Merge branch '4.4.19' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.19

Tom Eastep 2011-04-30 21:55:40 -07:00
commit d60dfc7be0
24 changed files with 224 additions and 71 deletions


@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall-init
%define version 4.4.19
%define release 0base
%define release 2
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@ -119,6 +119,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall-lite
%define version 4.4.19
%define release 0base
%define release 2
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name}
@ -103,6 +103,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{


@ -411,7 +411,7 @@ sub initialize( $ ) {
EXPORT => 0,
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.19",
VERSION => "4.4.19.2",
CAPVERSION => 40417 ,
);
#


@ -1887,7 +1887,7 @@ EOF
emit 'delete_tc1' if $config{CLEAR_TC};
emit( 'undo_routing',
'restore_default_route'
"restore_default_route $config{USE_DEFAULT_RT}"
);
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
@ -1907,7 +1907,6 @@ EOF
process_routestopped;
add_rule $input, '-i lo -j ACCEPT';
add_rule $input, '-i lo -j ACCEPT';
add_rule $output, '-o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
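Review bot: The emitted `restore_default_route $config{USE_DEFAULT_RT}` at the top of the hunk only works if the value stored for a disabled USE_DEFAULT_RT is an empty string, because the shell function on the other end decides with `[ -n "$1" ]`; if the config loader leaves a literal `No` there, the metric-route branch would be taken as if the option were enabled, and an undef value would produce an "uninitialized value" warning when interpolated. I cannot see the normalization from this hunk, so this is a request to confirm rather than a confirmed bug. A defensive way to decouple the two sides is to emit a fixed token, e.g. `emit( 'undo_routing', 'restore_default_route ' . ( $config{USE_DEFAULT_RT} ? 'Yes' : '' ) );`. The enclosing subroutine begins and ends outside this hunk.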


@ -207,8 +207,9 @@ sub process_one_masq( )
} else {
my $ports = $addr;
$ports =~ s/^://;
$ports =~ s/:/-/;
validate_portpair( $proto, $ports );
my $portrange = $ports;
$portrange =~ s/-/:/;
validate_portpair( $proto, $portrange );
$addrlist .= "--to-ports $ports ";
$exceptionrule = do_proto( $proto, '', '' );
}
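Review bot: Dropping the `$ports =~ s/:/-/;` normalization means a `:<low>:<high>` value now passes `validate_portpair` unchanged (the `s/-/:/` is a no-op on it) and is then emitted verbatim as `--to-ports <low>:<high>`, which iptables' MASQUERADE target does not accept for a port range, so a value the previous code silently accepted now fails only at rule-load time. Keeping the old substitution before taking the validation copy handles both spellings: `$ports =~ s/^://; $ports =~ s/:/-/; my $portrange = $ports; $portrange =~ s/-/:/;`. This assumes validate_portpair expects the colon form, which is what the new `s/-/:/` implies but which is not visible here. The enclosing process_one_masq body starts and ends outside the hunk.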


@ -730,7 +730,7 @@ sub start_providers() {
emit ( '#',
'# Capture the default route(s) if we don\'t have it (them) already.',
'#',
'[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
"[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route",
'#',
'# Initialize the file that holds \'undo\' commands',
'#',
@ -758,13 +758,21 @@ sub finish_providers() {
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
if ( $config{USE_DEFAULT_RT} ) {
emit ( " while qt \$IP -$family route del default table " . MAIN_TABLE . '; do',
' true',
' done',
''
);
}
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
'else',
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
if ( $config{RESTORE_DEFAULT_ROUTE} ) {
emit ' restore_default_route && error_message "NOTICE: Default route restored"'
emit qq( restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
} else {
emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
}
@ -775,7 +783,7 @@ sub finish_providers() {
emit ( '#',
'# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
'#',
'restore_default_route' ,
"restore_default_route $config{USE_DEFAULT_RT}" ,
'' );
}
@ -871,7 +879,7 @@ sub setup_providers() {
push_indent;
emit "\nundo_routing";
emit 'restore_default_route';
emit "restore_default_route $config{USE_DEFAULT_RT}";
if ( $config{NULL_ROUTE_RFC1918} ) {
emit ( '#',
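Review bot: In the start_providers hunk the new save line `[ -f ${VARDIR}/default_route ] || $IP -$family route list | save_default_route > ${VARDIR}/default_route` reports only the exit status of the awk filter, so a failing `ip route list` still creates an (empty) snapshot; because the leading `-f` test then suppresses any later re-capture, the pre-start default route is silently lost until the file is removed by restore_default_route. Capturing the listing first and only writing the file when it succeeded avoids that, for example `route_list=$($IP -$family route list) && echo "$route_list" | save_default_route > ${VARDIR}/default_route`, or at least an `error_message` on failure. The `while qt ... route del default ...; do true; done` loop in finish_providers is fine as long as `ip route del default` fails once no default remains, which is the documented behaviour; a comment saying the loop relies on that would help the next reader. Both subroutines extend beyond the hunks shown.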


@ -504,40 +504,57 @@ undo_routing() {
}
#
# Save the default route
#
save_default_route() {
awk \
'BEGIN {default=0;}; \
/^default / {default=1; print; next}; \
/nexthop/ {if (default == 1 ) {print ; next} }; \
{ default=0; };'
}
#
# Restore the default route that was in place before the initial 'shorewall start'
#
restore_default_route() {
replace_default_route() # $1 = USE_DEFAULT_RT
{
#
# default_route and result are inherited from the caller
#
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
#
[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
default_route=
;;
*)
qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
result=0
default_route=
;;
esac
fi
}
restore_default_route() # $1 = USE_DEFAULT_RT
{
local result
result=1
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route
default_route=
local route
result=1
while read route ; do
case $route in
default*)
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt $IP -4 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt $IP -4 route replace $default_route && \
result=0 && \
progress_message "Default Route (${default_route# }) restored"
;;
esac
break
fi
replace_default_route $1
default_route="$default_route $route"
;;
*)
@ -546,6 +563,20 @@ restore_default_route() {
esac
done < ${VARDIR}/default_route
replace_default_route $1
if [ $result = 1 ]; then
#
# We didn't restore a default route with metric 0
#
if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
#
# But we added a default route with metric 0
#
qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
fi
fi
rm -f ${VARDIR}/default_route
fi
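Review bot: In replace_default_route the `*metric*)` branch with an empty `$1` clears `default_route=` without any message, so a saved default route with a metric that is deliberately not restored leaves no trace in the progress log, while the metric-0 case and the cleanup below both announce what they did. A one-liner in the else path of that test keeps the log symmetric, e.g. `[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored" || progress_message "Default Route (${default_route# }) not restored"`. The post-loop cleanup also deletes any metric-0 default route present when none was restored, on the assumption stated in its comment that Shorewall added it; since that route could equally have been added by the administrator after start, the comment should say this is a heuristic based on the pre-start snapshot containing no metric-0 default. Style-wise, `fgrep` is deprecated in favour of `grep -F` and `[ -z "$g_noroutes" -a -f ... ]` would be more portable as two tests joined with `&&`.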


@ -492,40 +492,57 @@ undo_routing() {
}
#
# Save the default route
#
save_default_route() {
awk \
'BEGIN {default=0;}; \
/^default / {default=1; print; next}; \
/nexthop/ {if (default == 1 ) {print ; next} }; \
{ default=0; };'
}
#
# Restore the default route that was in place before the initial 'shorewall start'
#
restore_default_route() {
replace_default_route() # $1 = USE_DEFAULT_RT
{
#
# default_route and result are inherited from the caller
#
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
#
[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
default_route=
;;
*)
qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
result=0
default_route=
;;
esac
fi
}
restore_default_route() # $1 = USE_DEFAULT_RT
{
local result
result=1
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route
default_route=
local route
result=1
while read route ; do
case $route in
default)
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt $IP -6 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt $IP -6 route replace $default_route && \
result=0 && \
progress_message "Default Route (${default_route# }) restored"
;;
esac
break
fi
default*)
replace_default_route $1
default_route="$default_route $route"
;;
*)
@ -534,6 +551,20 @@ restore_default_route() {
esac
done < ${VARDIR}/default_route
replace_default_route $1
if [ $result = 1 ]; then
#
# We didn't restore a default route with metric 0
#
if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
#
# But we added a default route with metric 0
#
qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
fi
fi
rm -f ${VARDIR}/default_route
fi
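Review bot: The IPv6 copy treats any saved default route whose text contains `metric` as a non-metric-0 route and only restores it when `$1` is set, and the post-loop cleanup only fires when `ip -6 -o route list` shows a default line without `metric`; if, as is common for IPv6, the kernel always reports an explicit metric (1024 for routes added without one), the metric-0 path and the cleanup will effectively never run on IPv6 and the pre-start default route is only ever restored with USE_DEFAULT_RT. I cannot confirm the ip output format from this hunk, so please check against a real `ip -6 route list`; if it does carry a metric, matching on `metric 0` or `metric 1024` specifically, rather than the substring `metric`, would be needed here. At minimum a comment noting that the `*metric*` heuristic was written for IPv4 output would stop a reader assuming parity with the IPv4 function.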


@ -1,3 +1,17 @@
Changes in Shorewall 4.4.19.2
None.
Changes in Shorewall 4.4.19.1
1) Eliminate silly duplicate rule when stopped.
2) Don't believe that all nexthop routes are default routes.
3) Restore :<low port>-<high port> in masq file.
4) Correct default route safe/restore.
Changes in Shorewall 4.4.19 Final
1) Update release documents.


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{
@ -331,7 +331,7 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
# Install wait4ifup
#
install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755
install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup 0755
echo
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup"
@ -827,7 +827,7 @@ cd Perl
install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755
echo
echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl"
echo "Compiler installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl"
#
# Install the params file helper
#


@ -1,3 +1,22 @@
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
Corrected in Shorewall 4.4.19.1
2) There is a harmless duplicate ACCEPT rule in the INPUT filter chain
when the firewall is stopped.
Corrected in Shorewall 4.4.19.1
3) Shorewall interprets all 'nexthop' routes as default routes when
analyzing the pre-start routing configuration. This can lead to
unwanted default routes when the firewall was started or stopped.
Corrected in Shorewall 4.4.19.1
3) A defect introduced in Shorewall 4.4.17 broke the ability to
specify ':<low port>-<high port>' in the ADDRESS column of
/etc/shorewall/masq.
Corrected in Shorewall 4.4.19.1


@ -1,5 +1,5 @@
----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 9
S H O R E W A L L 4 . 4 . 1 9 . 2
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@ -13,6 +13,36 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
4.4.19.2
None.
4.4.19.1
1) A duplicate ACCEPT rule in the INPUT chain has been eliminated when
the firewall is stopped.
2) A defect introduced in Shorewall 4.4.17 broke the ability to
specify ':<low port>-<high port>' in the ADDRESS column of
/etc/shorewall/masq.
3) Several long-standing defects having to do with default route
save/restore have been corrected in the Multi-ISP implementation.
a) Shorewall previously interpreted all 'nexthop' routes as
default routes when analyzing the pre-start routing
configuration. This could lead to unwanted default routes when
the firewall was started or stopped.
b) The default route with metric 0 was usually not restored
during 'stop' processing.
c) If there were multiple default routes in the main table prior
to 'shorewall start' and USE_DEFAULT_RT was set, only the
first one with metric 0 was deleted.
4.4.19
1) Corrected a problem in optimize level 4 that resulted in the
following compile-time failure.


@ -1,6 +1,6 @@
%define name shorewall
%define version 4.4.19
%define release 0base
%define release 2
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@ -109,6 +109,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall6-lite
%define version 4.4.19
%define release 0base
%define release 2
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -94,6 +94,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall6
%define version 4.4.19
%define release 0base
%define release 2
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -98,6 +98,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19
VERSION=4.4.19.2
usage() # $1 = exit status
{