holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity
9,760 Commits 104 Branches 736 Tags 54 MiB
ad57272c7f
Commit Graph

1225 Commits

Author SHA1 Message Date
Tom Eastep
033d43b014 Implement undocumented dumpfilter extension file 2010-10-07 14:35:51 -07:00
Tom Eastep
f0ef27b3e5 Update version to RC1 2010-10-06 16:16:37 -07:00
Tom Eastep
3d90c63528 Improve validation and reporting in the net list processing. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-05 16:20:07 -07:00
Tom Eastep
a10ced2da2 Make exclusion of set lists more consistent 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-05 12:22:27 -07:00
Tom Eastep
7767d30c7c Improve error message 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-05 11:25:18 -07:00
Tom Eastep
587dacdae0 Allow set lists with "!" 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-05 08:38:30 -07:00
Tom Eastep
8fd221ef30 Refine source/dest network parsing in expand_rule() 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-04 18:57:11 -07:00
Tom Eastep
e74f48410f Correct handling of exclusion with ipset lists 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-04 14:29:50 -07:00
Tom Eastep
cee05d9763 Refine -lite handling of scfilter. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-03 12:52:30 -07:00
Tom Eastep
432534a650 Eliminate need to restart -lite to extract scfilter 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-03 10:56:55 -07:00
Tom Eastep
b27fd07e9f Don't indent the embedded scfilter file. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-01 13:20:36 -07:00
Tom Eastep
ac71868cc1 Package the scfilter along with the generated script for -lite 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-01 10:59:15 -07:00
Tom Eastep
6e9fc12517 Update version to Beta 4 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-10-01 09:31:11 -07:00
Tom Eastep
1218ccf0cb More optimization performance improvements 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-30 14:15:19 -07:00
Tom Eastep
252a9f2205 More speedup of optimization level 8 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-29 13:30:10 -07:00
Tom Eastep
46f1074422 Reduce the cost of optimization substantially. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-29 11:54:39 -07:00
Tom Eastep
8017f603a0 Add progress message for each optimization pass. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-28 12:20:35 -07:00
Tom Eastep
6171d938f7 Correction to last change -- move two declarations to an outer block. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-28 12:20:06 -07:00
Tom Eastep
48c3200a5a Issue error message when required file is missing or has zero size. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-28 11:22:47 -07:00
Tom Eastep
68f537ac5b Bypass processing logic when an optional config file is absent. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-28 10:48:44 -07:00
Tom Eastep
47fbc83419 Don't add trailing whitespace to DNAT/REDIRECT target 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-28 09:27:42 -07:00
Tom Eastep
91aabfc078 Revise fix for extraneous progress messages 2010-09-27 16:18:11 -07:00
Tom Eastep
0109b8113a Prevent random progress messages during compilation. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-27 15:56:22 -07:00
Tom Eastep
75d50d126c Make zones with 'mss' complex. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-27 13:57:56 -07:00
Tom Eastep
f7eb3c3d8c Periodic elimination of trailing white space 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-27 11:16:18 -07:00
Tom Eastep
ac646930a3 Tighter validation of ipset names in the hosts file. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-26 08:36:27 -07:00
Tom Eastep
066c772fcd Correct minor issue with previous error message improvement change 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-26 08:28:25 -07:00
Tom Eastep
0becb39202 Bump version to Beta 3 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-26 08:15:32 -07:00
Tom Eastep
2828b65326 Improve error message generated when a token beginning with '+' reaches validate_net() 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-26 07:56:55 -07:00
Tom Eastep
74f1cb2443 Mention maclist file in shorewall-ipsets(5) 2010-09-25 16:07:56 -07:00
Tom Eastep
f07ec1e9d3 Clean up untidiness where Shorewall6 tries to start on a system with an old kernel 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-25 08:46:14 -07:00
Tom Eastep
e018ee6adc Don't create <zone>_frwd when unnecessary 
- Set the zone {complex} flag based on ipsec options rather than the presense of any options.
- Generate forwarding blacklist rules in lieu of creating<zone>_frwd

