find_interface $interface;
|
||||||
my $chain3ref;
|
my $chain3ref;
|
||||||
my $match_source_dev = '';
|
my $match_source_dev = '';
|
||||||
my $forwardchainref = $filter_table->{forward_chain $interface};
|
my $forwardchainref = $filter_table->{forward_chain $interface};
|
||||||
@ -1470,13 +1565,28 @@ sub generate_matrix() {
|
|||||||
# Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
|
# Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
|
||||||
#
|
#
|
||||||
$chain3ref = $forwardchainref;
|
$chain3ref = $forwardchainref;
|
||||||
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
|
||||||
|
if ( $interfaceref->{options}{port} ) {
|
||||||
|
add_jump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
|
||||||
|
$chain3ref,
|
||||||
|
0 ,
|
||||||
|
match_source_dev( $interface , 1 ) )
|
||||||
|
unless $forward_jump_added{$interface}++;
|
||||||
|
} else {
|
||||||
|
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
#
|
#
|
||||||
# Don't use the interface's forward chain -- move any rules in that chain to this rules chain
|
# Don't use the interface's forward chain -- move any rules in that chain to this rules chain
|
||||||
#
|
#
|
||||||
$chain3ref = $filter_table->{FORWARD};
|
if ( $interfaceref->{options}{port} ) {
|
||||||
$match_source_dev = match_source_dev $interface;
|
$chain3ref = $filter_table->{ forward_chain $interfaceref->{bridge} };
|
||||||
|
$match_source_dev = match_source_dev $interface, 1;
|
||||||
|
} else {
|
||||||
|
$chain3ref = $filter_table->{FORWARD};
|
||||||
|
$match_source_dev = match_source_dev $interface;
|
||||||
|
}
|
||||||
|
|
||||||
move_rules $forwardchainref, $chainref;
|
move_rules $forwardchainref, $chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
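Review bot: `$filter_table->{FORWAR}` in the new `else` branch of the add_interface_jumps hunk (the non-port case) is a typo for `FORWARD`; it looks up a chain that does not exist, so the bridge-without-nets ACCEPT rule is added to an undefined chain and compilation would presumably fail for any bridge interface that is not itself a port. The line should read `add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};`, matching the removed line it replaces. add_interface_jumps starts outside the hunk. In the generate_matrix hunk at -1143, `copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++` is keyed by zone while `$sourcechainref` is the per-interface forward chain, so a second bridge-with-ports interface in the same zone would not get its chain copied; if that is intended, a one-line comment saying so would help the next reader.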
|
@ -2235,7 +2235,7 @@ sub build_zone_list( $$$\$\$ ) {
|
|||||||
# Process a Record in the rules file
|
# Process a Record in the rules file
|
||||||
#
|
#
|
||||||
sub process_rule ( ) {
|
sub process_rule ( ) {
|
||||||
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands;
|
my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands;
|
||||||
|
|
||||||
process_comment, return 1 if $target eq 'COMMENT';
|
process_comment, return 1 if $target eq 'COMMENT';
|
||||||
process_section( $source ), return 1 if $target eq 'SECTION';
|
process_section( $source ), return 1 if $target eq 'SECTION';
|
||||||
@ -2257,32 +2257,39 @@ sub process_rule ( ) {
|
|||||||
my $fw = firewall_zone;
|
my $fw = firewall_zone;
|
||||||
my @source = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild );
|
my @source = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild );
|
||||||
my @dest = build_zone_list ( $fw, $dest, 'DEST' , $intrazone, $wild );
|
my @dest = build_zone_list ( $fw, $dest, 'DEST' , $intrazone, $wild );
|
||||||
|
my @protos = split_list1 $protos, 'Protocol';
|
||||||
my $generated = 0;
|
my $generated = 0;
|
||||||
|
|
||||||
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
|
fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
|
||||||
|
|
||||||
|
if ( @protos > 1 ) {
|
||||||
|
fatal_error "Inversion not allowed in a PROTO list" if $protos =~ tr/!/!/;
|
||||||
|
}
|
||||||
|
|
||||||
for $source ( @source ) {
|
for $source ( @source ) {
|
||||||
for $dest ( @dest ) {
|
for $dest ( @dest ) {
|
||||||
my $sourcezone = (split( /:/, $source, 2 ) )[0];
|
my $sourcezone = (split( /:/, $source, 2 ) )[0];
|
||||||
my $destzone = (split( /:/, $dest, 2 ) )[0];
|
my $destzone = (split( /:/, $dest, 2 ) )[0];
|
||||||
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
|
$destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
|
||||||
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
|
if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
|
||||||
$generated |= process_rule1( undef,
|
for my $proto ( @protos ) {
|
||||||
$target,
|
$generated |= process_rule1( undef,
|
||||||
'',
|
$target,
|
||||||
$source,
|
'',
|
||||||
$dest,
|
$source,
|
||||||
$proto,
|
$dest,
|
||||||
$ports,
|
$proto,
|
||||||
$sports,
|
$ports,
|
||||||
$origdest,
|
$sports,
|
||||||
$ratelimit,
|
$origdest,
|
||||||
$user,
|
$ratelimit,
|
||||||
$mark,
|
$user,
|
||||||
$connlimit,
|
$mark,
|
||||||
$time,
|
$connlimit,
|
||||||
$headers,
|
$time,
|
||||||
$wild );
|
$headers,
|
||||||
|
$wild );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -40,7 +40,7 @@ use strict;
|
|||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( setup_tc );
|
our @EXPORT = qw( setup_tc );
|
||||||
our @EXPORT_OK = qw( process_tc_rule initialize );
|
our @EXPORT_OK = qw( process_tc_rule initialize );
|
||||||
our $VERSION = '4.4_18';
|
our $VERSION = '4.4_19';
|
||||||
|
|
||||||
our %tcs = ( T => { chain => 'tcpost',
|
our %tcs = ( T => { chain => 'tcpost',
|
||||||
connmark => 0,
|
connmark => 0,
|
||||||
@ -476,6 +476,8 @@ sub process_simple_device() {
|
|||||||
|
|
||||||
my $number = in_hexp( $tcdevices{$device} = ++$devnum );
|
my $number = in_hexp( $tcdevices{$device} = ++$devnum );
|
||||||
|
|
||||||
|
my $ip32 = $family == F_IPV4 ? 'ip' : 'ip6';
|
||||||
|
|
||||||
fatal_error "Unknown interface( $device )" unless known_interface $device;
|
fatal_error "Unknown interface( $device )" unless known_interface $device;
|
||||||
|
|
||||||
my $physical = physical_name $device;
|
my $physical = physical_name $device;
|
||||||
@ -517,7 +519,7 @@ sub process_simple_device() {
|
|||||||
);
|
);
|
||||||
|
|
||||||
emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
|
emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
|
||||||
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
|
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src " . ALLIP . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
|
||||||
) if $in_bandwidth;
|
) if $in_bandwidth;
|
||||||
|
|
||||||
if ( $out_part ne '-' ) {
|
if ( $out_part ne '-' ) {
|
||||||
@ -566,10 +568,12 @@ sub process_simple_device() {
|
|||||||
|
|
||||||
for ( my $i = 1; $i <= 3; $i++ ) {
|
for ( my $i = 1; $i <= 3; $i++ ) {
|
||||||
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
||||||
emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
|
emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i";
|
||||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||||
emit '';
|
emit '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
emit "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32 match $ip32 protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $number:1\n";
|
||||||
|
|
||||||
save_progress_message_short qq(" TC Device $physical defined.");
|
save_progress_message_short qq(" TC Device $physical defined.");
|
||||||
|
|
||||||
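Review bot: The u32 filter added at the end of process_simple_device (`match u8 0x05 0x0f at 0`, `match u16 0x0000 0xffc0 at 2`, `match u8 0x10 0xff at 33`) tests IPv4 header layout — IHL, total length, and the TCP flags byte at 20+13 — yet it is emitted for both families via `$ip32`; under `ip6` those offsets fall inside the fixed 40-byte IPv6 header, so the rule either never matches or classifies unrelated packets into band 1. Either guard it with `... flowid $number:1\n" if $family == F_IPV4;` or emit a separate IPv6 form with its own offsets, and add a comment stating what the three matches select (small pure-ACK TCP segments), since the hex is opaque. Relatedly, the ingress policing line in the -517 hunk still says `match ip src " . ALLIP . "` although `$ip32` was introduced two hunks earlier for exactly this; if ALLIP is the IPv6 all-addresses value in IPv6 mode, `match ip src` with that operand is not valid u32 syntax and should presumably be `match $ip32 src`.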
|
@ -74,6 +74,7 @@ our @EXPORT = qw( NOTHING
|
|||||||
find_interfaces_by_option1
|
find_interfaces_by_option1
|
||||||
get_interface_option
|
get_interface_option
|
||||||
set_interface_option
|
set_interface_option
|
||||||
|
interface_zones
|
||||||
verify_required_interfaces
|
verify_required_interfaces
|
||||||
compile_updown
|
compile_updown
|
||||||
validate_hosts_file
|
validate_hosts_file
|
||||||
@ -84,7 +85,7 @@ our @EXPORT = qw( NOTHING
|
|||||||
);
|
);
|
||||||
|
|
||||||
our @EXPORT_OK = qw( initialize );
|
our @EXPORT_OK = qw( initialize );
|
||||||
our $VERSION = '4.4_17';
|
our $VERSION = '4.4_19';
|
||||||
|
|
||||||
#
|
#
|
||||||
# IPSEC Option types
|
# IPSEC Option types
|
||||||
@ -146,16 +147,20 @@ our %reservedName = ( all => 1,
|
|||||||
# %interfaces { <interface1> => { name => <name of interface>
|
# %interfaces { <interface1> => { name => <name of interface>
|
||||||
# root => <name without trailing '+'>
|
# root => <name without trailing '+'>
|
||||||
# options => { port => undef|1
|
# options => { port => undef|1
|
||||||
# <option1> = <val1> , #See %validinterfaceoptions
|
# { <option1> } => <val1> , #See %validinterfaceoptions
|
||||||
# ...
|
# ...
|
||||||
# }
|
# }
|
||||||
# zone => <zone name>
|
# zone => <zone name>
|
||||||
|
# multizone => undef|1 #More than one zone interfaces through this interface
|
||||||
# nets => <number of nets in interface/hosts records referring to this interface>
|
# nets => <number of nets in interface/hosts records referring to this interface>
|
||||||
# bridge => <bridge>
|
# bridge => <bridge>
|
||||||
|
# ports => <number of port on this bridge>
|
||||||
|
# ipsec => undef|1 # Has an ipsec host group
|
||||||
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
|
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
|
||||||
# number => <ordinal position in the interfaces file>
|
# number => <ordinal position in the interfaces file>
|
||||||
# physical => <physical interface name>
|
# physical => <physical interface name>
|
||||||
# base => <shell variable base representing this interface>
|
# base => <shell variable base representing this interface>
|
||||||
|
# zones => { zone1 => 1, ... }
|
||||||
# }
|
# }
|
||||||
# }
|
# }
|
||||||
#
|
#
|
||||||
@ -668,6 +673,7 @@ sub add_group_to_zone($$$$$)
|
|||||||
my $interfaceref;
|
my $interfaceref;
|
||||||
my $zoneref = $zones{$zone};
|
my $zoneref = $zones{$zone};
|
||||||
my $zonetype = $zoneref->{type};
|
my $zonetype = $zoneref->{type};
|
||||||
|
|
||||||
|
|
||||||
$zoneref->{interfaces}{$interface} = 1;
|
$zoneref->{interfaces}{$interface} = 1;
|
||||||
|
|
||||||
@ -680,6 +686,8 @@ sub add_group_to_zone($$$$$)
|
|||||||
for my $host ( @$networks ) {
|
for my $host ( @$networks ) {
|
||||||
$interfaceref = $interfaces{$interface};
|
$interfaceref = $interfaces{$interface};
|
||||||
|
|
||||||
|
$interfaceref->{zones}{$zone} = 1;
|
||||||
|
|
||||||
$interfaceref->{nets}++;
|
$interfaceref->{nets}++;
|
||||||
|
|
||||||
fatal_error "Invalid Host List" unless defined $host and $host ne '';
|
fatal_error "Invalid Host List" unless defined $host and $host ne '';
|
||||||
@ -883,6 +891,7 @@ sub process_interface( $$ ) {
|
|||||||
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
|
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
|
||||||
|
|
||||||
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
|
fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
|
||||||
|
$interfaces{$interface}{ports}++;
|
||||||
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
|
fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
|
||||||
|
|
||||||
if ( $zone ) {
|
if ( $zone ) {
|
||||||
@ -1100,7 +1109,8 @@ sub process_interface( $$ ) {
|
|||||||
options => \%options ,
|
options => \%options ,
|
||||||
zone => '',
|
zone => '',
|
||||||
physical => $physical ,
|
physical => $physical ,
|
||||||
base => chain_base( $physical )
|
base => chain_base( $physical ),
|
||||||
|
zones => {},
|
||||||
};
|
};
|
||||||
|
|
||||||
if ( $zone ) {
|
if ( $zone ) {
|
||||||
@ -1306,6 +1316,16 @@ sub source_port_to_bridge( $ ) {
|
|||||||
return $portref ? $portref->{bridge} : '';
|
return $portref ? $portref->{bridge} : '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Returns a hash reference for the zones interface through the interface
|
||||||
|
#
|
||||||
|
sub interface_zones( $ ) {
|
||||||
|
my $interfaceref = $interfaces{(shift)};
|
||||||
|
|
||||||
|
$interfaceref->{zones};
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Return the 'optional' setting of the passed interface
|
# Return the 'optional' setting of the passed interface
|
||||||
#
|
#
|
||||||
@ -1690,7 +1710,7 @@ sub process_host( ) {
|
|||||||
fatal_error "Unknown ZONE ($zone)" unless $type;
|
fatal_error "Unknown ZONE ($zone)" unless $type;
|
||||||
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
|
fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
|
||||||
|
|
||||||
my $interface;
|
my ( $interface, $interfaceref );
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
||||||
@ -1703,7 +1723,7 @@ sub process_host( ) {
|
|||||||
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
|
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||||
}
|
}
|
||||||
@ -1711,16 +1731,16 @@ sub process_host( ) {
|
|||||||
$interface = $1;
|
$interface = $1;
|
||||||
$hosts = $2;
|
$hosts = $2;
|
||||||
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
||||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $type == BPORT ) {
|
if ( $type == BPORT ) {
|
||||||
if ( $zoneref->{bridge} eq '' ) {
|
if ( $zoneref->{bridge} eq '' ) {
|
||||||
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
|
fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
|
||||||
$zoneref->{bridge} = $interfaces{$interface}{bridge};
|
$zoneref->{bridge} = $interfaces{$interface}{bridge};
|
||||||
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
|
} elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
|
||||||
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
|
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1736,7 +1756,7 @@ sub process_host( ) {
|
|||||||
require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
|
require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
|
||||||
$type = IPSEC;
|
$type = IPSEC;
|
||||||
$zoneref->{options}{complex} = 1;
|
$zoneref->{options}{complex} = 1;
|
||||||
$ipsec = 1;
|
$ipsec = $interfaceref->{ipsec} = 1;
|
||||||
} elsif ( $option eq 'norfc1918' ) {
|
} elsif ( $option eq 'norfc1918' ) {
|
||||||
warning_message "The 'norfc1918' host option is no longer supported"
|
warning_message "The 'norfc1918' host option is no longer supported"
|
||||||
} elsif ( $option eq 'blacklist' ) {
|
} elsif ( $option eq 'blacklist' ) {
|
||||||
@ -1778,6 +1798,7 @@ sub process_host( ) {
|
|||||||
$ipsets{"${zone}_${physical}"} = 1;
|
$ipsets{"${zone}_${physical}"} = 1;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
|
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
|
||||||
#
|
#
|
||||||
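Review bot: The new `interface_zones` helper returns `undef` without complaint when the passed name is not in `%interfaces`, and its header comment ("zones interface through the interface") reads awkwardly; suggest `my $interface = shift; my $interfaceref = $interfaces{$interface}; fatal_error "Unknown interface ($interface)" unless $interfaceref;` before returning `$interfaceref->{zones}`, consistent with the unknown-interface checks elsewhere in this file, and a comment such as `# Returns a hash reference whose keys are the zones that interface through the passed interface`. In process_host, the BPORT block now uses `$interfaceref->{options}{port}` and `$interfaceref->{bridge}` but still assigns `$zoneref->{bridge} = $interfaces{$interface}{bridge};` — for consistency that should be `$zoneref->{bridge} = $interfaceref->{bridge};`. The `%interfaces` comment block adds `ports => <number of port on this bridge>`; `number of ports` reads better.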
|
@ -1,10 +1,42 @@
|
|||||||
Changes in Shorewall 4.4.18.1
|
Changes in Shorewall 4.4.19 RC 1
|
||||||
|
|
||||||
1) Fix params processing bug.
|
1) Fix logical naming and bridge.
|
||||||
|
|
||||||
2) Tighten editing of TC_PRIOMAP value.
|
Changes in Shorewall 4.4.19 Beta 4
|
||||||
|
|
||||||
3) Fix the Lite installers
|
1) Handle mis-configured ipsec host group on a bridge.
|
||||||
|
|
||||||
|
2) Significantly improve bridge/ports handling.
|
||||||
|
|
||||||
|
3) Allow port-lists in /etc/shorewall/rules.
|
||||||
|
|
||||||
|
Changes in Shorewall 4.4.19 Beta 3
|
||||||
|
|
||||||
|
1) Allow /usr executables to be installed in a designated location.
|
||||||
|
|
||||||
|
2) Allow Shorewall perl modules to be installed in a designated
|
||||||
|
location.
|
||||||
|
|
||||||
|
Changes in Shorewall 4.4.19 Beta 2
|
||||||
|
|
||||||
|
1) Minor rework of init-log creation in the installer.
|
||||||
|
|
||||||
|
2) Add VRRP macro.
|
||||||
|
|
||||||
|
3) Fix more params processing bugs.
|
||||||
|
|
||||||
|
4) Do a better job of editing ICMP type lists.
|
||||||
|
|
||||||
|
5) Allow /usr executables to be installed in a designated location.
|
||||||
|
|
||||||
|
6) Allow Shorewall perl modules to be installed in a designated
|
||||||
|
location.
|
||||||
|
|
||||||
|
Changes in Shorewall 4.4.19 Beta 1
|
||||||
|
|
||||||
|
1) Place ACK packets in the highest priority band.
|
||||||
|
|
||||||
|
2) Break ICMP lists into individual rules.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.18 Final
|
Changes in Shorewall 4.4.18 Final
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -107,6 +107,9 @@ fi
|
|||||||
|
|
||||||
SPARSE=
|
SPARSE=
|
||||||
MANDIR=${MANDIR:-"/usr/share/man"}
|
MANDIR=${MANDIR:-"/usr/share/man"}
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
|
[ -n "${PERLLIB:=share/shorewall}" ]
|
||||||
|
|
||||||
INSTALLD='-D'
|
INSTALLD='-D'
|
||||||
|
|
||||||
case $(uname) in
|
case $(uname) in
|
||||||
@ -233,9 +236,13 @@ fi
|
|||||||
if [ -z "$CYGWIN" ]; then
|
if [ -z "$CYGWIN" ]; then
|
||||||
install_file shorewall ${DESTDIR}/sbin/shorewall 0755
|
install_file shorewall ${DESTDIR}/sbin/shorewall 0755
|
||||||
echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
|
echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
|
||||||
|
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
|
||||||
|
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
|
||||||
else
|
else
|
||||||
install_file shorewall ${DESTDIR}/bin/shorewall 0755
|
install_file shorewall ${DESTDIR}/bin/shorewall 0755
|
||||||
echo "shorewall control program installed in ${DESTDIR}/bin/shorewall"
|
echo "shorewall control program installed in ${DESTDIR}/bin/shorewall"
|
||||||
|
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall
|
||||||
|
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -258,7 +265,8 @@ fi
|
|||||||
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
|
# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
|
||||||
#
|
#
|
||||||
mkdir -p ${DESTDIR}/etc/shorewall
|
mkdir -p ${DESTDIR}/etc/shorewall
|
||||||
mkdir -p ${DESTDIR}/usr/share/shorewall
|
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall
|
||||||
|
mkdir -p ${DESTDIR}/usr/${PERLLIB}/Shorewall
|
||||||
mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles
|
mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles
|
||||||
mkdir -p ${DESTDIR}/var/lib/shorewall
|
mkdir -p ${DESTDIR}/var/lib/shorewall
|
||||||
|
|
||||||
@ -326,7 +334,7 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
|
|||||||
install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755
|
install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall/wait4ifup"
|
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Install the policy file
|
# Install the policy file
|
||||||
@ -816,14 +824,14 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall
|
|||||||
#
|
#
|
||||||
cd Perl
|
cd Perl
|
||||||
|
|
||||||
install_file compiler.pl ${DESTDIR}/usr/share/shorewall/compiler.pl 0755
|
install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl"
|
echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl"
|
||||||
#
|
#
|
||||||
# Install the params file helper
|
# Install the params file helper
|
||||||
#
|
#
|
||||||
install_file getparams ${DESTDIR}/usr/share/shorewall/getparams 0755
|
install_file getparams ${DESTDIR}/usr/${LIBEXEC}/shorewall/getparams 0755
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
|
echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
|
||||||
@ -831,8 +839,8 @@ echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
|
|||||||
# Install the libraries
|
# Install the libraries
|
||||||
#
|
#
|
||||||
for f in Shorewall/*.pm ; do
|
for f in Shorewall/*.pm ; do
|
||||||
install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
|
install_file $f ${DESTDIR}/usr/${PERLLIB}/$f 0644
|
||||||
echo "Module ${f%.*} installed as ${DESTDIR}/usr/share/shorewall/$f"
|
echo "Module ${f%.*} installed as ${DESTDIR}/usr/${PERLLIB}/$f"
|
||||||
done
|
done
|
||||||
#
|
#
|
||||||
# Install the program skeleton files
|
# Install the program skeleton files
|
||||||
@ -893,6 +901,7 @@ fi
|
|||||||
if [ -z "$DESTDIR" ]; then
|
if [ -z "$DESTDIR" ]; then
|
||||||
rm -rf /usr/share/shorewall-perl
|
rm -rf /usr/share/shorewall-perl
|
||||||
rm -rf /usr/share/shorewall-shell
|
rm -rf /usr/share/shorewall-shell
|
||||||
|
[ "$PERLLIB" != share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
|
||||||
|
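Review bot: The new `eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall` line and its three siblings (the g_perllib line, and both again in the /bin branch; the Shorewall6-lite installer near the end of the page repeats the pattern with a pair of stray backticks) push an environment-supplied value through `eval`, so a LIBEXEC or PERLLIB containing a quote, `|` or another shell metacharacter is re-parsed as shell syntax instead of landing in the installed script as a path. The eval exists only to carry the single quotes through, and double quoting does that in one pass with no re-parse: `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" "${DESTDIR}/sbin/shorewall"`. `sed -i` with no suffix is GNU-specific, so the MAC case this installer already distinguishes in `case $(uname)` would need `-i ''` here. Separately, the install messages and install paths now disagree: "Compiler installed in" and "Params file helper installed in" still print /usr/share/shorewall after their install_file calls moved to /usr/${LIBEXEC}/shorewall, while the wait4ifup message was switched to ${LIBEXEC} although its install_file line (unchanged context) still targets /usr/share/shorewall/wait4ifup.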
@ -1,26 +1,3 @@
|
|||||||
1) On systems running Upstart, shorewall-init cannot reliably secure
|
1) On systems running Upstart, shorewall-init cannot reliably secure
|
||||||
the firewall before interfaces are brought up.
|
the firewall before interfaces are brought up.
|
||||||
|
|
||||||
2) An issue with params processing on RHEL6 manifested as the
|
|
||||||
following type of warning:
|
|
||||||
|
|
||||||
|
|
||||||
WARNING: Param line (export OLDPWD) ignored at
|
|
||||||
/usr/share/shorewall/Shorewall/Config.pm line
|
|
||||||
2993.
|
|
||||||
|
|
||||||
Corrected in Shorewall 4.4.18.1
|
|
||||||
|
|
||||||
3) The Shorewall Lite and Shorewall6 Lite installers fail to install
|
|
||||||
the 'helpers' modules file, with the result that both
|
|
||||||
'shorewall[6]-lite show capabilities' and 'shorecap' fail.
|
|
||||||
|
|
||||||
Workaround: Copy the 'helpers' file from the Administrative System
|
|
||||||
to the firewall system.
|
|
||||||
|
|
||||||
Corrected in Shorewall 4.4.18.1
|
|
||||||
|
|
||||||
4) If an icmp or icmp6 type/code is specified in the tcfilters file, a
|
|
||||||
run-time error occurs.
|
|
||||||
|
|
||||||
Corrected in Shorewall 4.4.18.1
|
|
||||||
|
@ -687,8 +687,17 @@ show_command() {
|
|||||||
;;
|
;;
|
||||||
config)
|
config)
|
||||||
. ${SHAREDIR}/configpath
|
. ${SHAREDIR}/configpath
|
||||||
echo "Default CONFIG_PATH is $CONFIG_PATH"
|
if [ -n "$g_filemode" ]; then
|
||||||
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
|
echo "CONFIG_PATH=$CONFIG_PATH"
|
||||||
|
echo "VARDIR=$VARDIR"
|
||||||
|
echo "LIBEXEC=$g_libexec"
|
||||||
|
[ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR"
|
||||||
|
else
|
||||||
|
echo "Default CONFIG_PATH is $CONFIG_PATH"
|
||||||
|
echo "Default VARDIR is $VARDIR"
|
||||||
|
echo "LIBEXEC is $g_libexec"
|
||||||
|
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
chain)
|
chain)
|
||||||
shift
|
shift
|
||||||
|
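Review bot: The non-filemode `echo "LIBEXEC is $g_libexec"` line is not just display text: reload_command further down the page recovers it from the remote with `grep ^LIBEXEC | sed 's/LIBEXEC is //'`, so the exact "LIBEXEC is " wording is an interface between the admin system and the firewall system and a change to either side breaks capability capture silently (the caller falls back to share). A one-line comment above the else branch would keep the two from drifting: `# "LIBEXEC is ..." is parsed by reload_command on the administrative system; keep the wording in sync`. The enclosing show_command() starts and ends outside this hunk.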
@ -1,5 +1,6 @@
|
|||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
S H O R E W A L L 4 . 4 . 1 8 . 1
|
S H O R E W A L L 4 . 4 . 1 9
|
||||||
|
B E T A 4
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
I. PROBLEMS CORRECTED IN THIS RELEASE
|
I. PROBLEMS CORRECTED IN THIS RELEASE
|
||||||
@ -13,78 +14,41 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
|||||||
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
4.4.18.1
|
RC 1
|
||||||
|
|
||||||
1) An issue with params processing on RHEL6 has been corrected. The
|
1) Correct a problem introduced in Beta 4 whereby incorrect Netfilter
|
||||||
|
rules were generated when a bridge with ports was given a logical
|
||||||
|
name.
|
||||||
|
|
||||||
|
Beta 4
|
||||||
|
|
||||||
|
1) If a bridge interface had subordinate ports defined in
|
||||||
|
/etc/shorewall/interface, then an ipsec entry (either ipsec zone or
|
||||||
|
the 'ipsec' option specified) in /etc/shorewall/hosts resulted in
|
||||||
|
the compiler generating an incorrect Netfilter configuration.
|
||||||
|
|
||||||
|
Beta 3
|
||||||
|
|
||||||
|
None.
|
||||||
|
|
||||||
|
Beta 2
|
||||||
|
|
||||||
|
1) A correction to the Beta 1 fix for params processing has been
|
||||||
|
included.
|
||||||
|
|
||||||
|
2) Editing of ICMP type lists has been improved.
|
||||||
|
|
||||||
|
Beta 1
|
||||||
|
|
||||||
|
1) Previously /var/log/shorewall*-init.log was created in the wrong
|
||||||
|
Selinux context. The rpm's have been modified to correct that
|
||||||
|
issue.
|
||||||
|
|
||||||
|
2) An issue with params processing on RHEL6 has been corrected. The
|
||||||
problem manifested as the following type of warning:
|
problem manifested as the following type of warning:
|
||||||
|
|
||||||
WARNING: Param line (export OLDPWD) ignored at
|
WARNING: Param line (export OLDPWD) ignored at
|
||||||
/usr/share/shorewall/Shorewall/Config.pm line
|
/usr/share/shorewall/Shorewall/Config.pm line 2993.
|
||||||
2993.
|
|
||||||
|
|
||||||
2) The editing of the value of the TC_PRIOMAP option has been
|
|
||||||
tightened. Previously, many invalid settings were allowed,
|
|
||||||
resulting in run-time tc command failures.
|
|
||||||
|
|
||||||
3) The Shorewall Lite and Shorewall6 Lite installers now install the
|
|
||||||
'helpers' modules file. Previously, this file was not installed
|
|
||||||
with the result that both 'shorewall[6]-lite show capabilities' and
|
|
||||||
'shorecap' failed.
|
|
||||||
|
|
||||||
4) Previously, if an icmp or icmp6 type which included both a type and
|
|
||||||
a code was used in the tcfilters file, 'start' and 'restart' would
|
|
||||||
fail with a 'tc' error.
|
|
||||||
|
|
||||||
4.4.18 Final
|
|
||||||
|
|
||||||
1) Previously, if an IPv6 host address (no "/<vlsm>") was used in a
|
|
||||||
context where a network address is allowed, the compiler failed to
|
|
||||||
supply the default <vlsm> of 128. This could lead to startup errors
|
|
||||||
and/or Perl errors such as:
|
|
||||||
|
|
||||||
Use of uninitialized value $mask in concatenation (.) or
|
|
||||||
string at /usr/share/shorewall/Shorewall/Tc.pm line 979,
|
|
||||||
<$currentfile> line 11.
|
|
||||||
|
|
||||||
2) The <burst> option for the IN-BANDWIDTH column of tcdevices was
|
|
||||||
previously not recognized. That functionality has been restored.
|
|
||||||
|
|
||||||
3) If an interface mentioned in the tcfilters file was not up when
|
|
||||||
Shorewall was started or restarted, then the command would fail
|
|
||||||
at run-time with a 'tc' error message.
|
|
||||||
|
|
||||||
4.4.18 RC 1
|
|
||||||
|
|
||||||
1) None.
|
|
||||||
|
|
||||||
4.4.18 Beta 4
|
|
||||||
|
|
||||||
1) Edting of the MARK column has been tighened to catch errors at
|
|
||||||
compile time rather than at run time.
|
|
||||||
|
|
||||||
2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz"
|
|
||||||
to get the most common suffixes at the front of the list. It is
|
|
||||||
still recommended that you modify this setting to include only the
|
|
||||||
suffix(es) used on your system. Current distributions use 'ko'
|
|
||||||
almost exclusively.
|
|
||||||
|
|
||||||
4.4.18 Beta 2
|
|
||||||
|
|
||||||
1) Previously, the 'local' option in /etc/shorewall6/providers would
|
|
||||||
produce an 'ip route add' command containing an IPv4 address. It now
|
|
||||||
correctly uses the equivalent IPv6 address. Note that this option
|
|
||||||
is still undocumented for use with IPv6.
|
|
||||||
|
|
||||||
2) When optimize level 4 was set, the optimizer mis-handled rules of the
|
|
||||||
form:
|
|
||||||
|
|
||||||
-A <chain1> -j <chain2> -m comment ...
|
|
||||||
|
|
||||||
when such a rule was the only rule in a chain.
|
|
||||||
|
|
||||||
4.4.18 Beta 1
|
|
||||||
|
|
||||||
None.
|
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
I I. K N O W N P R O B L E M S R E M A I N I N G
|
I I. K N O W N P R O B L E M S R E M A I N I N G
|
||||||
@ -97,87 +61,62 @@ None.
|
|||||||
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
|
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
1) The modules files are now just a driver that INCLUDEs several new
|
1) When TC_ENABLED=Simple, ACK packets are now placed in the highest
|
||||||
files and one old file:
|
priority class. An ACK packet is a TCP packet with the ACK flag set
|
||||||
|
and no data payload.
|
||||||
|
|
||||||
- /usr/share/shorewall[6]/modules.essential # Essential modules
|
Rationale: Entries in /etc/shorewall[6]/tcpri affect both incoming
|
||||||
- /usr/share/shorewall[6]/modules.xtables # xt_ modules
|
and outgoing connections. If a particular application, SMTP for
|
||||||
- /usr/share/shorewall[6]/helpers # Existing file
|
example, is placed in priority class 3, then outgoing ACK packets
|
||||||
- /usr/share/shorewall/ipset # ipset modules
|
for incoming email were previously placed in priority class 3 as
|
||||||
- /usr/share/shorewall[6]/modules.tc # Traffic Shaping
|
well. This could have the effect of slowing down incoming mail when
|
||||||
- /usr/share/shorewall[6]/modules.extensions # Other extensions
|
the goal was to give outgoing mail a lower priority. By
|
||||||
|
unconditionally placing ACK packets in priority class 1, this issue
|
||||||
|
is avoided.
|
||||||
|
|
||||||
This should make it easier to configure your own
|
2) Up to this point, the Perl-based rules compiler has not accepted
|
||||||
/etc/shorewall[6]/modules file that won't be obsolete when you
|
ICMP type lists. This is in contrast to the shell-based compiler
|
||||||
upgrade your Shorewall/Shorewall6 installation.
|
which did support such lists.
|
||||||
|
|
||||||
For example, if you don't use traffic shaping or ipsets, you can
|
Support for ICMP (and ICMPv6) type lists has now been restored.
|
||||||
remove those from your copy of the modules file (copy in
|
|
||||||
/etc/shorewall/).
|
|
||||||
|
|
||||||
2) Traditionally, the root of the Shorewall accounting rules has been
|
3) Distributions have different philosophies about the proper file
|
||||||
the 'accounting' chain. Having a single root chain has drawbacks:
|
hierarchy. Two issures are particularly contentious:
|
||||||
|
|
||||||
- Many rules are traversed needlessly (they could not possibly
|
- Executable files in /usr/share/shorewall*. These include;
|
||||||
match traffic).
|
|
||||||
- At any time, the Netfilter team could begin generating errors
|
|
||||||
when loading those same rules.
|
|
||||||
- MAC addresses may not be used in the accounting rules.
|
|
||||||
- The 'accounting' chain cannot be optimized when
|
|
||||||
OPTIMIZE_ACCOUNTING=Yes.
|
|
||||||
|
|
||||||
In addition, currently the rules may be defined in any order so the
|
getparams
|
||||||
rules compiler must post-process the ruleset to alert the user to
|
compiler.pl
|
||||||
unreferenced chains.
|
wait4ifup
|
||||||
|
shorecap
|
||||||
|
ifupdown
|
||||||
|
|
||||||
Beginning with Shorewall 4.4.18, the accounting structure can be
|
- Perl Modules in /usr/share/shorewall/Shorewall.
|
||||||
created with three root chains:
|
|
||||||
|
|
||||||
- accountin: Rules that are valid in the INPUT chain (may not
|
To allow distributions to designate alternate locations for these
|
||||||
specify an output interface).
|
files, the installers (install.sh) now support the following
|
||||||
- accountout: Rules that are valid in the OUTPUT chain (may not
|
environmental variables:
|
||||||
specify an input interface or a MAC address).
|
|
||||||
- accountfwd: Other rules.
|
|
||||||
|
|
||||||
The new structure is enabled by sectioning the accounting file in a
|
LIBEXEC -- determines where in /usr getparams, compiler.pl,
|
||||||
manner similar to the rules file.
|
wait4ifup, shorecap and ifupdown are installed. Shorewall and
|
||||||
|
Shorewall6 must be installed with the same value of LIBEXEC. The
|
||||||
|
listed executables are installed in /usr/${LIBEXEC}/shorewall*. The
|
||||||
|
default value of LIBEXEC is 'share'. LIBEXEC is recognized by all
|
||||||
|
installers and uninstallers.
|
||||||
|
|
||||||
The sections are INPUT, OUTPUT and FORWARD and must appear in that
|
PERLLIB -- determines where in /usr the Shorewall perl modules are
|
||||||
order (although any of them may be omitted). The first
|
installed. Shorewall and Shorewall6 must be installed with the same
|
||||||
non-commentary record in the accounting file must be a section
|
value of PERLLIB. The modules are installed in
|
||||||
header when sectioning is used.
|
/usr/${PERLLIB}/Shorewall. The default value of PERLLIB is
|
||||||
|
'share/shorewall'. PERLLIB is only recognized by the Shorewall and
|
||||||
|
Shorewall6 installers and the same value must be passed to both
|
||||||
|
installers.
|
||||||
|
|
||||||
When sections are enabled:
|
4) Bridge/ports handling has been significantly improved, resulting in
|
||||||
|
packets to/from bridges traversing fewer rules.
|
||||||
|
|
||||||
- You must jump to a user-defined accounting chain before you can
|
5) A list of protocols is now permitted in the PROTO column of the
|
||||||
add rules to that chain. This eliminates the possibility of
|
rules file.
|
||||||
unreferenced chains.
|
|
||||||
- You may not specify an output interface in the INPUT section.
|
|
||||||
- In the OUTPUT section:
|
|
||||||
- You may not specify an input interface
|
|
||||||
- You may not jump to a chain defined in the INPUT section that
|
|
||||||
specifies an input interface
|
|
||||||
- You may not specify a MAC address
|
|
||||||
- You may not jump to a chain defined in the INPUT section that
|
|
||||||
specifies specifies a MAC address.
|
|
||||||
- The default value of the CHAIN column is:
|
|
||||||
- 'accountin' in the INPUT section
|
|
||||||
- 'accountout' in the OUTPUT section
|
|
||||||
- 'accountfwd' in the FORWARD section
|
|
||||||
- Traffic addressed to the firewall goes through the rules defined
|
|
||||||
in the INPUT section.
|
|
||||||
- Traffic originating on the firewall goes through the rules
|
|
||||||
defined in the OUTPUT section.
|
|
||||||
- Traffic being forwarded through the firewall goes through the
|
|
||||||
rules defined in the FORWARD section.
|
|
||||||
|
|
||||||
As part of this change, the USER/GROUP column must now be empty
|
|
||||||
except in the OUTPUT section. This is consistent with recent
|
|
||||||
Netfilter releases which disallow the owner match in rules
|
|
||||||
reachable from the INPUT and FORWARD hooks.
|
|
||||||
|
|
||||||
3) Internals Change: The Policy.pm module has been merged into the
|
|
||||||
Rules.pm module.
|
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||||
@ -408,6 +347,147 @@ None.
|
|||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||||
I N P R I O R R E L E A S E S
|
I N P R I O R R E L E A S E S
|
||||||
|
----------------------------------------------------------------------------
|
||||||
|
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 8
|
||||||
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
4.4.18 Final
|
||||||
|
|
||||||
|
1) Previously, if an IPv6 host address (no "/<vlsm>") was used in a
|
||||||
|
context where a network address is allowed, the compiler failed to
|
||||||
|
supply the default <vlsm> of 128. This could lead to startup errors
|
||||||
|
and/or Perl errors such as:
|
||||||
|
|
||||||
|
Use of uninitialized value $mask in concatenation (.) or
|
||||||
|
string at /usr/share/shorewall/Shorewall/Tc.pm line 979,
|
||||||
|
<$currentfile> line 11.
|
||||||
|
|
||||||
|
2) The <burst> option for the IN-BANDWIDTH column of tcdevices was
|
||||||
|
previously not recognized. That functionality has been restored.
|
||||||
|
|
||||||
|
3) If an interface mentioned in the tcfilters file was not up when
|
||||||
|
Shorewall was started or restarted, then the command would fail
|
||||||
|
at run-time with a 'tc' error message.
|
||||||
|
|
||||||
|
4.4.18 RC 1
|
||||||
|
|
||||||
|
1) None.
|
||||||
|
|
||||||
|
4.4.18 Beta 4
|
||||||
|
|
||||||
|
1) Edting of the MARK column has been tighened to catch errors at
|
||||||
|
compile time rather than at run time.
|
||||||
|
|
||||||
|
2) The MODULE_SUFFIX default has been changed to "ko ko.gz o o.gz gz"
|
||||||
|
to get the most common suffixes at the front of the list. It is
|
||||||
|
still recommended that you modify this setting to include only the
|
||||||
|
suffix(es) used on your system. Current distributions use 'ko'
|
||||||
|
almost exclusively.
|
||||||
|
|
||||||
|
4.4.18 Beta 2
|
||||||
|
|
||||||
|
1) Previously, the 'local' option in /etc/shorewall6/providers would
|
||||||
|
produce an 'ip route add' command containing an IPv4 address. It now
|
||||||
|
correctly uses the equivalent IPv6 address. Note that this option
|
||||||
|
is still undocumented for use with IPv6.
|
||||||
|
|
||||||
|
2) When optimize level 4 was set, the optimizer mis-handled rules of the
|
||||||
|
form:
|
||||||
|
|
||||||
|
-A <chain1> -j <chain2> -m comment ...
|
||||||
|
|
||||||
|
when such a rule was the only rule in a chain.
|
||||||
|
|
||||||
|
4.4.18 Beta 1
|
||||||
|
|
||||||
|
None.
|
||||||
|
|
||||||
|
----------------------------------------------------------------------------
|
||||||
|
N E W F E A T U R E S I N 4 . 4 . 1 8
|
||||||
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
1) The modules files are now just a driver that INCLUDEs several new
|
||||||
|
files and one old file:
|
||||||
|
|
||||||
|
- /usr/share/shorewall[6]/modules.essential # Essential modules
|
||||||
|
- /usr/share/shorewall[6]/modules.xtables # xt_ modules
|
||||||
|
- /usr/share/shorewall[6]/helpers # Existing file
|
||||||
|
- /usr/share/shorewall/ipset # ipset modules
|
||||||
|
- /usr/share/shorewall[6]/modules.tc # Traffic Shaping
|
||||||
|
- /usr/share/shorewall[6]/modules.extensions # Other extensions
|
||||||
|
|
||||||
|
This should make it easier to configure your own
|
||||||
|
/etc/shorewall[6]/modules file that won't be obsolete when you
|
||||||
|
upgrade your Shorewall/Shorewall6 installation.
|
||||||
|
|
||||||
|
For example, if you don't use traffic shaping or ipsets, you can
|
||||||
|
remove those from your copy of the modules file (copy in
|
||||||
|
/etc/shorewall/).
|
||||||
|
|
||||||
|
2) Traditionally, the root of the Shorewall accounting rules has been
|
||||||
|
the 'accounting' chain. Having a single root chain has drawbacks:
|
||||||
|
|
||||||
|
- Many rules are traversed needlessly (they could not possibly
|
||||||
|
match traffic).
|
||||||
|
- At any time, the Netfilter team could begin generating errors
|
||||||
|
when loading those same rules.
|
||||||
|
- MAC addresses may not be used in the accounting rules.
|
||||||
|
- The 'accounting' chain cannot be optimized when
|
||||||
|
OPTIMIZE_ACCOUNTING=Yes.
|
||||||
|
|
||||||
|
In addition, currently the rules may be defined in any order so the
|
||||||
|
rules compiler must post-process the ruleset to alert the user to
|
||||||
|
unreferenced chains.
|
||||||
|
|
||||||
|
Beginning with Shorewall 4.4.18, the accounting structure can be
|
||||||
|
created with three root chains:
|
||||||
|
|
||||||
|
- accountin: Rules that are valid in the INPUT chain (may not
|
||||||
|
specify an output interface).
|
||||||
|
- accountout: Rules that are valid in the OUTPUT chain (may not
|
||||||
|
specify an input interface or a MAC address).
|
||||||
|
- accountfwd: Other rules.
|
||||||
|
|
||||||
|
The new structure is enabled by sectioning the accounting file in a
|
||||||
|
manner similar to the rules file.
|
||||||
|
|
||||||
|
The sections are INPUT, OUTPUT and FORWARD and must appear in that
|
||||||
|
order (although any of them may be omitted). The first
|
||||||
|
non-commentary record in the accounting file must be a section
|
||||||
|
header when sectioning is used.
|
||||||
|
|
||||||
|
When sections are enabled:
|
||||||
|
|
||||||
|
- You must jump to a user-defined accounting chain before you can
|
||||||
|
add rules to that chain. This eliminates the possibility of
|
||||||
|
unreferenced chains.
|
||||||
|
- You may not specify an output interface in the INPUT section.
|
||||||
|
- In the OUTPUT section:
|
||||||
|
- You may not specify an input interface
|
||||||
|
- You may not jump to a chain defined in the INPUT section that
|
||||||
|
specifies an input interface
|
||||||
|
- You may not specify a MAC address
|
||||||
|
- You may not jump to a chain defined in the INPUT section that
|
||||||
|
specifies specifies a MAC address.
|
||||||
|
- The default value of the CHAIN column is:
|
||||||
|
- 'accountin' in the INPUT section
|
||||||
|
- 'accountout' in the OUTPUT section
|
||||||
|
- 'accountfwd' in the FORWARD section
|
||||||
|
- Traffic addressed to the firewall goes through the rules defined
|
||||||
|
in the INPUT section.
|
||||||
|
- Traffic originating on the firewall goes through the rules
|
||||||
|
defined in the OUTPUT section.
|
||||||
|
- Traffic being forwarded through the firewall goes through the
|
||||||
|
rules defined in the FORWARD section.
|
||||||
|
|
||||||
|
As part of this change, the USER/GROUP column must now be empty
|
||||||
|
except in the OUTPUT section. This is consistent with recent
|
||||||
|
Netfilter releases which disallow the owner match in rules
|
||||||
|
reachable from the INPUT and FORWARD hooks.
|
||||||
|
|
||||||
|
3) Internals Change: The Policy.pm module has been merged into the
|
||||||
|
Rules.pm module.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 7
|
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 7
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
@ -3103,7 +3183,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
|||||||
hence will now start successfully when running on that kernel.
|
hence will now start successfully when running on that kernel.
|
||||||
|
|
||||||
14) Three new options (IP, TC and IPSET) have been added to
|
14) Three new options (IP, TC and IPSET) have been added to
|
||||||
shorewall.conf and shorwall6.conf. These options specify the name
|
shorewall.conf and shorewall6.conf. These options specify the name
|
||||||
of the executable for the 'ip', 'tc' and 'ipset' utilities
|
of the executable for the 'ip', 'tc' and 'ipset' utilities
|
||||||
respectively.
|
respectively.
|
||||||
|
|
||||||
|
@ -363,7 +363,11 @@ compiler() {
|
|||||||
PERL=/usr/bin/perl
|
PERL=/usr/bin/perl
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
|
if [ $g_perllib = share/shorewall ]; then
|
||||||
|
$PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
|
||||||
|
else
|
||||||
|
PERL5LIB=$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1135,6 +1139,8 @@ reload_command() # $* = original arguments less the command.
|
|||||||
getcaps=
|
getcaps=
|
||||||
local root
|
local root
|
||||||
root=root
|
root=root
|
||||||
|
local libexec
|
||||||
|
libexec=share
|
||||||
|
|
||||||
litedir=/var/lib/shorewall-lite
|
litedir=/var/lib/shorewall-lite
|
||||||
|
|
||||||
@ -1195,6 +1201,10 @@ reload_command() # $* = original arguments less the command.
|
|||||||
|
|
||||||
[ -n "$temp" ] && litedir="$temp"
|
[ -n "$temp" ] && litedir="$temp"
|
||||||
|
|
||||||
|
temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
|
||||||
|
|
||||||
|
[ -n "$temp" ] && libexec="$temp"
|
||||||
|
|
||||||
if [ -z "$getcaps" ]; then
|
if [ -z "$getcaps" ]; then
|
||||||
SHOREWALL_DIR=$(resolve_file $directory)
|
SHOREWALL_DIR=$(resolve_file $directory)
|
||||||
ensure_config_path
|
ensure_config_path
|
||||||
@ -1211,7 +1221,7 @@ reload_command() # $* = original arguments less the command.
|
|||||||
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
|
[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
|
||||||
|
|
||||||
progress_message "Getting Capabilities on system $system..."
|
progress_message "Getting Capabilities on system $system..."
|
||||||
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
|
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/$libexec/shorewall-lite/shorecap" > $directory/capabilities; then
|
||||||
fatal_error "ERROR: Capturing capabilities on system $system failed"
|
fatal_error "ERROR: Capturing capabilities on system $system failed"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -1574,6 +1584,8 @@ CONFDIR=/etc/shorewall
|
|||||||
g_product="Shorewall"
|
g_product="Shorewall"
|
||||||
g_recovering=
|
g_recovering=
|
||||||
g_timestamp=
|
g_timestamp=
|
||||||
|
g_libexec=share
|
||||||
|
g_perllib=share/shorewall
|
||||||
|
|
||||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
||||||
|
|
||||||
|
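Review bot: `PERL5LIB=$g_perllib` in the new else branch of compiler() exports a relative path: g_perllib holds the suffix under /usr (its default is `share/shorewall` and the installer writes it the same way), and the sibling line in the same hunk builds `/usr/$g_libexec/...` from the matching variable, so Perl would search `./<g_perllib>` relative to the current working directory rather than `/usr/<g_perllib>`. Besides failing to find the modules, a cwd-relative library path for a compiler that is normally run as root is a location from which an unintended module could be loaded, so it should be anchored: `PERL5LIB=/usr/$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@`. The unquoted test `[ $g_perllib = share/shorewall ]` also errors out with an empty value, so `[ "$g_perllib" = share/shorewall ]` is safer. compiler() starts outside this hunk; reload_command() starts and ends outside its hunks.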
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 4.4.18
|
%define version 4.4.19
|
||||||
%define release 1
|
%define release 0Beta4
|
||||||
|
|
||||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -109,10 +109,12 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta4
|
||||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta3
|
||||||
|
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.19-0Beta1
|
||||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-0base
|
- Updated to 4.4.18-0base
|
||||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -72,6 +72,9 @@ else
|
|||||||
VERSION=""
|
VERSION=""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
|
[ -n "${PERLLIB:=share/shorewall}" ]
|
||||||
|
|
||||||
echo "Uninstalling shorewall $VERSION"
|
echo "Uninstalling shorewall $VERSION"
|
||||||
|
|
||||||
if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
|
if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
|
||||||
@ -106,6 +109,8 @@ rm -rf /etc/shorewall
|
|||||||
rm -rf /etc/shorewall-*.bkout
|
rm -rf /etc/shorewall-*.bkout
|
||||||
rm -rf /var/lib/shorewall
|
rm -rf /var/lib/shorewall
|
||||||
rm -rf /var/lib/shorewall-*.bkout
|
rm -rf /var/lib/shorewall-*.bkout
|
||||||
|
rm -rf /usr/$PERLLIB}/Shorewall/*
|
||||||
|
rm -rf /usr/${LIBEXEC}/shorewall
|
||||||
rm -rf /usr/share/shorewall
|
rm -rf /usr/share/shorewall
|
||||||
rm -rf /usr/share/shorewall-*.bkout
|
rm -rf /usr/share/shorewall-*.bkout
|
||||||
rm -rf /usr/share/man/man5/shorewall*
|
rm -rf /usr/share/man/man5/shorewall*
|
||||||
|
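Review bot: `rm -rf /usr/$PERLLIB}/Shorewall/*` is missing the opening brace, so with the default it expands to `/usr/share/shorewall}/Shorewall/*`, a path that does not exist, and the Perl modules are never removed; it should read `rm -rf /usr/${PERLLIB}/Shorewall/*`. Even with the brace fixed the trailing `/*` leaves the empty Shorewall directory behind, unlike the `rm -rf /usr/${LIBEXEC}/shorewall` line right below it that removes the whole tree, so `rm -rf /usr/${PERLLIB}/Shorewall` would be consistent. Because these are unguarded recursive deletes built from environment variables, it is worth noting in a comment that the `[ -n "${PERLLIB:=share/shorewall}" ]` / `[ -n "${LIBEXEC:=share}" ]` lines above are what protects against an empty value expanding to `/usr//Shorewall`.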
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -123,6 +123,7 @@ done
|
|||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
#
|
#
|
||||||
# Determine where to install the firewall script
|
# Determine where to install the firewall script
|
||||||
#
|
#
|
||||||
@ -187,6 +188,7 @@ else
|
|||||||
rm -rf ${DESTDIR}/etc/shorewall6-lite
|
rm -rf ${DESTDIR}/etc/shorewall6-lite
|
||||||
rm -rf ${DESTDIR}/usr/share/shorewall6-lite
|
rm -rf ${DESTDIR}/usr/share/shorewall6-lite
|
||||||
rm -rf ${DESTDIR}/var/lib/shorewall6-lite
|
rm -rf ${DESTDIR}/var/lib/shorewall6-lite
|
||||||
|
[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
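Review bot: The new `[ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap` omits `${DESTDIR}`, unlike the three `rm -rf ${DESTDIR}/...` lines immediately above it, so a staged build with DESTDIR set deletes files from the build host's live `/usr/share` rather than from the staging tree. It should be `[ "$LIBEXEC" = share ] || rm -rf ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/shorecap`; the `if`/`else` block these lines belong to begins above the hunk. In the following hunk, `eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6-lite` carries a stray pair of backticks (an empty command substitution) that the equivalent line in the shorewall6 installer does not have, and the `eval` is unnecessary: `sed -i "s|g_libexec=.*|g_libexec=$LIBEXEC|" ${DESTDIR}/sbin/shorewall6-lite` performs the same substitution without re-parsing the environment value as shell syntax.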
@ -202,6 +204,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules
|
|||||||
|
|
||||||
install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
|
install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
|
||||||
|
|
||||||
|
eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6-lite
|
||||||
|
|
||||||
echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
|
echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -223,6 +227,7 @@ echo "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
|
|||||||
#
|
#
|
||||||
mkdir -p ${DESTDIR}/etc/shorewall6-lite
|
mkdir -p ${DESTDIR}/etc/shorewall6-lite
|
||||||
mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
|
mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
|
||||||
|
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite
|
||||||
mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
|
mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
|
||||||
|
|
||||||
chmod 755 ${DESTDIR}/etc/shorewall6-lite
|
chmod 755 ${DESTDIR}/etc/shorewall6-lite
|
||||||
@ -275,20 +280,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/funct
|
|||||||
# Install Shorecap
|
# Install Shorecap
|
||||||
#
|
#
|
||||||
|
|
||||||
install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755
|
install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap 0755
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"
|
echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Install wait4ifup
|
# Install wait4ifup
|
||||||
#
|
#
|
||||||
|
|
||||||
if [ -f wait4ifup ]; then
|
if [ -f wait4ifup ]; then
|
||||||
install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755
|
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup 0755
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
|
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -554,6 +554,7 @@ MUTEX_TIMEOUT=
|
|||||||
SHAREDIR=/usr/share/shorewall6-lite
|
SHAREDIR=/usr/share/shorewall6-lite
|
||||||
CONFDIR=/etc/shorewall6-lite
|
CONFDIR=/etc/shorewall6-lite
|
||||||
g_product="Shorewall6 Lite"
|
g_product="Shorewall6 Lite"
|
||||||
|
g_libexec=share
|
||||||
|
|
||||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
|
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
|
||||||
|
|
||||||
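Review bot: The context line directly after the new `g_libexec=share` default, `[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]`, carries a stray trailing `]` that is handed to `.` as an extra argument; the same statement in the shorewall6 script in this commit ends at `${CONFDIR}/vardir` with no bracket. Since the commit already touches this block, dropping it here is cheap: `[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir`.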
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall6-lite
|
%define name shorewall6-lite
|
||||||
%define version 4.4.18
|
%define version 4.4.19
|
||||||
%define release 1
|
%define release 0Beta4
|
||||||
|
|
||||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -94,10 +94,12 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta4
|
||||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta3
|
||||||
|
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.19-0Beta1
|
||||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-0base
|
- Updated to 4.4.18-0base
|
||||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -60,6 +60,8 @@ else
|
|||||||
VERSION=""
|
VERSION=""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
|
|
||||||
echo "Uninstalling Shorewall Lite $VERSION"
|
echo "Uninstalling Shorewall Lite $VERSION"
|
||||||
|
|
||||||
if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
|
if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
|
||||||
@ -95,6 +97,7 @@ rm -rf /etc/shorewall6-lite-*.bkout
|
|||||||
rm -rf /var/lib/shorewall6-lite
|
rm -rf /var/lib/shorewall6-lite
|
||||||
rm -rf /var/lib/shorewall6-lite-*.bkout
|
rm -rf /var/lib/shorewall6-lite-*.bkout
|
||||||
rm -rf /usr/share/shorewall6-lite
|
rm -rf /usr/share/shorewall6-lite
|
||||||
|
rm -rf /usr/${LIBEXEC}/shorewall6-lite
|
||||||
rm -rf /usr/share/shorewall6-lite-*.bkout
|
rm -rf /usr/share/shorewall6-lite-*.bkout
|
||||||
rm -f /etc/logrotate.d/shorewall6-lite
|
rm -f /etc/logrotate.d/shorewall6-lite
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -110,6 +110,8 @@ MAC=
|
|||||||
MANDIR=${MANDIR:-"/usr/share/man"}
|
MANDIR=${MANDIR:-"/usr/share/man"}
|
||||||
SPARSE=
|
SPARSE=
|
||||||
INSTALLD='-D'
|
INSTALLD='-D'
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
|
[ -n "${PERLLIB:=share/shoreall}" ]
|
||||||
|
|
||||||
case $(uname) in
|
case $(uname) in
|
||||||
CYGWIN*)
|
CYGWIN*)
|
||||||
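Review bot: The default in `[ -n "${PERLLIB:=share/shoreall}" ]` is misspelled; the shorewall uninstaller in this commit (`${PERLLIB:=share/shorewall}`), the `g_perllib=share/shorewall` default written into the shorewall6 script and the new documentation all use `share/shorewall`. With the typo a default install runs `mkdir -p ${DESTDIR}/usr/share/shoreall/` (the later hunk's `mkdir -p ${DESTDIR}/usr/${PERLLIB}/`) and patches `g_perllib=share/shoreall` into `/sbin/shorewall6`, which then fails the `[ $g_perllib = share/shorewall ]` test in compiler() and presumably cannot find the modules at all. Fix: `[ -n "${PERLLIB:=share/shorewall}" ]`. The two `eval sed -i ...` lines in the later hunk could also drop the `eval` — `sed -i "s|g_perllib=.*|g_perllib=$PERLLIB|" ${DESTDIR}/sbin/shorewall6` — so an environment value is not re-parsed as shell syntax before being written into the installed program.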
@ -226,9 +228,13 @@ fi
|
|||||||
|
|
||||||
if [ -z "$CYGWIN" ]; then
|
if [ -z "$CYGWIN" ]; then
|
||||||
install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
|
install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
|
||||||
|
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6
|
||||||
|
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall6
|
||||||
echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
|
echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
|
||||||
else
|
else
|
||||||
install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
|
install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
|
||||||
|
eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall6
|
||||||
|
eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall6
|
||||||
echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6"
|
echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -252,7 +258,8 @@ fi
|
|||||||
# Create /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall6 if needed
|
# Create /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall6 if needed
|
||||||
#
|
#
|
||||||
mkdir -p ${DESTDIR}/etc/shorewall6
|
mkdir -p ${DESTDIR}/etc/shorewall6
|
||||||
mkdir -p ${DESTDIR}/usr/share/shorewall6
|
mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6
|
||||||
|
mkdir -p ${DESTDIR}/usr/${PERLLIB}/
|
||||||
mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles
|
mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles
|
||||||
mkdir -p ${DESTDIR}/var/lib/shorewall6
|
mkdir -p ${DESTDIR}/var/lib/shorewall6
|
||||||
|
|
||||||
@ -318,10 +325,10 @@ delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6
|
|||||||
# Install wait4ifup
|
# Install wait4ifup
|
||||||
#
|
#
|
||||||
|
|
||||||
install_file wait4ifup ${DESTDIR}/usr/share/shorewall6/wait4ifup 0755
|
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6/wait4ifup 0755
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6/wait4ifup"
|
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6/wait4ifup"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Install the policy file
|
# Install the policy file
|
||||||
|
@ -38,7 +38,6 @@ SHOREWALL_CAPVERSION=40417
|
|||||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||||
[ -n "${CONFDIR:=/etc/shorewall6}" ]
|
[ -n "${CONFDIR:=/etc/shorewall6}" ]
|
||||||
[ -n "${PERLSHAREDIR:=/usr/share/shorewall}" ]
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Conditionally produce message
|
# Conditionally produce message
|
||||||
|
@ -591,8 +591,17 @@ show_command() {
|
|||||||
;;
|
;;
|
||||||
config)
|
config)
|
||||||
. ${SHAREDIR}/configpath
|
. ${SHAREDIR}/configpath
|
||||||
echo "Default CONFIG_PATH is $CONFIG_PATH"
|
if [ -n "$g_filemode" ]; then
|
||||||
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
|
echo "CONFIG_PATH=$CONFIG_PATH"
|
||||||
|
echo "VARDIR=$VARDIR"
|
||||||
|
echo "LIBEXEC=$g_libexec"
|
||||||
|
[ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR"
|
||||||
|
else
|
||||||
|
echo "Default CONFIG_PATH is $CONFIG_PATH"
|
||||||
|
echo "Default VARDIR is $VARDIR"
|
||||||
|
echo "LIBEXEC is $g_libexec"
|
||||||
|
[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
chain)
|
chain)
|
||||||
shift
|
shift
|
||||||
|
@ -239,7 +239,7 @@ startup_error() {
|
|||||||
# Run the appropriate compiler
|
# Run the appropriate compiler
|
||||||
#
|
#
|
||||||
compiler() {
|
compiler() {
|
||||||
pc=${PERLSHAREDIR}/compiler.pl
|
pc=/usr/$g_libexec/shorewall/compiler.pl
|
||||||
|
|
||||||
local command
|
local command
|
||||||
command=$1
|
command=$1
|
||||||
@ -300,7 +300,11 @@ compiler() {
|
|||||||
PERL=/usr/bin/perl
|
PERL=/usr/bin/perl
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$command $PERL $debugflags $pc $options $@
|
if [ $g_perllib = share/shorewall ]; then
|
||||||
|
$command $PERL $debugflags $pc $options $@
|
||||||
|
else
|
||||||
|
$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
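Review bot: `$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@` passes `g_perllib` to Perl unchanged, but the value is a directory relative to `/usr` (`share/shorewall` by default; the installer runs `mkdir -p ${DESTDIR}/usr/${PERLLIB}/` and `pc=/usr/$g_libexec/shorewall/compiler.pl` in the earlier compiler() hunk follows the same convention), so Perl would search `./share/shorewall` relative to the current directory rather than the installed module tree; it should be `PERL5LIB=/usr/$g_perllib`. The test `[ $g_perllib = share/shorewall ]` should quote the expansion, `[ "$g_perllib" = share/shorewall ]`, so an empty value yields a clean comparison instead of a `[` syntax error. Whether a leading environment assignment works also depends on what `$command` holds (set from `$1` at the top of compiler(), outside this hunk): an empty prefix or `eval` accepts `VAR=value prog`, but `exec` or a wrapper function that runs `"$@"` would try to execute `PERL5LIB=...` as a program — worth confirming against the callers.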
@ -1068,6 +1072,8 @@ reload_command() # $* = original arguments less the command.
|
|||||||
root=root
|
root=root
|
||||||
local compiler
|
local compiler
|
||||||
compiler=
|
compiler=
|
||||||
|
local libexec
|
||||||
|
libexec=share
|
||||||
|
|
||||||
litedir=/var/lib/shorewall6-lite
|
litedir=/var/lib/shorewall6-lite
|
||||||
|
|
||||||
@ -1128,6 +1134,10 @@ reload_command() # $* = original arguments less the command.
|
|||||||
|
|
||||||
[ -n "$temp" ] && litedir=$temp
|
[ -n "$temp" ] && litedir=$temp
|
||||||
|
|
||||||
|
temp=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
|
||||||
|
|
||||||
|
[ -n "$temp" ] && libexec=$temp
|
||||||
|
|
||||||
if [ -z "$getcaps" ]; then
|
if [ -z "$getcaps" ]; then
|
||||||
SHOREWALL_DIR=$(resolve_file $directory)
|
SHOREWALL_DIR=$(resolve_file $directory)
|
||||||
ensure_config_path
|
ensure_config_path
|
||||||
@ -1142,7 +1152,7 @@ reload_command() # $* = original arguments less the command.
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
progress_message "Getting Capabilities on system $system..."
|
progress_message "Getting Capabilities on system $system..."
|
||||||
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES /usr/share/shorewall6-lite/shorecap" > $directory/capabilities; then
|
if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES /usr/$libexec/shorewall6-lite/shorecap" > $directory/capabilities; then
|
||||||
fatal_error "ERROR: Capturing capabilities on system $system failed"
|
fatal_error "ERROR: Capturing capabilities on system $system failed"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -1484,6 +1494,8 @@ SHAREDIR=/usr/share/shorewall6
|
|||||||
CONFDIR=/etc/shorewall6
|
CONFDIR=/etc/shorewall6
|
||||||
g_product="Shorewall6"
|
g_product="Shorewall6"
|
||||||
g_recovering=
|
g_recovering=
|
||||||
|
g_libexec=share
|
||||||
|
g_perllib=share/shorewall
|
||||||
|
|
||||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall6
|
%define name shorewall6
|
||||||
%define version 4.4.18
|
%define version 4.4.19
|
||||||
%define release 1
|
%define release 0Beta4
|
||||||
|
|
||||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -98,10 +98,12 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sat Mar 19 2011 Tom Eastep tom@shorewall.net
|
* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta4
|
||||||
* Sun Mar 13 2011 Tom Eastep tom@shorewall.net
|
* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-1
|
- Updated to 4.4.19-0Beta3
|
||||||
|
* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.19-0Beta1
|
||||||
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.18-0base
|
- Updated to 4.4.18-0base
|
||||||
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.18.1
|
VERSION=4.4.19-Beta4
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
@ -72,6 +72,8 @@ else
|
|||||||
VERSION=""
|
VERSION=""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -n "${LIBEXEC:=share}" ]
|
||||||
|
|
||||||
echo "Uninstalling shorewall6 $VERSION"
|
echo "Uninstalling shorewall6 $VERSION"
|
||||||
|
|
||||||
if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
|
if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
|
||||||
@ -106,6 +108,7 @@ rm -rf /etc/shorewall6
|
|||||||
rm -rf /etc/shorewall6-*.bkout
|
rm -rf /etc/shorewall6-*.bkout
|
||||||
rm -rf /var/lib/shorewall6
|
rm -rf /var/lib/shorewall6
|
||||||
rm -rf /var/lib/shorewall6-*.bkout
|
rm -rf /var/lib/shorewall6-*.bkout
|
||||||
|
rm -rf /usr/${LIBEXEC}/shorewall6
|
||||||
rm -rf /usr/share/shorewall6
|
rm -rf /usr/share/shorewall6
|
||||||
rm -rf /usr/share/shorewall6-*.bkout
|
rm -rf /usr/share/shorewall6-*.bkout
|
||||||
rm -rf /usr/share/man/man5/shorewall6*
|
rm -rf /usr/share/man/man5/shorewall6*
|
||||||
|
@ -173,6 +173,80 @@
|
|||||||
instructions</ulink>.</para>
|
instructions</ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Executables in /usr and Perl Modules</title>
|
||||||
|
|
||||||
|
<para>Distributions have different philosophies about the proper file
|
||||||
|
hierarchy. Two issures are particularly contentious:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>Executable files in
|
||||||
|
<filename>/usr/share/shorewall*</filename>. These include;</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>getparams</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>compiler.pl</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>wait4ifup</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>shorecap</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>ifupdown</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Perl Modules in
|
||||||
|
<filename>/usr/share/shorewall/Shorewall</filename>.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>To allow distributions to designate alternate locations for these
|
||||||
|
files, the installers (install.sh) from 4.4.19 onward support the
|
||||||
|
following environmental variables:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>LIBEXEC</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Determines where in /usr getparams, compiler.pl, wait4ifup,
|
||||||
|
shorecap and ifupdown are installed. Shorewall and Shorewall6 must
|
||||||
|
be installed with the same value of LIBEXEC. The listed
|
||||||
|
executables are installed in
|
||||||
|
<filename>/usr/${LIBEXEC}/shorewall*</filename>. The default value
|
||||||
|
of LIBEXEC is 'share'. LIBEXEC is recognized by all installers and
|
||||||
|
uninstallers.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>PERLLIB</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para> Determines where in <filename>/usr </filename>the Shorewall
|
||||||
|
perl modules are installed. Shorewall and Shorewall6 must be
|
||||||
|
installed with the same value of PERLLIB. The modules are
|
||||||
|
installed in <filename>/usr/${PERLLIB}/Shorewall</filename>. The
|
||||||
|
default value of PERLLIB is 'share/shorewall'. PERLLIB is only
|
||||||
|
recognized by the Shorewall and Shorewall6 installers.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Debian">
|
<section id="Debian">
|
||||||
|
@ -647,14 +647,35 @@ eth0 <emphasis role="bold">172.20.1.0/24</emphasis></programl
|
|||||||
<para>Before:</para>
|
<para>Before:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||||
NONAT loc net tcp 80</programlisting>
|
NONAT loc net tcp 80</programlisting>
|
||||||
|
|
||||||
<para>After:</para>
|
<para>After:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||||
NONAT loc - tcp 80</programlisting>
|
NONAT loc - tcp 80</programlisting>
|
||||||
|
|
||||||
|
<para>Shorewall 4.4 versions prior to 4.4.19 do not support icmp type
|
||||||
|
lists in the DEST PORT(S) column. Only a single ICMP type may be listed.
|
||||||
|
If you have a shell variable with a list of ICMP types that you use in a
|
||||||
|
rule, you can work around this limitation as follows. Replace this
|
||||||
|
rule:</para>
|
||||||
|
|
||||||
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||||
|
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||||
|
ACCEPT z1 z2 icmp $ITYPES</programlisting>
|
||||||
|
|
||||||
|
<para>with:</para>
|
||||||
|
|
||||||
|
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
|
||||||
|
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||||
|
|
||||||
|
BEGIN SHELL
|
||||||
|
for type in $ITYPES; do
|
||||||
|
ACCEPT z1 z2 icmp $type
|
||||||
|
done
|
||||||
|
END SHELL</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="routestopped">
|
<section id="routestopped">
|
||||||
|
@ -790,6 +790,13 @@ gateway:/etc/shorewall # </programlisting></para>
|
|||||||
|
|
||||||
<para>/etc/shorewall/rules:<programlisting>SECTION NEW
|
<para>/etc/shorewall/rules:<programlisting>SECTION NEW
|
||||||
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
|
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
|
||||||
|
|
||||||
|
<para>If you are the sort to put such an entry in your rules file even
|
||||||
|
though /etc/shorewall/rules.d might not exist or might be empty, then
|
||||||
|
you probably want:</para>
|
||||||
|
|
||||||
|
<programlisting>SECTION NEW
|
||||||
|
SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting>
|
||||||
</example>
|
</example>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -1308,13 +1315,26 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Compliment">
|
<section id="Compliment">
|
||||||
<title>Complementing an Address or Subnet</title>
|
<title>Complementing an Address, Subnet, Protocol or Port List</title>
|
||||||
|
|
||||||
<para>Where specifying an IP address, a subnet or an interface, you can
|
<para>Where specifying an IP address, a subnet or an interface, you can
|
||||||
precede the item with <quote>!</quote> to specify the complement of the
|
precede the item with <quote>!</quote> to specify the complement of the
|
||||||
item. For example, !192.168.1.4 means <quote>any host but
|
item. For example, !192.168.1.4 means <quote>any host but
|
||||||
192.168.1.4</quote>. There must be no white space following the
|
192.168.1.4</quote>. There must be no white space following the
|
||||||
<quote>!</quote>.</para>
|
<quote>!</quote>.</para>
|
||||||
|
|
||||||
|
<para>Similarly, in columns that specify an IP protocol, you can preceed
|
||||||
|
the protocol name or number by "!". For example, !tcp means "any protocol
|
||||||
|
except tcp".</para>
|
||||||
|
|
||||||
|
<para>This also works with port lists, providing that the list contains 15
|
||||||
|
or fewer ports (where a <link linkend="Ranges">port range</link> counts as
|
||||||
|
two ports). For example !ssh,smtp means "any port except 22 and
|
||||||
|
25".</para>
|
||||||
|
|
||||||
|
<para>In Shorewall 4.4.19 and later, icmp type lists are supported but
|
||||||
|
complementing an icmp type list is <emphasis>not</emphasis> supported. You
|
||||||
|
may, however, complement a single icmp (icmp6) type.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Exclusion">
|
<section id="Exclusion">
|
||||||
@ -1454,6 +1474,9 @@ router-advertisement => 134
|
|||||||
neighbour-solicitation => 135
|
neighbour-solicitation => 135
|
||||||
neighbour-advertisement => 136
|
neighbour-advertisement => 136
|
||||||
redirect => 137</programlisting>
|
redirect => 137</programlisting>
|
||||||
|
|
||||||
|
<para>Shorewall 4.4 does not accept lists if ICMP (ICMP6) types prior to
|
||||||
|
Shorewall 4.4.19.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Ranges">
|
<section id="Ranges">
|
||||||
|
@ -81,5 +81,11 @@
|
|||||||
|
|
||||||
<para>If you installed using an rpm, at a root shell prompt type
|
<para>If you installed using an rpm, at a root shell prompt type
|
||||||
<quote>rpm -e shorewall</quote>.</para>
|
<quote>rpm -e shorewall</quote>.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>If you specified LIBEXEC and/or PERLLIB when you installed
|
||||||
|
Shorewall, you must specify the same value to the uninstall script.
|
||||||
|
e.g., LIBEXEC=libexec ./uninstall.sh.</para>
|
||||||
|
</note>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
|
@ -821,6 +821,10 @@
|
|||||||
role="bold">tcp:syn</emphasis> implies <emphasis
|
role="bold">tcp:syn</emphasis> implies <emphasis
|
||||||
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
||||||
RST,ACK and FIN flags must be reset.</para>
|
RST,ACK and FIN flags must be reset.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 4.4.19, this column can contain a
|
||||||
|
comma-separated list of protocol-numbers and/or protocol
|
||||||
|
names.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -837,7 +841,9 @@
|
|||||||
the destination icmp-type(s). ICMP types may be specified as a
|
the destination icmp-type(s). ICMP types may be specified as a
|
||||||
numeric type, a numberic type and code separated by a slash (e.g.,
|
numeric type, a numberic type and code separated by a slash (e.g.,
|
||||||
3/4), or a typename. See <ulink
|
3/4), or a typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||||
|
Note that prior to Shorewall 4.4.19, only a single ICMP type may be
|
||||||
|
listsed.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
|
@ -624,6 +624,10 @@
|
|||||||
role="bold">tcp:syn</emphasis> implies <emphasis
|
role="bold">tcp:syn</emphasis> implies <emphasis
|
||||||
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
||||||
RST,ACK and FIN flags must be reset.</para>
|
RST,ACK and FIN flags must be reset.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall6 4.4.19, this column can contain a
|
||||||
|
comma-separated list of protocol-numbers and/or protocol names
|
||||||
|
(e.g., <emphasis role="bold">tcp,udp</emphasis>).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -640,7 +644,9 @@
|
|||||||
the destination icmp-type(s). ICMP types may be specified as a
|
the destination icmp-type(s). ICMP types may be specified as a
|
||||||
numeric type, a numberic type and code separated by a slash (e.g.,
|
numeric type, a numberic type and code separated by a slash (e.g.,
|
||||||
3/4), or a typename. See <ulink
|
3/4), or a typename. See <ulink
|
||||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||||
|
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
|
||||||
|
listsed.</para>
|
||||||
|
|
||||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||||
this column is interpreted as an ipp2p option without the leading
|
this column is interpreted as an ipp2p option without the leading
|
||||||
|