From e4433f4b8f695500d28249909de07332a05f5441 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 18 Aug 2005 20:18:08 +0000 Subject: [PATCH] Remove documentation for find_interface_by_mac() git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2521 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 4 +--- Shorewall/firewall | 13 +++++++++++-- Shorewall/policy | 6 ++++++ Shorewall/releasenotes.txt | 33 --------------------------------- 4 files changed, 18 insertions(+), 38 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 08341ed0a..c4d7eaa73 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -7,9 +7,7 @@ Changes in 2.5.3 3) Set COMMAND=restore in restore-base. -4) Implement find_interface_by_mac() - -5) Allow exclusion lists in actions. +4) Allow exclusion lists in actions. Changes in 2.5.2 diff --git a/Shorewall/firewall b/Shorewall/firewall index dca174ef8..751f30f72 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1406,6 +1406,14 @@ validate_policy() ALL_POLICY_CHAINS= + for zone in $ZONES $FW; do + chain=${zone}2${zone} + eval ${chain}_is_policy=Yes + eval ${chain}_is_optional=Yes + eval ${chain}_policy=ACCEPT + ALL_POLICY_CHAINS="$ALL_POLICY_CHAINS $chain" + done + strip_file policy while read client server policy loglevel synparams; do @@ -1472,7 +1480,7 @@ validate_policy() chain=${client}2${server} if is_policy_chain $chain ; then - startup_error "Duplicate policy $policy" + startup_error "Duplicate policy: $client $server $policy" fi [ "x$loglevel" = "x-" ] && loglevel= @@ -7724,6 +7732,7 @@ apply_policy_rules() { eval loglevel=\$${chain}_loglevel eval synparams=\$${chain}_synparams eval epolicy=\$${chain}_epolicy + eval optional=\$${chain}_is_optional [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel 
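Review bot: The loop added at the top of validate_policy() gives every zone in `$ZONES $FW` a pre-defined `${zone}2${zone}` policy of ACCEPT, a rule-set behaviour change that neither the commit subject (documentation removal) nor the changelog.txt hunk in this patch records. Traffic between hosts of one zone now has a fixed ACCEPT policy which, per the text added to Shorewall/policy, cannot be changed from the policy file, so it deserves its own changelog and release-note entry. I would also put a comment above the loop, such as `# Intra-zone policies are pre-defined as ACCEPT and optional; apply_policy_rules() does not create a missing optional chain`. The `eval ${chain}_is_policy=Yes` style assignments depend on zone names being valid shell identifiers, which is presumably checked where the zones file is read, outside this hunk. validate_policy() starts and ends outside the hunk.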
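Review bot: The reworded message `"Duplicate policy: $client $server $policy"` will presumably also be what an administrator sees for a single explicit intra-zone entry, because the first firewall hunk now sets `${chain}_is_policy=Yes` for every `${zone}2${zone}` before the policy file is read. This is inferred, since is_policy_chain is defined outside the hunk. A pair written once is not a duplicate from the administrator's point of view, so a dedicated check ahead of this one would be clearer, for example `[ "$client" = "$server" ] && startup_error "Intra-zone policy is pre-defined (ACCEPT): $client $server $policy"`. The surrounding loop body in validate_policy() extends beyond the hunk, so how wildcard entries reach this test is not visible here.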
@@ -7731,7 +7740,7 @@ apply_policy_rules() { [ "$epolicy" = ACCEPT ] && ordinal=2 || ordinal=3 [ -n "$synparams" ] && \ run_iptables -I $chain $ordinal -p tcp --syn -j @$chain - elif [ "$policy" != CONTINUE ]; then + elif [ -z "$optional" -a "$policy" != CONTINUE ]; then # # The chain doesn't exist. Create the chain and add policy # rules diff --git a/Shorewall/policy b/Shorewall/policy index 815c4aaf4..2eaecd34c 100644 --- a/Shorewall/policy +++ b/Shorewall/policy @@ -10,6 +10,12 @@ # source/destination pair, the file is processed in order until a # match is found ("all" will match any client or server). # +# INTRA-ZONE POLICIES ARE PRE-DEFINED +# +# For $FW and for all of the zoned defined in /etc/shorewall/zones, +# the POLICY for connections from the zone to itself is ACCEPT and may +# not be modified by entries in this file. +# # Columns are: # # SOURCE Source zone. Must be the name of a zone defined diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index c8174c298..b1df55613 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
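Review bot: The new condition `[ -z "$optional" -a "$policy" != CONTINUE ]` uses the `-a` operator of test, which POSIX marks obsolescent and which can misparse when an operand looks like an operator; `elif [ -z "$optional" ] && [ "$policy" != CONTINUE ]; then` is the unambiguous form. The comment below it still reads "The chain doesn't exist. Create the chain and add policy rules" and should say that optional (pre-defined intra-zone) chains are deliberately skipped, so this branch installs no chain or policy rule for them. It would also help to state which rule then handles intra-zone traffic when the chain is absent, because the patch does not show it. `$optional` is set by the `eval optional=\$${chain}_is_optional` line added in the previous hunk of apply_policy_rules(), whose body extends beyond both hunks.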
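Review bot: The comment added to Shorewall/policy has a typo: "all of the zoned defined" should read "all of the zones defined". The paragraph tells administrators that the intra-zone ACCEPT policy "may not be modified by entries in this file". One more sentence should say whether and where traffic inside a zone can be restricted instead, so that a reader who needs isolation within a zone knows the policy file is not the place to look.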
@@ -17,23 +17,6 @@ New Features in Shorewall 2.5.3 scripts. The value of this variable is sometimes of interest to programmers providing custom /etc/shorewall/tcstart scripts. -4) If you have problems with ethernet interfaces switching names when - your system is rebooted, you can now work around the problem. For - each interface, select a shell variable name and set the variable - to the value echoed by the 'find_interface_by_mac' function. - - Example: To set EXT_IF to the interface with MAC address - 00:02:e3:08:55:fa, in /etc/shorewall/params: - - EXT_IF=$(find_interface_by_mac 00:02:e3:08:55:fa) - - Now simply use $EXT_IF any time that you wish to refer to that - interface. - - WARNING: If you have this problem, you will not wish to use the - "-f" option in the Shorewall SysV init script (usually named - /etc/init.d/shorewall). - Problems Corrected in 2.5.2: 1) You may now include port lists in in the /etc/shorewall/accounting @@ -408,20 +391,4 @@ New Features in Shorewall 2.5.* scripts. The value of this variable is sometimes of interest to programmers providing custom /etc/shorewall/tcstart scripts. -14) If you have problems with ethernet interfaces switching names when - your system is rebooted, you can now work around the problem. For - each interface, select a shell variable name and set the variable - to the value echoed by the 'find_interface_by_mac' function. - - Example: To set EXT_IF to the interface with MAC address - 00:02:e3:08:55:fa, in /etc/shorewall/params: - - EXT_IF=$(find_interface_by_mac 00:02:e3:08:55:fa) - - Now simply use $EXT_IF any time that you wish to refer to that - interface. - - WARNING: If you have this problem, you will not wish to use the - "-f" option in the Shorewall SysV init script (usually named - /etc/init.d/shorewall).