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-24 15:25:57 -07:00
Tom Eastep
b5fdb089bc Fix syntax error in blacklist fix 2010-09-24 13:42:05 -07:00
Tom Eastep
0768235278 Correct blacklisting in simple configurations 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-24 13:41:54 -07:00
Tom Eastep
03161ed57d Bump version to 4.4.14 Beta 2 2010-09-23 19:33:37 -07:00
Tom Eastep
6702fbbd40 Make timestamps in log uniform 2010-09-23 07:40:27 -07:00
Tom Eastep
2c7b1b5d7b Add more comments 2010-09-22 15:26:01 -07:00
Tom Eastep
9d5642aedd Update Version to 4.4.14-Beta1 2010-09-21 11:34:26 -07:00
Tom Eastep
dbd7914ee6 More fiddling with move_rules() 
- Assert that the chain being moved has no blacklist jumps
- delete duplicate rules in case the destination chain has such a jump
 2010-09-20 18:00:39 -07:00
Tom Eastep
271154ed60 Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-20 09:45:48 -07:00
Tom Eastep
bde0a297f9 Misc cleanup for 4.4.13 
1. Replace statement with equivalent function call in promote_blacklist_rules()
2. Bump version of Tunnels.pm
3. Fix typo in comment in Zones.pm

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-20 09:45:38 -07:00
Tom Eastep
7baa1839cf Tighen up parsing of bracketed lists -- Take 2 2010-09-20 07:24:22 -07:00
Tom Eastep
f64993fe40 Tighen up parsing of bracketed lists 2010-09-20 07:05:23 -07:00
Tom Eastep
9335ef5745 Don't allow '*' in interface names 2010-09-19 15:10:21 -07:00
Tom Eastep
25ca73ca54 Support alternative syntax for ipet lists 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-19 13:22:12 -07:00
Tom Eastep
9111540a7f Support ipset lists 2010-09-19 12:36:20 -07:00
Tom Eastep
35a686eaa1 Add delete_reference() function. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-19 08:28:29 -07:00
Tom Eastep
9ba82bec1f Add warning about redundant 'blacklist' option 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-19 08:28:05 -07:00
Tom Eastep
e06ca34298 Add redundancy warning re 'blacklst' 2010-09-19 08:03:01 -07:00
Tom Eastep
b3d6ae78ba Add redundancy warning re 'blacklst' 2010-09-19 07:57:36 -07:00
Tom Eastep
c0382b8cb9 Adjust reference count in move rules. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 15:11:17 -07:00
Tom Eastep
ce9b5ee944 Make blacklist rule promotion much more effecient. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 13:35:24 -07:00
Tom Eastep
74abd4ad54 In copy_rules(), handle the unlikely case where both chains have blacklist jumps. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 12:26:07 -07:00
Tom Eastep
f7db24f756 Merge branch '4.4.13' 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 09:29:50 -07:00
Tom Eastep
f25b9e1967 Allow :<port> in tcfilters 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 09:26:29 -07:00
Tom Eastep
0e9c704069 Don't scan the filter table for jumps to 'blacklst' if the 'blacklst' chain does not exist 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:42:21 -07:00
Tom Eastep
c3299d5f89 Enable blacklist rule promotion 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:38:22 -07:00
Tom Eastep
6f0893cd7a Correct Chains::promote_blacklist_rules() 
- Interate through chains that jump to 'blacklst' until no rule is promoted
  This is required to promote jumps past exclusion chains
- Correct reference counting; the first cut was horribly wrong

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:38:14 -07:00
Tom Eastep
c040344bc1 Promote 'in' blacklist rules to the head of the interface chain 
- Added Chains::promote_blacklist_rules()
- Called the function from Rules::generate_matrix()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:38:02 -07:00
Tom Eastep
2fa16f6d08 Enable blacklist rule promotion 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:36:59 -07:00
Tom Eastep
578fc6c521 Correct Chains::promote_blacklist_rules() 
- Interate through chains that jump to 'blacklst' until no rule is promoted
  This is required to promote jumps past exclusion chains
- Correct reference counting; the first cut was horribly wrong

