More revert conflicts
parent
bab4f9df33
commit
f88048ebe4
@ -139,6 +139,8 @@ DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
@ -139,6 +139,8 @@ DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
@ -146,6 +146,8 @@ DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
@ -407,6 +407,9 @@ sub generate_script_3($) {
|
||||
' rm -f ${VARDIR}/nat',
|
||||
"fi\n" );
|
||||
}
|
||||
|
||||
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
|
||||
|
||||
} else {
|
||||
emit ( '#',
|
||||
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
|
||||
|
@ -188,7 +188,7 @@ our %config;
|
||||
#
|
||||
# Config options and global settings that are to be copied to object script
|
||||
#
|
||||
our @propagateconfig = qw/ MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
|
||||
our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
|
||||
our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
|
||||
#
|
||||
# From parsing the capabilities file or detecting capabilities
|
||||
@ -2306,8 +2306,7 @@ sub get_configuration( $ ) {
|
||||
|
||||
default_yes_no 'ADMINISABSENTMINDED' , '';
|
||||
default_yes_no 'BLACKLISTNEWONLY' , '';
|
||||
|
||||
warning_message 'DISABLE_IPV6=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DISABLE_IPV6};
|
||||
default_yes_no 'DISABLE_IPV6' , '';
|
||||
|
||||
unsupported_yes_no 'DYNAMIC_ZONES';
|
||||
unsupported_yes_no 'BRIDGING';
|
||||
|
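Review bot: `default_yes_no 'DISABLE_IPV6' , '';` appears to make the option default to off, so a shorewall.conf that lacks the line gets no IPv6 lockdown, while the sample configurations shown on this page carry `DISABLE_IPV6=Yes`. The `warning_message` line in this hunk looks like the removed side, so nothing tells the administrator which of the two applies. A comment stating the default would help, for example `# Off when absent: existing configurations keep their IPv6 behaviour; the shipped shorewall.conf sets Yes`. get_configuration starts and ends outside the hunk.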
@ -31,6 +31,14 @@ clear_firewall() {
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
if [ -n "$DISABLE_IPV6" ]; then
|
||||
if qt mywhich ip6tables; then
|
||||
ip6tables -P INPUT ACCEPT 2> /dev/null
|
||||
ip6tables -P OUTPUT ACCEPT 2> /dev/null
|
||||
ip6tables -P FORWARD ACCEPT 2> /dev/null
|
||||
fi
|
||||
fi
|
||||
|
||||
run_clear_exit
|
||||
|
||||
set_state "Cleared"
|
||||
|
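Review bot: The added block in clear_firewall tests `[ -n "$DISABLE_IPV6" ]`, which is true for any non-empty value, so it relies on the compiler writing an empty string into the script when the option is No. That is presumably what `default_yes_no` and `@propagateconfig` arrange, but nothing in this hunk says so; a comment such as `# DISABLE_IPV6 is empty unless the option was Yes at compile time` would make the dependency explicit. The block resets only the three policies and sends errors to /dev/null, so the `lo` ACCEPT rules appended by disable_ipv6 stay in place and a failed policy change goes unreported; both are harmless for 'clear' but worth a one-line comment. clear_firewall starts before the hunk and continues after it.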
@ -853,6 +853,28 @@ detect_gateway() # $1 = interface
|
||||
[ -n "$gateway" ] && echo $gateway
|
||||
}
|
||||
|
||||
#
|
||||
# Disable IPV6
|
||||
#
|
||||
disable_ipv6() {
|
||||
local foo
|
||||
foo="$($IP -f inet6 addr list 2> /dev/null)"
|
||||
|
||||
if [ -n "$foo" ]; then
|
||||
if qt mywhich ip6tables; then
|
||||
ip6tables -P FORWARD DROP
|
||||
ip6tables -P INPUT DROP
|
||||
ip6tables -P OUTPUT DROP
|
||||
ip6tables -F
|
||||
ip6tables -X
|
||||
ip6tables -A OUTPUT -o lo -j ACCEPT
|
||||
ip6tables -A INPUT -i lo -j ACCEPT
|
||||
else
|
||||
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Function to truncate a string -- It uses 'cut -b -<n>'
|
||||
# rather than ${v:first:last} because light-weight shells like ash and
|
||||
# dash do not support that form of expansion.
|
||||
|
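Review bot: disable_ipv6 fails open in three places: it does nothing when `$IP -f inet6 addr list` prints nothing at the moment it runs, it only prints a WARNING when ip6tables is not found, and it never checks the exit status of the `ip6tables -P ... DROP` calls. In each case the script carries on and, as far as this hunk shows, IPv6 stays unfiltered although the administrator set DISABLE_IPV6=Yes; an address that appears after the one-time check is the least visible case. I would report a failed policy change, e.g. `ip6tables -P INPUT DROP || error_message "WARNING: could not set the ip6tables INPUT policy to DROP"`, and either drop the address test or add a comment saying why the lockdown is skipped when no inet6 address is listed. The local `foo` deserves a descriptive name such as `addresses`.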
@ -1,8 +1,6 @@
|
||||
Changes in Shorewall 4.4.0-Beta4
|
||||
|
||||
1) Delete DISABLE_IPV6.
|
||||
|
||||
2) Add more macros.
|
||||
1) Add more macros.
|
||||
|
||||
Changes in Shorewall 4.4.0-Beta3
|
||||
|
||||
|
@ -137,6 +137,8 @@ DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
DYNAMIC_ZONES=No
|
||||
|
@ -109,17 +109,33 @@ Shorewall 4.4.0 Beta 4
|
||||
As part of this change, the fallback.sh scripts are no longer
|
||||
released.
|
||||
|
||||
9) The DISABLE_IPV6 option has been removed from Shorewall.conf. If
|
||||
you need to control IPV6 traffic, install Shorewall6.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 4
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 3
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) The BGP and OSFP macros released in Beta 3 contained rules to allow
|
||||
administrative access to the related routing daemons. Those rules
|
||||
have been deleted.
|
||||
|
||||
2) Previously, if Address Type Match was not available and an
|
||||
interface on the firewall was (mis-)configured as shown below, then
|
||||
REJECT policies in Shorewall-perl would drop packets addressed to
|
||||
the interface rather than reject them.
|
||||
|
||||
3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 ...
|
||||
inet 127.0.0.1/32 scope host venet0
|
||||
inet 206.124.146.176/32 brd 206.124.146.176 ...
|
||||
|
||||
Note that a /32 should never be configured with a broadcast
|
||||
address.
|
||||
|
||||
3) Due to a syntax ambiguity arising from the new dynamic zone
|
||||
implementation, 'shorewall show dynamic' produced no output. It now
|
||||
shows the contents of the dynamic blacklist as in earlier
|
||||
Shorewall releases.
|
||||
|
||||
4) The 'findgw' script produced an error if VERBOSITY > 0.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
K N O W N P R O B L E M S R E M A I N I N G
|
||||
----------------------------------------------------------------------------
|
||||
@ -138,7 +154,7 @@ None.
|
||||
macro.RIPbi
|
||||
macro.mDNS
|
||||
|
||||
---------------------------------------------------------------------------
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S IN 4 . 4
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
@ -767,16 +783,3 @@ None.
|
||||
26) A new extension script, 'lib.private' has been added. This file is
|
||||
intended to include declarations of shell functions that will be
|
||||
called by the other run-time extension scripts.
|
||||
|
||||
27) Three new macros have been contributed by Alex Wilms.
|
||||
|
||||
macro.BGP
|
||||
macro.Citrix
|
||||
macro.OSPF
|
||||
macro.Razor
|
||||
|
||||
28) The Shorewall compiler now checks for availability of the LOG
|
||||
target if the configuration does any logging. This change involves
|
||||
a new version of the capabilities file so users employing a
|
||||
capabilties file should re-generate that file before trying to
|
||||
start/restart Shorewall.
|
||||
|