holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Apply Steven Springl's Port Patch

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5983 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-04-17 20:59:10 +00:00
parent b0b5a067d7
commit d7f5925bc4
3 changed files with 22 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall-common/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in 3.9.3
1) Apply Steven Springl's patch for port checking.
Changes in 3.9.2 Changes in 3.9.2
1) Implement '-C {shell|perl}'. 1) Implement '-C {shell|perl}'.

74
Shorewall-common/releasenotes.txt
View File

@ -1,4 +1,4 @@
Shorewall 3.9.2 Shorewall 3.9.3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S R E L E A S E H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -15,75 +15,19 @@ Shorewall 3.9.2
You must install Shorewall and at least one of the compiler packages You must install Shorewall and at least one of the compiler packages
(you may install them both). (you may install them both).
Problems corrected in Shorewall 3.9.2 Problems corrected in Shorewall 3.9.3
1) When the -e flag was passed to the compiler, the generated script 1) If a rule specified a source or destination port of 0 for TCP or UDP it was
looked for the file /usr/share/shorewall/lib.base. This totally ignored.
broke Shorewall Lite.
2) The params file was being copied into the generated script The test for the presence of a source or destination port if the protocol is
independent of the setting of EXPORTPARAMS. not specified also ignored port 0.
3) The 'refresh' command no longer fails with an error Patch courtesy of Steven Springl.
'define_firewalll: not found'.
5) An wildcard interface in /etc/shorewall/hosts resulted in a Other changes in Shorewall 3.9.3
compilation error.
Example: None.
vpn tun+:0.0.0.0/0 ipsec
6) Non-calculated rates that specified a unit resulted in a
compilation error. Non-calculated rates are those that are not
calculated from 'full'.
Example:
eth1.100 1 24kbit full 2 default
------
7) When shorewall-shell was not installed, 'shorewall stop' and
'shorewall clear' failed with the diagnostic:
ERROR: USE_ACTIONS=Yes requires the Shorewall Library actions
(/usr/share/shorewall-shell/lib.actions) which is not installed.
8) When shorewall-shell was not installed, 'shorewall add' and
'shorewall clear' failed with the diagnostic:
ERROR: The add command requires the Shorewall library dynamiczones
(/usr/share/shorewall-shell/lib.dynamiczones) which is not
installed
With shorewall-shell installed, 'shorewall add' failed with:
ERROR: Only one firewall zone may be defined
9) 'shorewall add' and 'shorewall delete' now work again.
10) A syntax error in the lib.base Shell library has been corrected.
11) When ROUTE_FILTER=Yes in shorewall.conf, Shorewall no longer clears
the rp_filter flag for all interfaces.
12) When LOG_MARTIANS=Yes in shorewall.conf, Shorewall no longer clears
the log_martians flag for all interfaces.
13) Thanks to Steven Springl, various problems with ICMP rules have
been corrected.
Other changes in Shorewall 3.9.2
1) A LOCKFILE option has been added to shorewall.conf. This file is
used to serialize updates to the active firewall configuration.
If not specified, the defaults are:
Shorewall - /var/lib/shorewall/lock
Shorewall Lite - /var/lib/shorewall-lite/lock
2) A new IPPserver macro has been added for CUPS print servers.
Migration Considerations: Migration Considerations:

13
Shorewall-perl/Shorewall/Chains.pm
View File

@ -644,9 +644,9 @@ sub do_proto( $$$ )
if ( $proto ) { if ( $proto ) {
if ( $proto =~ /^(tcp|udp|6|17)$/i ) { if ( $proto =~ /^(tcp|udp|6|17)$/i ) {
$output = "-p $proto "; $output = "-p $proto ";
if ( $ports ) {
my @ports = split /,/, $ports; my @ports = split /,/, $ports;
my $count = @ports; my $count = @ports;
if ( $count ) {
if ( $count > 1 ) { if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT}; fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
@ -666,9 +666,9 @@ sub do_proto( $$$ )
} }
} }
if ( $sports ) { @ports = split /,/, $sports;
my @ports = split /,/, $sports; $count = @ports;
my $count = @ports; if ( $count ) {
if ( $count > 1 ) { if ( $count > 1 ) {
fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT}; fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
@ -693,16 +693,17 @@ sub do_proto( $$$ )
fatal_error 'Multiple ICMP types are not permitted' if $count > 1; fatal_error 'Multiple ICMP types are not permitted' if $count > 1;
$output .= "-p icmp "; $output .= "-p icmp ";
$output .= "--icmp-type $ports " if $count; $output .= "--icmp-type $ports " if $count;
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne ""; fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) { } elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
require_capability( 'IPP2P' , 'PROTO = ipp2p' ); require_capability( 'IPP2P' , 'PROTO = ipp2p' );
$proto = $2 ? $3 : 'tcp'; $proto = $2 ? $3 : 'tcp';
$ports = 'ipp2p' unless $ports; $ports = 'ipp2p' unless $ports;
$output .= "-p $proto -m ipp2p --$ports "; $output .= "-p $proto -m ipp2p --$ports ";
} else { } else {
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $proto, rule \"$line\"" if $ports ne '' || $sports ne '';
$output .= "-p $proto "; $output .= "-p $proto ";
} }
} elsif ( $ports || $sports ) { } elsif ( $ports ne '' || $sports ne '' ) {
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO, rule \"$line\"" fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO, rule \"$line\""
} }