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 08:36:35 -07:00
Tom Eastep
fd6ff1849a Promote 'in' blacklist rules to the head of the interface chain 
- Added Chains::promote_blacklist_rules()
- Called the function from Rules::generate_matrix()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-18 07:37:42 -07:00
Tom Eastep
fd568ece47 Clear raw table on 'clear' 2010-09-17 17:43:57 -07:00
Tom Eastep
1588c700c5 Fix blacklisting vs vservers 2010-09-17 17:43:40 -07:00
Tom Eastep
6106dd3ada Zero out {frozen} in a deleted chain entry 2010-09-17 17:43:04 -07:00
Tom Eastep
580c561a51 Clear raw table on 'clear' 2010-09-17 17:12:34 -07:00
Tom Eastep
a42576aef8 Fix blacklisting vs vservers 2010-09-17 16:38:34 -07:00
Tom Eastep
79bb47582a Zero out {frozen} in a deleted chain entry 2010-09-17 16:00:36 -07:00
Tom Eastep
596d207dfc Simplify a test 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 15:43:56 -07:00
Tom Eastep
8cdbe5f88d Fix an optimization bug with the new blacklisting code 2010-09-17 15:43:47 -07:00
Tom Eastep
402b3b929e Restore trace output in move_rules() 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 15:43:03 -07:00
Tom Eastep
c5bb3ecfac Simplify a test 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 15:42:05 -07:00
Tom Eastep
c9e876fcf5 Fix an optimization bug with the new blacklisting code 2010-09-17 15:10:02 -07:00
Tom Eastep
85430e459c Restore trace output in move_rules() 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 14:35:25 -07:00
Tom Eastep
ad660d7fe5 Simplify move_rules() 2010-09-17 13:53:10 -07:00
Tom Eastep
3d0f8e962e Simplify move_rules() 2010-09-17 13:49:32 -07:00
Tom Eastep
7a6943fa54 Disallow mss and blacklist on firewall and vserver zones 2010-09-17 12:54:58 -07:00
Tom Eastep
b76ee408a5 Emit clearer error messages 2010-09-17 12:54:54 -07:00
Tom Eastep
2e3635ff50 Be sure that {frozen} is defined 2010-09-17 12:54:44 -07:00
Tom Eastep
ab78aac3a4 Disallow mss and blacklist on firewall and vserver zones 2010-09-17 12:46:38 -07:00
Tom Eastep
330afe1701 Emit clearer error messages 2010-09-17 12:35:34 -07:00
Tom Eastep
239b4a2356 Be sure that {frozen} is defined 2010-09-17 12:08:48 -07:00
Tom Eastep
7175f8a63e Revert versions on Rules and Zones modules 2010-09-17 11:08:45 -07:00
Tom Eastep
d898c87617 Eliminate a parameter to add_jump() 2010-09-17 11:08:12 -07:00
Tom Eastep
07930fc535 Revert versions on Rules and Zones modules 2010-09-17 11:06:32 -07:00
Tom Eastep
5357f4c347 Eliminate a parameter to add_jump() 2010-09-17 11:05:35 -07:00
Tom Eastep
af24baaecd Update version to RC1 (one more time) 2010-09-17 09:14:56 -07:00
Tom Eastep
e61230a3db Update version to Beta 6 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-17 08:23:24 -07:00
Tom Eastep
882970a598 Use state match for UNTRACKED 2010-09-17 07:58:21 -07:00
Tom Eastep
2ce3c8aa88 Ensure that blacklist rules are before the other interface-oriented rules 2010-09-16 18:19:16 -07:00
Tom Eastep
27c445381e Treat 'blacklist' uniformly in hosts and zones 2010-09-16 15:48:12 -07:00
Tom Eastep
1c870b532a Preserve dynamic blacklist during stop/clear/restore 2010-09-16 12:17:04 -07:00
Tom Eastep
a8c9fc1859 Implement new Blacklisting Scheme 2010-09-16 09:40:28 -07:00
Tom Eastep
3c1cff0794 First steps toward zone-based blacklisting 2010-09-16 06:55:48 -07:00
Tom Eastep
1d650b41cd Remove blacklisting by destination IP address support 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-15 15:24:58 -07:00
Tom Eastep
3ad3f0d9e0 Allow floating point numbers in tcinterfaces fields other than <rate> 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-15 14:07:21 -07:00
Tom Eastep
ba89ec39b5 Add :<burst> to /etc/shorewall/tcdevices 2010-09-15 11:56:14 -07:00
Tom Eastep
69a2fa1907 Replace to/from with dst/src 2010-09-15 11:25:46 -07:00
Tom Eastep
f925b335ef Ignore the 'blacklist' host option 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-15 08:10:57 -07:00
Tom Eastep
373fc87165 More blacklisting wrapup 
- Deprecate 'blacklist' in the hosts file
- Base blacklisting on interfaces alone

