holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Deprecate IMPLICIT_CONTINUE=Yes with warning message

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8229 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-02-24 16:33:46 +00:00
parent d413d6623a
commit e0a9add260
8 changed files with 53 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Samples/one-interface/shorewall.conf
View File

@ -160,7 +160,7 @@ MAPOLDACTIONS=No
FASTACCEPT=No FASTACCEPT=No
IMPLICIT_CONTINUE=Yes IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No HIGH_ROUTE_MARKS=No

2
Samples/three-interfaces/shorewall.conf
View File

@ -162,7 +162,7 @@ MAPOLDACTIONS=No
FASTACCEPT=No FASTACCEPT=No
IMPLICIT_CONTINUE=Yes IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No HIGH_ROUTE_MARKS=No

2
Samples/two-interfaces/shorewall.conf
View File

@ -160,7 +160,7 @@ MAPOLDACTIONS=No
FASTACCEPT=No FASTACCEPT=No
IMPLICIT_CONTINUE=Yes IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No HIGH_ROUTE_MARKS=No

4
Shorewall-common/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in 4.1.6
1) Deprecate IMPLICIT_CONTINUE=Yes
Changes in 4.1.5 Changes in 4.1.5
1) More ruleset optimization. 1) More ruleset optimization.

114
Shorewall-common/releasenotes.txt
View File

@ -62,84 +62,17 @@ Migration Issues.
b) Explicitly set LOG_MARTIONS=No to maintain compatibility with b) Explicitly set LOG_MARTIONS=No to maintain compatibility with
prior versions of Shorewall. prior versions of Shorewall.
5) IMPLICIT_CONTINUE=Yes is now deprecated and a warning message is
issued if you have that setting and nested zones are defined in
/etc/shorewall/shorewall.conf. The warning may be eliminated by
setting IMPLICIT_CONTINUE=No and adding explicit CONTINUE policies
where needed.
Problems corrected in 4.1.5. Problems corrected in 4.1.5.
1) An optimization added to Shorewall-shell in 4.0.0 has been backed None.
out to work around a limitation of Busybox 'sed'.
2) Previously, Shorewall would accept both an interface and an IP New Features in 4.1.6.
address in tcrules POSTROUTING entries (such as CLASSIFY).
Example:
1:11 eth1:192.168.4.9 - tcp 22
It also allows both a destination interface and address.
Example:
1:P - eth1:192.168.4.9 tcp 22
Because Netfilter does not allow an input interface to be specified
in POSTROUTING or an output interface to be specified in
PREROUTING, Shorewall must use the routing table to generate a list
of networks accessed through any interface specified in these
cases. Given that a specific address (or set of addresses) has
already been specified, it makes no sense qualify it (them) by
another list of addresses.
3) Shorewall-perl incorrectly generated a fatal error when ':C',
':T' or ':CT' was used in a tcrules entry that gave $FW as the
SOURCE.
New Features in 4.1.5.
1) The need for interface-specific chains (such as eth0_in, eth4_fwd,
etc.) in the filter table has been drastically reduced. This has
the effect of reducing the average number of rules that each packet
must traverse.
2) The default value for LOG_MARTIANS is now 'Yes' ('On' in
Shorewall-perl). Previously, the default value was 'No' ('Off' in
Shorewall-perl). The shorewall.conf file has also been
updated to specify a value of 'Yes' (which is interpreted as 'On'
by Shorewall-perl).
3) The /usr/share/shorewall/modules file has been updated to reflect
module renaming in kernel 2.6.25.
4) Some users are experiencing 'File Exists' errors when Shorewall
executes 'ip route replace' commands. I consider this a bug in
either kernel 2.6.24 or in iproute2 but until the issue is
resolved, I've added a hack to work around the problem.
If you are experiencing these problems then add the following line
to your shorewall.conf file:
BROKEN_ROUTING=Yes
Note: This hack is only available in Shorewall-perl.
4) Shorewall-perl now generates an error when a MAC address appears in
a traffic shaping rule in the OUTPUT or POSTROUTING chains.
5) Macros are now self-commenting under control of a new AUTO_COMMENT
option in shorewall.conf. When this option is set, if there is not
a current comment when a macro is invoked, the behavior under
Shorewall-perl is as if the first line of the macro file was
"COMMENT <macro name>".
So, if you have this rule:
SSH/ACCEPT loc fw
then the generated netfilter rule will include "/* SSH */" when
viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
dump'.
The AUTO_COMMENT option has a default value of 'Yes' and is only
available under Shorewall-perl The option is ignored by
Shorewall-shell.
New Features in Shorewall 4.1. New Features in Shorewall 4.1.
@ -564,4 +497,35 @@ New Features in Shorewall 4.1.
filter chain per zone but in most cases, the average number of filter chain per zone but in most cases, the average number of
filter rules traversed by a connection request will be reduced. filter rules traversed by a connection request will be reduced.
20) The need for interface-specific chains (such as eth0_in, eth4_fwd,
etc.) in the filter table has been drastically reduced. This has
the effect of reducing the average number of rules that each packet
must traverse.
21) The default value for LOG_MARTIANS is now 'Yes' ('On' in
Shorewall-perl). Previously, the default value was 'No' ('Off' in
Shorewall-perl). The shorewall.conf file has also been
updated to specify a value of 'Yes' (which is interpreted as 'On'
by Shorewall-perl).
22) Shorewall-perl now generates an error when a MAC address appears in
a traffic shaping rule in the OUTPUT or POSTROUTING chains.
23) Macros are now self-commenting under control of a new AUTO_COMMENT
option in shorewall.conf. When this option is set, if there is not
a current comment when a macro is invoked, the behavior under
Shorewall-perl is as if the first line of the macro file was
"COMMENT <macro name>".
So, if you have this rule:
SSH/ACCEPT loc fw
then the generated netfilter rule will include "/* SSH */" when
viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
dump'.
The AUTO_COMMENT option has a default value of 'Yes' and is only
available under Shorewall-perl The option is ignored by
Shorewall-shell.

