Flag dynamically added host groups in /var/lib/shorewall/zones
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6344 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
3aec0bd800
commit
e80887169f
@ -1,5 +1,11 @@
|
|||||||
Changes in 3.9.8
|
Changes in 3.9.8
|
||||||
|
|
||||||
|
1) Fix add/delete <interface>.
|
||||||
|
|
||||||
|
2) Fix do_proto() and 'use IPConfig' in Providers.pm.
|
||||||
|
|
||||||
|
3) Implement dynamic host group detection.
|
||||||
|
|
||||||
Changes in 3.9.7
|
Changes in 3.9.7
|
||||||
|
|
||||||
1) Clean up release notes.
|
1) Clean up release notes.
|
||||||
|
@ -390,7 +390,7 @@ validate_interfaces_file() {
|
|||||||
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
|
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
error_message "WARNING: Invalid option ($option) in record \"$r\""
|
[ $PROGRAM = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\""
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
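Review bot: The new guard tests `$PROGRAM` unquoted, so if that variable is unset or empty the command becomes `[ = compiler ]`, which `[` rejects with a syntax error on stderr and a non-zero status, and the warning is silently lost; write it as `[ "$PROGRAM" = compiler ] && error_message "WARNING: Invalid option ($option) in record \"$r\""`. Whether `$PROGRAM` is guaranteed to be set before validate_interfaces_file() runs cannot be seen from the hunk; if it is, a one-line comment stating why the warning is compiler-only (presumably because the compiled script was already validated) would help the next reader. validate_interfaces_file() starts and ends outside the hunk.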
@ -126,9 +126,9 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
for h in $hostlist; do
|
for h in $hostlist; do
|
||||||
list_search $h $hosts
|
list_search +$h $hosts
|
||||||
if [ "$?" -gt 0 ]; then
|
if [ "$?" -gt 0 ]; then
|
||||||
newhostlist="$newhostlist $h"
|
newhostlist="$newhostlist +$h"
|
||||||
else
|
else
|
||||||
error_message "$h already in zone $zone"
|
error_message "$h already in zone $zone"
|
||||||
fi
|
fi
|
||||||
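Review bot: The duplicate check now searches only for the dynamic form `+$h`, so a host that is already a permanent member of `$zone` (present in `$hosts` without the plus sign) is no longer reported as "already in zone" and is appended to `newhostlist` as `+$h`, unless the case arm above, which lies outside the hunk, already filters such hosts. delete_from_zone() in this same commit tells the two forms apart and refuses to remove a permanent member, so add_to_zone() should make the symmetric check before the `+$h` search, e.g. `list_search $h $hosts && startup_error "$h is a permanent member of zone $zone"` if list_search returns 0 on a hit, as the existing `$?` test suggests. The enclosing for loop and add_to_zone() continue outside the hunk.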
@ -155,6 +155,7 @@ add_to_zone() # $1...${n-1} = <interface>[:<hosts>] $n = zone
|
|||||||
# Isolate interface and host parts
|
# Isolate interface and host parts
|
||||||
#
|
#
|
||||||
interface=${newhost%%:*}
|
interface=${newhost%%:*}
|
||||||
|
interface=${interface#+}
|
||||||
host=${newhost#*:}
|
host=${newhost#*:}
|
||||||
#
|
#
|
||||||
# If the zone passed in the command has a dnat chain then insert a rule in
|
# If the zone passed in the command has a dnat chain then insert a rule in
|
||||||
@ -308,19 +309,25 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
for host in $hostlist; do
|
for host in $hostlist; do
|
||||||
found=
|
found=
|
||||||
for h in $temp; do
|
for h in $temp; do
|
||||||
if [ "$h" = "$host" ]; then
|
if [ "$h" = "+$host" ]; then
|
||||||
found=Yes
|
found=Yes
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$h" = "$host" ]; then
|
||||||
|
found=No
|
||||||
|
break
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
[ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
|
[ -n "$found" ] || error_message "WARNING: $host does not appear to be in zone $zone"
|
||||||
|
[ "$found" = No ] && startup_error "$host is a permanent member of zone $zone"
|
||||||
done
|
done
|
||||||
|
|
||||||
for h in $temp; do
|
for h in $temp; do
|
||||||
found=
|
found=
|
||||||
for host in $hostlist; do
|
for host in $hostlist; do
|
||||||
if [ "$h" = "$host" ]; then
|
if [ "$h" = "+$host" ]; then
|
||||||
found=Yes
|
found=Yes
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
Shorewall 3.9.7
|
Shorewall 3.9.8
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
R E L E A S E H I G H L I G H T S
|
R E L E A S E H I G H L I G H T S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
@ -15,74 +15,45 @@ Shorewall 3.9.7
|
|||||||
You must install Shorewall and at least one of the compiler packages
|
You must install Shorewall and at least one of the compiler packages
|
||||||
(you may install them both).
|
(you may install them both).
|
||||||
|
|
||||||
Problems corrected in 3.9.7.
|
Problems corrected in 3.9.8.
|
||||||
|
|
||||||
1) Several problems relating to exclusion in the hosts file have been
|
1) The commands "shorewall add/delete <interface> <zone>" no longer
|
||||||
corrected.
|
case lots of error messages to be issued.
|
||||||
|
|
||||||
Symptoms included:
|
2) A port list in a SOURCE PORT(S) column now works when the DEST
|
||||||
|
PORT(S) list is empty.
|
||||||
|
|
||||||
Access to an undefined value at Rules.pm line 1656.
|
3) A run-time error no longer occurs when an IP address is specified
|
||||||
Incorrect rule generation.
|
in the GATEWAY column of /etc/shorewall/providers.
|
||||||
|
|
||||||
2) Specifying 'maclist' in the hosts file's OPTION column now works.
|
Other changes in Shorewall 3.9.8.
|
||||||
|
|
||||||
3) A number of problems with handling the hosts file have been
|
1) The "shorewall show zones" command now flags zone members that have
|
||||||
corrected. These problems are characterized by Perl run-time
|
been added using "shorewall add" by preceding them with a plus sign
|
||||||
errors and incorrect rules, including:
|
("+").
|
||||||
|
|
||||||
- Not an ARRAY reference at
|
Example:
|
||||||
/usr/share/shorewall-perl/Shorewall/Rules.pm line 1420.
|
|
||||||
|
|
||||||
- -A eth0_fwd -s 192.168.0.0/24-m policy --dir in --pol ipsec -j
|
Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
|
||||||
HASH(0x8345924)->n{name}
|
|
||||||
|
|
||||||
4) A value of 'detect' in the GATEWAY column of the providers file no
|
fw (firewall)
|
||||||
longer generates an error during [re]start.
|
net (ipv4)
|
||||||
|
eth0:0.0.0.0/0
|
||||||
|
loc (ipv4)
|
||||||
|
br0:0.0.0.0/0
|
||||||
|
eth4:0.0.0.0/0
|
||||||
|
eth5:0.0.0.0/0
|
||||||
|
+eth1:0.0.0.0/0
|
||||||
|
dmz (ipv4)
|
||||||
|
eth3:0.0.0.0/0
|
||||||
|
vpn (ipv4)
|
||||||
|
tun+:0.0.0.0/0
|
||||||
|
|
||||||
5) The command 'shorewall check -p' resulted in an indefinite loop.
|
In the above output, "eth1:0.0.0.0/0" was dynamically added to the
|
||||||
|
'loc' zone. As part of this change, "shorewall delete" will only
|
||||||
6) A number of problems having to do with SECTIONs in the rules file
|
delete entries that have been added dynamically. In earlier
|
||||||
have been corrected.
|
versions, any entry could be deleted although the ruleset was only
|
||||||
|
changed by deleting entries that had been added dynamically.
|
||||||
7) The mss zone option now works correctly.
|
|
||||||
|
|
||||||
8) The LOGBURST and LOGLIMIT options in shorewall.conf now work
|
|
||||||
correctly
|
|
||||||
|
|
||||||
9) Previously, COMMENT lines could result in invalid iptables-restore
|
|
||||||
input being generated. The quote marks around the comment string
|
|
||||||
were being removed during iptables-restore input generation.
|
|
||||||
|
|
||||||
Other changes in Shorewall 3.9.7.
|
|
||||||
|
|
||||||
1) Shorewall-perl now validates all IP addresses and addresses ranges
|
|
||||||
in rules. DNS names are resolved and an error is issued for any
|
|
||||||
name that cannot be resolved.
|
|
||||||
|
|
||||||
2) Shorewall-perl now checks configuration files for the presense of
|
|
||||||
characters that can cause problems if they are allowed into the
|
|
||||||
generated firewall script:
|
|
||||||
|
|
||||||
- Double Quotes. These are prohibited except in the
|
|
||||||
shorewall.conf and params files.
|
|
||||||
|
|
||||||
- Single Quotes. These are prohibited except in the
|
|
||||||
shorewall.conf and params files and in COMMENT lines.
|
|
||||||
|
|
||||||
- Single back quotes. These are prohibited except in the
|
|
||||||
shorewall.conf and params files.
|
|
||||||
|
|
||||||
- Backslash. Probibited except as the last character on a line to
|
|
||||||
denote line continuation.
|
|
||||||
|
|
||||||
3) Macros may now invoke other macros with the restriction that such
|
|
||||||
macros may not be invoked within an action body.
|
|
||||||
|
|
||||||
When marcros are invoked recursively, the parameter passed to an
|
|
||||||
invocation are automatically propagated to lower level macros.
|
|
||||||
|
|
||||||
Macro invocations may be nested to a maximum level of 5.
|
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
@ -458,6 +429,35 @@ Migration Considerations:
|
|||||||
bi-directional macro definitions which use these as names as key
|
bi-directional macro definitions which use these as names as key
|
||||||
words.
|
words.
|
||||||
|
|
||||||
|
9) Shorewall-perl now validates all IP addresses and addresses ranges
|
||||||
|
in rules. DNS names are resolved and an error is issued for any
|
||||||
|
name that cannot be resolved.
|
||||||
|
|
||||||
|
10) Shorewall-perl now checks configuration files for the presense of
|
||||||
|
characters that can cause problems if they are allowed into the
|
||||||
|
generated firewall script:
|
||||||
|
|
||||||
|
- Double Quotes. These are prohibited except in the
|
||||||
|
shorewall.conf and params files.
|
||||||
|
|
||||||
|
- Single Quotes. These are prohibited except in the
|
||||||
|
shorewall.conf and params files and in COMMENT lines.
|
||||||
|
|
||||||
|
- Single back quotes. These are prohibited except in the
|
||||||
|
shorewall.conf and params files.
|
||||||
|
|
||||||
|
- Backslash. Probibited except as the last character on a line to
|
||||||
|
denote line continuation.
|
||||||
|
|
||||||
|
11) Under Shorewall-perl, macros may now invoke other macros with the
|
||||||
|
restriction that such macros may not be invoked within an action
|
||||||
|
body.
|
||||||
|
|
||||||
|
When marcros are invoked recursively, the parameter passed to an
|
||||||
|
invocation are automatically propagated to lower level macros.
|
||||||
|
|
||||||
|
Macro invocations may be nested to a maximum level of 5.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
P R E R E Q U I S I T E S
|
P R E R E Q U I S I T E S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|