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-15 07:38:20 -07:00
Tom Eastep
4d0e8d129b Add dup blacklist message 2010-09-14 18:04:27 -07:00
Tom Eastep
10a9ae496a More manpage updates for 4.4.13 2010-09-14 16:47:45 -07:00
Tom Eastep
94cdc73ec2 Restore setpolicy() to prog.header* 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-14 13:50:22 -07:00
Tom Eastep
c4a40d8c7b Set version to RC1 (again) 2010-09-14 13:09:50 -07:00
Tom Eastep
1f2691b052 Another fix for blacklisting; correct composition of $hosts1 2010-09-14 06:47:29 -07:00
Tom Eastep
0f913fca2f Don't create blackout unnecessarily 2010-09-13 18:15:50 -07:00
Tom Eastep
82bccf16b5 Avoid internal error when there are no 'to' entries 2010-09-13 17:55:20 -07:00
Tom Eastep
b1e9bff382 Create new ipsets on 'start' 2010-09-13 15:46:04 -07:00
Tom Eastep
a6194fabd2 Delete blank line 2010-09-13 14:15:47 -07:00
Tom Eastep
33adbe7a27 Update documentation for net TC features 2010-09-13 13:51:25 -07:00
Tom Eastep
1729da87f1 Allow both 'to' and 'from' in blacklist 2010-09-13 12:51:10 -07:00
Tom Eastep
9b4c3e22dd Allow floating point numbers in TC rates 2010-09-13 12:50:50 -07:00
Tom Eastep
cb1f7adea3 Add :<burst> to IN-BANDWIDTH 2010-09-13 11:23:37 -07:00
Tom Eastep
283eda2fa5 Cosmetic change to OUT-BANDWIDTH code 2010-09-12 16:33:19 -07:00
Tom Eastep
bd9041306c Add undocumented OUT-BANDWIDTH column to tcinterfaces 2010-09-12 16:25:45 -07:00
Tom Eastep
a3b7b9c11b Delete unused functions from prog.header* 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-12 10:07:26 -07:00
Tom Eastep
931c5a8d0a Add an assertion 2010-09-11 16:24:27 -07:00
Tom Eastep
50fc972d2a Fix another SAME defect :-( 2010-09-11 16:15:09 -07:00
Tom Eastep
512cd7b08e Bump version to 4.4.13 RC 1 2010-09-11 15:46:14 -07:00
Tom Eastep
aad7b70e18 Rename constant 2010-09-11 15:31:43 -07:00
Tom Eastep
c6c6503d83 Clean up a remaining issue with SAME 2010-09-11 15:24:01 -07:00
Tom Eastep
f004916055 Disallow a DEST interface in mangle OUTPUT rules 2010-09-11 14:10:05 -07:00
Tom Eastep
3ea7808b38 Disallow a DEST interface in mangle PREROUTING rules 2010-09-11 14:02:09 -07:00
Tom Eastep
e93a7fe9df Avoid recent problems by not padding $target in process_tc_rule() 2010-09-11 11:03:28 -07:00
Tom Eastep
d9ced1051a One more fix for SAME 2010-09-11 10:35:45 -07:00
Tom Eastep
367fc041b8 Correct handling of SAME -- Take 2 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-11 09:36:19 -07:00
Tom Eastep
dbc9f6ac8f Correct handling of SAME 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-11 08:56:22 -07:00
Tom Eastep
8dd42c9e19 Correct handling of dst/src list in ipset invocation 2010-09-11 07:41:01 -07:00
Tom Eastep
99f8f84024 Fix name of F chain in secmarks 2010-09-10 16:45:22 -07:00
Tom Eastep
69817007bf Some more fixes for blacklisting 2010-09-09 14:53:12 -07:00
Tom Eastep
50300a60b7 A number of corrections to split blacklisting. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-09 11:20:49 -07:00
Tom Eastep
64544f4ab5 Correct comparison in 'blacklist' handling 2010-09-09 10:22:48 -07:00
Tom Eastep
cd4b5d80ed Reduce patch footprint by two lines 2010-09-09 09:00:28 -07:00
Tom Eastep