2
Shorewall-common/shorewall.conf
View File

@ -159,7 +159,7 @@ MAPOLDACTIONS=No
FASTACCEPT=No FASTACCEPT=No
IMPLICIT_CONTINUE=Yes IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No HIGH_ROUTE_MARKS=No

3
Shorewall-perl/Shorewall/Policy.pm
View File

@ -173,6 +173,8 @@ sub validate_policy()
my $zone; my $zone;
my $warned = 0;
for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ { for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
my $action = $config{$option}; my $action = $config{$option};
next if $action eq 'none'; next if $action eq 'none';
@ -196,6 +198,7 @@ sub validate_policy()
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL ); push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) { if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
warning_message "IMPLICT_CONTINUE=Yes is deprecated" unless $warned++;
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
unless( $zone eq $zone1 ) { unless( $zone eq $zone1 ) {
add_or_modify_policy_chain( $zone, $zone1 ); add_or_modify_policy_chain( $zone, $zone1 );

3
Shorewall-shell/compiler
View File

@ -481,6 +481,8 @@ validate_policy()
ALL_POLICY_CHAINS= ALL_POLICY_CHAINS=
warned=
for zone in $ZONES $FW; do for zone in $ZONES $FW; do
chain=${zone}2${zone} chain=${zone}2${zone}
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
@ -492,6 +494,7 @@ validate_policy()
if [ -n "$IMPLICIT_CONTINUE" ]; then if [ -n "$IMPLICIT_CONTINUE" ]; then
eval parents=\$${zone}_parents eval parents=\$${zone}_parents
if [ -n "$parents" ]; then if [ -n "$parents" ]; then
[ -z "$warned" ] && error_message "WARNING: IMPLICIT_CONTINUE=Yes is deprecated" && warned=Yes
for zone1 in $ZONES $FW; do for zone1 in $ZONES $FW; do
if [ $zone != $zone1 ]; then if [ $zone != $zone1 ]; then
chain=${zone}2${zone1} chain=${zone}2${zone1}