Merge branch '4.4.19' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.19

This commit is contained in:
Tom Eastep 2011-04-30 21:55:40 -07:00
commit d60dfc7be0
24 changed files with 224 additions and 71 deletions


@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,6 +1,6 @@
%define name shorewall-init %define name shorewall-init
%define version 4.4.19 %define version 4.4.19
%define release 0base %define release 2
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name} Name: %{name}
@ -119,6 +119,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base - Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net * Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,6 +1,6 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.4.19 %define version 4.4.19
%define release 0base %define release 2
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -103,6 +103,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base - Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net * Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -411,7 +411,7 @@ sub initialize( $ ) {
EXPORT => 0, EXPORT => 0,
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.19", VERSION => "4.4.19.2",
CAPVERSION => 40417 , CAPVERSION => 40417 ,
); );
# #


@ -1887,7 +1887,7 @@ EOF
emit 'delete_tc1' if $config{CLEAR_TC}; emit 'delete_tc1' if $config{CLEAR_TC};
emit( 'undo_routing', emit( 'undo_routing',
'restore_default_route' "restore_default_route $config{USE_DEFAULT_RT}"
); );
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/; my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
@ -1907,7 +1907,6 @@ EOF
process_routestopped; process_routestopped;
add_rule $input, '-i lo -j ACCEPT';
add_rule $input, '-i lo -j ACCEPT'; add_rule $input, '-i lo -j ACCEPT';
add_rule $output, '-o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED}; add_rule $output, '-o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
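Review bot: `restore_default_route $config{USE_DEFAULT_RT}` hands the raw config value to the generated script, and the shell side (lib.common in this same commit) only tests it with `[ -n "$1" ]`, so the stop path is correct only if a disabled setting is normalised to the empty string rather than to a literal `No`; if the key can be undef, the interpolation will also warn under `use warnings`. Making the contract explicit removes the dependence on the normaliser, e.g. `"restore_default_route " . ( $config{USE_DEFAULT_RT} ? 'Yes' : '' )` at each of the emit sites. The enclosing sub starts and ends outside this hunk, so I cannot see whether USE_DEFAULT_RT is already guaranteed to be 1 or empty at this point.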


@ -207,8 +207,9 @@ sub process_one_masq( )
} else { } else {
my $ports = $addr; my $ports = $addr;
$ports =~ s/^://; $ports =~ s/^://;
$ports =~ s/:/-/; my $portrange = $ports;
validate_portpair( $proto, $ports ); $portrange =~ s/-/:/;
validate_portpair( $proto, $portrange );
$addrlist .= "--to-ports $ports "; $addrlist .= "--to-ports $ports ";
$exceptionrule = do_proto( $proto, '', '' ); $exceptionrule = do_proto( $proto, '', '' );
} }
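Review bot: With `:<low>:<high>` in the ADDRESS column the new code validates the colon form but still emits `$ports` unchanged, so `--to-ports 1000:2000` would pass compile-time validation and be rejected by iptables at run time, which expects `port[-port]`; after `validate_portpair( $proto, $portrange );` normalise the emitted value with `$ports =~ s/:/-/;`. This assumes validate_portpair accepts exactly one colon-separated pair, which the dash-to-colon rewrite on the line above implies. The enclosing sub process_one_masq begins and ends outside the hunk.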


@ -730,7 +730,7 @@ sub start_providers() {
emit ( '#', emit ( '#',
'# Capture the default route(s) if we don\'t have it (them) already.', '# Capture the default route(s) if we don\'t have it (them) already.',
'#', '#',
'[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', "[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route",
'#', '#',
'# Initialize the file that holds \'undo\' commands', '# Initialize the file that holds \'undo\' commands',
'#', '#',
@ -758,13 +758,21 @@ sub finish_providers() {
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" ); emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
emit ( " qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
if ( $config{USE_DEFAULT_RT} ) {
emit ( " while qt \$IP -$family route del default table " . MAIN_TABLE . '; do',
' true',
' done',
''
);
}
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
'else', 'else',
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' ); ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
if ( $config{RESTORE_DEFAULT_ROUTE} ) { if ( $config{RESTORE_DEFAULT_ROUTE} ) {
emit ' restore_default_route && error_message "NOTICE: Default route restored"' emit qq( restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
} else { } else {
emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table"); emit qq( qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
} }
@ -775,7 +783,7 @@ sub finish_providers() {
emit ( '#', emit ( '#',
'# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved', '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
'#', '#',
'restore_default_route' , "restore_default_route $config{USE_DEFAULT_RT}" ,
'' ); '' );
} }
@ -871,7 +879,7 @@ sub setup_providers() {
push_indent; push_indent;
emit "\nundo_routing"; emit "\nundo_routing";
emit 'restore_default_route'; emit "restore_default_route $config{USE_DEFAULT_RT}";
if ( $config{NULL_ROUTE_RFC1918} ) { if ( $config{NULL_ROUTE_RFC1918} ) {
emit ( '#', emit ( '#',


@ -504,40 +504,57 @@ undo_routing() {
} }
#
# Save the default route
#
save_default_route() {
awk \
'BEGIN {default=0;}; \
/^default / {default=1; print; next}; \
/nexthop/ {if (default == 1 ) {print ; next} }; \
{ default=0; };'
}
# #
# Restore the default route that was in place before the initial 'shorewall start' # Restore the default route that was in place before the initial 'shorewall start'
# #
restore_default_route() { replace_default_route() # $1 = USE_DEFAULT_RT
{
#
# default_route and result are inherited from the caller
#
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
#
[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
default_route=
;;
*)
qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
result=0
default_route=
;;
esac
fi
}
restore_default_route() # $1 = USE_DEFAULT_RT
{
local result local result
result=1
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route local default_route
default_route= default_route=
local route local route
result=1
while read route ; do while read route ; do
case $route in case $route in
default*) default*)
if [ -n "$default_route" ]; then replace_default_route $1
case "$default_route" in
*metric*)
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt $IP -4 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt $IP -4 route replace $default_route && \
result=0 && \
progress_message "Default Route (${default_route# }) restored"
;;
esac
break
fi
default_route="$default_route $route" default_route="$default_route $route"
;; ;;
*) *)
@ -546,6 +563,20 @@ restore_default_route() {
esac esac
done < ${VARDIR}/default_route done < ${VARDIR}/default_route
replace_default_route $1
if [ $result = 1 ]; then
#
# We didn't restore a default route with metric 0
#
if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
#
# But we added a default route with metric 0
#
qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
fi
fi
rm -f ${VARDIR}/default_route rm -f ${VARDIR}/default_route
fi fi
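Review bot: In the `*)` arm of replace_default_route, `result=0` is now a separate statement, so it is set even when `qt $IP -4 route replace $default_route` fails, whereas the removed code only set it on success; since `result` is what later decides whether the metric-0 default is cleaned up in restore_default_route, a failed restore now silently skips that cleanup. Restore the chain: `qt $IP -4 route replace $default_route && result=0 && progress_message "Default Route (${default_route# }) restored"`. The second `result=1` inside the `if` in restore_default_route is redundant with the one at the top of the function. The `*)` arm of restore_default_route's case statement lies outside the hunk.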


@ -492,40 +492,57 @@ undo_routing() {
} }
#
# Save the default route
#
save_default_route() {
awk \
'BEGIN {default=0;}; \
/^default / {default=1; print; next}; \
/nexthop/ {if (default == 1 ) {print ; next} }; \
{ default=0; };'
}
# #
# Restore the default route that was in place before the initial 'shorewall start' # Restore the default route that was in place before the initial 'shorewall start'
# #
restore_default_route() { replace_default_route() # $1 = USE_DEFAULT_RT
{
#
# default_route and result are inherited from the caller
#
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
#
[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
default_route=
;;
*)
qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
result=0
default_route=
;;
esac
fi
}
restore_default_route() # $1 = USE_DEFAULT_RT
{
local result local result
result=1
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route local default_route
default_route= default_route=
local route local route
result=1
while read route ; do while read route ; do
case $route in case $route in
default) default*)
if [ -n "$default_route" ]; then replace_default_route $1
case "$default_route" in
*metric*)
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt $IP -6 route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt $IP -6 route replace $default_route && \
result=0 && \
progress_message "Default Route (${default_route# }) restored"
;;
esac
break
fi
default_route="$default_route $route" default_route="$default_route $route"
;; ;;
*) *)
@ -534,6 +551,20 @@ restore_default_route() {
esac esac
done < ${VARDIR}/default_route done < ${VARDIR}/default_route
replace_default_route $1
if [ $result = 1 ]; then
#
# We didn't restore a default route with metric 0
#
if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
#
# But we added a default route with metric 0
#
qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
fi
fi
rm -f ${VARDIR}/default_route rm -f ${VARDIR}/default_route
fi fi
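Review bot: The `*)` arm of replace_default_route sets `result=0` even when `qt $IP -6 route replace $default_route` fails (the removed code chained it with `&&`), so a failed restore skips the later metric-0 cleanup; use `qt $IP -6 route replace $default_route && result=0 && progress_message "Default Route (${default_route# }) restored"`. More importantly for IPv6, `ip -6 route list` normally prints an explicit metric (typically `metric 1024`) on every default route, so with USE_DEFAULT_RT unset the `*metric*` arm would discard every saved IPv6 default and nothing would be restored, and the `fgrep -qv metric` / `del default metric 0` cleanup could never match — as far as I can tell from the logic here; please confirm against real `ip -6 route list` output. If that holds, the IPv6 variant needs to treat the kernel's default metric as the "no metric" case rather than reusing the IPv4 rule verbatim. The `*)` arm of restore_default_route's case is outside the hunk.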


@ -1,3 +1,17 @@
Changes in Shorewall 4.4.19.2
None.
Changes in Shorewall 4.4.19.1
1) Eliminate silly duplicate rule when stopped.
2) Don't believe that all nexthop routes are default routes.
3) Restore :<low port>-<high port> in masq file.
4) Correct default route safe/restore.
Changes in Shorewall 4.4.19 Final Changes in Shorewall 4.4.19 Final
1) Update release documents. 1) Update release documents.


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -331,7 +331,7 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
# Install wait4ifup # Install wait4ifup
# #
install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755 install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup 0755
echo echo
echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup" echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup"
@ -827,7 +827,7 @@ cd Perl
install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755 install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755
echo echo
echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl" echo "Compiler installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl"
# #
# Install the params file helper # Install the params file helper
# #
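Review bot: wait4ifup is now installed under `${DESTDIR}/usr/${LIBEXEC}/shorewall/`, but the hunk does not remove the copy the previous line placed at `/usr/share/shorewall/wait4ifup`, so an in-place upgrade leaves a stale executable behind at the old path. Unless that is handled elsewhere in install.sh (not visible here), add `delete_file ${DESTDIR}/usr/share/shorewall/wait4ifup` before the install_file line, matching the prog.footer cleanup shown in the hunk header.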


@ -1,3 +1,22 @@
1) On systems running Upstart, shorewall-init cannot reliably secure 1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up. the firewall before interfaces are brought up.
Corrected in Shorewall 4.4.19.1
2) There is a harmless duplicate ACCEPT rule in the INPUT filter chain
when the firewall is stopped.
Corrected in Shorewall 4.4.19.1
3) Shorewall interprets all 'nexthop' routes as default routes when
analyzing the pre-start routing configuration. This can lead to
unwanted default routes when the firewall was started or stopped.
Corrected in Shorewall 4.4.19.1
3) A defect introduced in Shorewall 4.4.17 broke the ability to
specify ':<low port>-<high port>' in the ADDRESS column of
/etc/shorewall/masq.
Corrected in Shorewall 4.4.19.1


@ -1,5 +1,5 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 9 S H O R E W A L L 4 . 4 . 1 9 . 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE I. PROBLEMS CORRECTED IN THIS RELEASE
@ -13,6 +13,36 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
4.4.19.2
None.
4.4.19.1
1) A duplicate ACCEPT rule in the INPUT chain has been eliminated when
the firewall is stopped.
2) A defect introduced in Shorewall 4.4.17 broke the ability to
specify ':<low port>-<high port>' in the ADDRESS column of
/etc/shorewall/masq.
3) Several long-standing defects having to do with default route
save/restore have been corrected in the Multi-ISP implementation.
a) Shorewall previously interpreted all 'nexthop' routes as
default routes when analyzing the pre-start routing
configuration. This could lead to unwanted default routes when
the firewall was started or stopped.
b) The default route with metric 0 was usually not restored
during 'stop' processing.
c) If there were multiple default routes in the main table prior
to 'shorewall start' and USE_DEFAULT_RT was set, only the
first one with metric 0 was deleted.
4.4.19
1) Corrected a problem in optimize level 4 that resulted in the 1) Corrected a problem in optimize level 4 that resulted in the
following compile-time failure. following compile-time failure.


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 4.4.19 %define version 4.4.19
%define release 0base %define release 2
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -109,6 +109,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog %changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base - Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net * Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,6 +1,6 @@
%define name shorewall6-lite %define name shorewall6-lite
%define version 4.4.19 %define version 4.4.19
%define release 0base %define release 2
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -94,6 +94,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base - Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net * Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,6 +1,6 @@
%define name shorewall6 %define name shorewall6
%define version 4.4.19 %define version 4.4.19
%define release 0base %define release 2
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -98,6 +98,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog %changelog
* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-2
* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
* Sat Apr 09 2011 Tom Eastep tom@shorewall.net * Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base - Updated to 4.4.19-0base
* Sun Apr 03 2011 Tom Eastep tom@shorewall.net * Sun Apr 03 2011 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.19 VERSION=4.4.19.2
usage() # $1 = exit status usage() # $1 = exit status
{ {