df1e17eaa8 Re-enable 'blacklist' on bridge ports 2010-09-09 07:09:08 -07:00
Tom Eastep
50b4bd8dfe More Blacklist and Secmark documentation updates 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-06 17:26:49 -07:00
Tom Eastep
f3255cd83a Rework blacklisting 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-06 15:29:20 -07:00
Tom Eastep
c6f58ba924 Enhance SELinux support: 
- Add state match
- Add user/group match
- Add examples to the man pages
 2010-09-06 09:06:40 -07:00
Tom Eastep
33dc8de8fb Allow dash's in ipset names 2010-09-05 11:41:35 -07:00
Tom Eastep
23e94e136c Allow COMMENT, SAVE and RESTORE to work correctly in secmarks 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-05 08:17:58 -07:00
Tom Eastep
629290259d Allow secmarks without TC_ENABLED 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-05 07:49:03 -07:00
Tom Eastep
b139ff7e90 Update docs and implementation of SECMARK 2010-09-04 16:08:29 -07:00
Tom Eastep
28ff3548ff Bump version to 4.4.13-Beta4 2010-09-04 15:30:02 -07:00
Tom Eastep
15d8d6d8b7 Add SECMARK and CONNSECMARK support 2010-09-04 15:12:08 -07:00
Tom Eastep
6caff51c98 Modify a comment are delete a silly identity assignment 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-09-01 11:24:19 -07:00
Tom Eastep
62fcf1ae8b Adjust version of Raw.pm 2010-08-31 16:52:48 -07:00
Tom Eastep
dfebe5a35e Correct error message 2010-08-31 16:33:15 -07:00
Tom Eastep
8f94137007 Fix last change 2010-08-30 16:47:45 -07:00
Tom Eastep
1da6d51d1a Reduce the Beta3 patch footprint by making the second arg to known_interface() optional 2010-08-30 16:43:30 -07:00
Tom Eastep
add76ed14e Bump version to 4.4.13 Beta 3 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-30 12:33:10 -07:00
Tom Eastep
7f0f4516d7 Rework handle_optional_interfaces() somewhat 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-30 12:29:39 -07:00
Tom Eastep
c18d206726 Use a function to generate the list of interfaces with an L3 address 2010-08-29 20:13:56 -07:00
Tom Eastep
57c54af6ed Re-implement optional interface handling 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-29 12:32:44 -07:00
Tom Eastep
d94f2cc86d Insure that the mapping to base names is deterministic 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-29 07:28:06 -07:00
Tom Eastep
be0231578f Insure uniqueness of chain_base mapping 2010-08-28 20:47:39 -07:00
Tom Eastep
95a09b996f Fix test for KLUDGEFREE 2010-08-28 20:47:15 -07:00
Tom Eastep
1531ad3bcd Re-implement interface->shell-variable mapping 2010-08-28 15:15:41 -07:00
Tom Eastep
3a36a9de4b Fix shell-variable creation 2010-08-28 14:48:47 -07:00
Tom Eastep
d8846b92d8 Fix optional 'upnpclient' interfaces - take 2 2010-08-28 14:46:29 -07:00
Tom Eastep
a440e7023e Fix optional 'upnpclient' interfaces 2010-08-28 14:18:48 -07:00
Tom Eastep
f45879c4f4 split_list1 removes () -- take 2 2010-08-28 13:40:44 -07:00
Tom Eastep
2a54e8cd24 split_list1 removes () 2010-08-28 13:37:19 -07:00
Tom Eastep
c2558af9c8 Document and correct implementation of EXCLUSION_MASK 
1. Require KLUDGEFREE if existing rule uses mark match
2. Pretty up the code
3. Use MASK_BITS rather than TC_BITS when calculating the offset of EXCLUSION_MASK

