diff --git a/Shorewall/Shorewall/Rules.pm b/Shorewall/Shorewall/Rules.pm
index bef7870c3..d2d83dd73 100644
--- a/Shorewall/Shorewall/Rules.pm
+++ b/Shorewall/Shorewall/Rules.pm
@@ -314,7 +314,7 @@ sub setup_blacklist() {
 if ( $first_entry ) {
 unless ( @$hosts ) {
- warning_message q(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
+ warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
 close_file;
 last BLACKLIST;
 }
diff --git a/Shorewall/Shorewall/Zones.pm b/Shorewall/Shorewall/Zones.pm
index b2c77cbf1..eee498c3d 100644
--- a/Shorewall/Shorewall/Zones.pm
+++ b/Shorewall/Shorewall/Zones.pm
@@ -600,8 +600,8 @@ sub validate_interfaces_file( $ )
 ENUM_IF_OPTION => 3,
 NUMERIC_IF_OPTION => 4,
 OBSOLETE_IF_OPTION => 5,
+ IPLIST_IF_OPTION => 6,
 MASK_IF_OPTION => 7,
-
 IF_OPTION_ZONEONLY => 8 };
 my %validoptions;
@@ -615,6 +615,7 @@ sub validate_interfaces_file( $ )
 dhcp => SIMPLE_IF_OPTION,
 maclist => SIMPLE_IF_OPTION,
 logmartians => BINARY_IF_OPTION,
+ nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
 norfc1918 => SIMPLE_IF_OPTION,
 nosmurfs => SIMPLE_IF_OPTION,
 optional => SIMPLE_IF_OPTION,
@@ -650,6 +651,8 @@ sub validate_interfaces_file( $ )
 while ( read_a_line ) {
+ my $nets;
+
 if ( $first_entry ) {
 progress_message2 "$doing $fn...";
 $first_entry = 0;
@@ -737,7 +740,7 @@ sub validate_interfaces_file( $ )
 if ( $options ) {
- for my $option (split_list $options, 'option' ) {
+ for my $option (split_list1 $options, 'option' ) {
 next if $option eq '-';
 ( $option, my $value ) = split /=/, $option;
@@ -776,6 +779,13 @@ sub validate_interfaces_file( $ )
 my $numval = numeric_value $value;
 fatal_error "Invalid value ($value) for option $option" unless defined $numval;
 $options{$option} = $numval;
+ } elsif ( $type == IPLIST_IF_OPTION ) {
+ fatal_error "The $option option requires a value" unless defined $value;
+ fatal_error "Duplicate $option option" if $nets;
+ $value =~ s/\)$// if $value =~ s/^\(//;
+ $value = join ',' , ALLIP , $value if $value =~ /^!/;
+ $nets = [ split_list $value, 'address' ];
+ $options{broadcast} = 1;
 } else {
 warning_message "Support for the $option interface option has been removed from Shorewall-perl";
 }
@@ -803,9 +813,9 @@ sub validate_interfaces_file( $ )
 push @ifaces, $interface;
- my @networks = allip;
+ $nets = [ allip ] unless $nets;
- add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone;
+ add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $optionsref ) if $zone;
 $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index c6132f835..ba8bb06ed 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,2 +1,9 @@
 Changes in Shorewall 4.3.5
+1) Remove support for shorewall-shell.
+
+2) Combine shorewall-common and shorewall-perl to product shorewall.
+
+3) Add nets= OPTION in interfaces file.
+
+
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 29d806880..3157e9f8f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
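Review bot: The parenthesis stripping added in the IPLIST_IF_OPTION branch, `$value =~ s/\)$// if $value =~ s/^\(//;`, never checks whether the closing substitution matched, so an unbalanced value such as nets=(10.0.0.0/8 is accepted and the remainder is handed to split_list as if it were a well-formed list; for a firewall zone definition a silently mis-parsed list is worse than a hard failure. Making the close mandatory once an open was seen is a two-line change: `if ( $value =~ s/^\(// ) { fatal_error "Invalid value ($value) for option $option" unless $value =~ s/\)$//; }`. Separately, `$nets = [ split_list $value, 'address' ]` assigns an array reference, which is true even when the list is empty, so the fallback `$nets = [ allip ] unless $nets` in the -803 hunk will not restore allip for nets=(); whether split_list itself rejects an empty list is not visible here, so an explicit `fatal_error "The $option option requires a value" unless @$nets;` after the split would make the outcome independent of that helper. The enclosing option loop begins in the preceding hunk and validate_interfaces_file continues past this one.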
@@ -4,6 +4,13 @@ Shorewall 4.3.5
 R E L E A S E 4 . 4 H I G H L I G H T S
 ----------------------------------------------------------------------------
+1) Support for Shorewall-shell has been discontinued. Shorewall-perl
+ has been combined with Shorewall-common to produce a single
+ Shorewall package.
+
+2) The interfaces file OPTIONs have been extended to largely remove the
+ need for the hosts file.
+
 Problems corrected in 4.3.5
 None.
@@ -14,3 +21,60 @@ None.
 New Features in Shorewall 4.3.5
+New Features in Shorewall 4.4
+
+1) The Shorewall packaging has been completely revamped in Shorewall
+ 4.4.
+
+ The new packages are:
+
+ - Shorewall. Includes the former Shorewall-common and
+ Shorewall-perl packages. Includes everything needed
+ to create an IPv4 firewall.
+
+ - Shorewall6. Requires Shorewall. Adds the components necessary to
+ create an IPv6 firewall.
+
+ - Shorewall-lite
+
+ May be installed on a firewall system to run
+ IPv4 firewall scripts generated by Shorewall.
+
+ - Shorewall6-lite
+
+ May be installed on a firewall system to run
+ IPv6 firewall scripts generated by Shorewall.
+
+2) The interfaces file supports a new 'nets=' option. This option
+ allows users to restrict a zone's definition to particular networks
+ through an interface without having to use the hosts file.
+
+ Example interfaces file:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+ loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
+ dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177
+ net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
+ net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
+ loc tun+ detect nets=172.20.0.0/24
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+ Note that when more than one network address is listed, the list
+ must be enclosed in parentheses. Notice also that exclusion may be
+ used.
+
+ The first entry in the above interfaces file is equivalent to the
+ following:
+
+ interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+ - eth0 detect dhcp,logmartians=1,routefilter=1
+
+ hosts:
+
+ #ZONE HOST(S) OPTIONS
+ loc $INT_IF:192.20.1.0/24 broadcast
+
+ Note that the 'broadcast' option is automatically assumed and need
+ not be explicitly specified.