holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

More revert conflicts

Browse Source
This commit is contained in:
Tom Eastep 2009-07-06 18:23:23 -07:00
parent bab4f9df33
commit f88048ebe4
10 changed files with 65 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Samples/one-interface/shorewall.conf
View File

@ -139,6 +139,8 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX= MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No

2
Samples/three-interfaces/shorewall.conf
View File

@ -139,6 +139,8 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX= MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No

2
Samples/two-interfaces/shorewall.conf
View File

@ -146,6 +146,8 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX= MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No

3
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -407,6 +407,9 @@ sub generate_script_3($) {
' rm -f ${VARDIR}/nat', ' rm -f ${VARDIR}/nat',
"fi\n" ); "fi\n" );
} }
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else { } else {
emit ( '#', emit ( '#',
'# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here', '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',

5
Shorewall/Perl/Shorewall/Config.pm
View File

@ -188,7 +188,7 @@ our %config;
# #
# Config options and global settings that are to be copied to object script # Config options and global settings that are to be copied to object script
# #
our @propagateconfig = qw/ MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /; our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /; our @propagateenv = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
# #
# From parsing the capabilities file or detecting capabilities # From parsing the capabilities file or detecting capabilities
@ -2306,8 +2306,7 @@ sub get_configuration( $ ) {
default_yes_no 'ADMINISABSENTMINDED' , ''; default_yes_no 'ADMINISABSENTMINDED' , '';
default_yes_no 'BLACKLISTNEWONLY' , ''; default_yes_no 'BLACKLISTNEWONLY' , '';
default_yes_no 'DISABLE_IPV6' , '';
warning_message 'DISABLE_IPV6=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DISABLE_IPV6};
unsupported_yes_no 'DYNAMIC_ZONES'; unsupported_yes_no 'DYNAMIC_ZONES';
unsupported_yes_no 'BRIDGING'; unsupported_yes_no 'BRIDGING';

8
Shorewall/Perl/prog.functions
View File

@ -31,6 +31,14 @@ clear_firewall() {
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -n "$DISABLE_IPV6" ]; then
if qt mywhich ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
ip6tables -P FORWARD ACCEPT 2> /dev/null
fi
fi
run_clear_exit run_clear_exit
set_state "Cleared" set_state "Cleared"

22
Shorewall/Perl/prog.header
View File

@ -853,6 +853,28 @@ detect_gateway() # $1 = interface
[ -n "$gateway" ] && echo $gateway [ -n "$gateway" ] && echo $gateway
} }
#
# Disable IPV6
#
disable_ipv6() {
local foo
foo="$($IP -f inet6 addr list 2> /dev/null)"
if [ -n "$foo" ]; then
if qt mywhich ip6tables; then
ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -F
ip6tables -X
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
fi
}
# Function to truncate a string -- It uses 'cut -b -<n>' # Function to truncate a string -- It uses 'cut -b -<n>'
# rather than ${v:first:last} because light-weight shells like ash and # rather than ${v:first:last} because light-weight shells like ash and
# dash do not support that form of expansion. # dash do not support that form of expansion.

4
Shorewall/changelog.txt
View File

@ -1,8 +1,6 @@
Changes in Shorewall 4.4.0-Beta4 Changes in Shorewall 4.4.0-Beta4
1) Delete DISABLE_IPV6. 1) Add more macros.
2) Add more macros.
Changes in Shorewall 4.4.0-Beta3 Changes in Shorewall 4.4.0-Beta3

2
Shorewall/configfiles/shorewall.conf
View File

@ -137,6 +137,8 @@ DELAYBLACKLISTLOAD=No
MODULE_SUFFIX= MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No BRIDGING=No
DYNAMIC_ZONES=No DYNAMIC_ZONES=No

39
Shorewall/releasenotes.txt
View File

@ -109,17 +109,33 @@ Shorewall 4.4.0 Beta 4
As part of this change, the fallback.sh scripts are no longer As part of this change, the fallback.sh scripts are no longer
released. released.
9) The DISABLE_IPV6 option has been removed from Shorewall.conf. If
you need to control IPV6 traffic, install Shorewall6.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 4 P R O B L E M S C O R R E C T E D I N 4 . 4 . 0 Beta 3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) The BGP and OSFP macros released in Beta 3 contained rules to allow 1) The BGP and OSFP macros released in Beta 3 contained rules to allow
administrative access to the related routing daemons. Those rules administrative access to the related routing daemons. Those rules
have been deleted. have been deleted.
2) Previously, if Address Type Match was not available and an
interface on the firewall was (mis-)configured as shown below, then
REJECT policies in Shorewall-perl would drop packets addressed to
the interface rather than reject them.
3: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 ...
inet 127.0.0.1/32 scope host venet0
inet 206.124.146.176/32 brd 206.124.146.176 ...
Note that a /32 should never be configured with a broadcast
address.
3) Due to a syntax ambiguity arising from the new dynamic zone
implementation, 'shorewall show dynamic' produced no output. It now
shows the contents of the dynamic blacklist as in earlier
Shorewall releases.
4) The 'findgw' script produced an error if VERBOSITY > 0.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -138,7 +154,7 @@ None.
macro.RIPbi macro.RIPbi
macro.mDNS macro.mDNS
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4 N E W F E A T U R E S IN 4 . 4
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -767,16 +783,3 @@ None.
26) A new extension script, 'lib.private' has been added. This file is 26) A new extension script, 'lib.private' has been added. This file is
intended to include declarations of shell functions that will be intended to include declarations of shell functions that will be
called by the other run-time extension scripts. called by the other run-time extension scripts.
27) Three new macros have been contributed by Alex Wilms.
macro.BGP
macro.Citrix
macro.OSPF
macro.Razor
28) The Shorewall compiler now checks for availability of the LOG
target if the configuration does any logging. This change involves
a new version of the capabilities file so users employing a
capabilties file should re-generate that file before trying to
start/restart Shorewall.