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-28 08:29:47 -07:00
Tom Eastep
c98cf8aea6 Re-implement exclusion in CONTINUE/NONAT/ACCEPT+ rules 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-27 10:09:42 -07:00
Tom Eastep
57bcfee559 Add 'Mark in any table' capability 2010-08-27 08:35:33 -07:00
Tom Eastep
a1cd2ba0f3 Bring 'multiple space before comment' fix forward to master 
Probably unneeded but better be safe

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-27 06:59:52 -07:00
Tom Eastep
12f48e1b97 Don't pass '-j' in target arg to expand_rule() 
- use the target to locate chain for reference tracking

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-26 10:37:07 -07:00
Tom Eastep
15fbbdaac7 Fix exclusion in blacklist 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-26 10:33:57 -07:00
Tom Eastep
bd8bcabdf0 Use the 'disposition' argument to expand_rule() to specify the target chain 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-26 08:40:24 -07:00
Tom Eastep
75e12148ac Bump version to Beta 2 2010-08-25 09:58:07 -07:00
Tom Eastep
4a865e0a6d Pretty up some come 2010-08-24 13:08:21 -07:00
Tom Eastep
91c5a2f80b Fix old ipset detection bug 2010-08-24 13:08:06 -07:00
Tom Eastep
5c49aa843c Generate warning when a rules file entry generates no iptables-restore input 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-24 08:38:49 -07:00
Tom Eastep
383e792807 Restore wildcard properties to zone lists 2010-08-24 06:52:53 -07:00
Tom Eastep
5a92c3262f Fix REQUIRE_INTERFACE=Yes 2010-08-23 17:19:41 -07:00
Tom Eastep
d74af30368 Fix zone-exclusion bug 2010-08-23 16:31:46 -07:00
Tom Eastep
160ad231df Fix an old optimization bug 2010-08-23 15:14:09 -07:00
Tom Eastep
335ac8cdca Improve IPSEC accounting. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-20 10:07:19 -07:00
Tom Eastep
e70d9c82d8 Revise and document IPSEC Accounting 
- Place accounting rules in accipsecin and accipsecout
- Add warning when rule inserted into unreferenced accounting chain
- Add warning when an accounting chain has no references

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-20 08:24:45 -07:00
Tom Eastep
33ee9b1481 Add IPSEC Accounting (again) 2010-08-20 06:53:31 -07:00
Tom Eastep
d9d31ff132 Remove another 'our' variable 2010-08-19 15:34:04 -07:00
Tom Eastep
c80b1b3585 Correct types in do_ipsec() 2010-08-19 15:33:49 -07:00
Tom Eastep
af77eb08bc Back out IPSEC accounting rules 2010-08-19 15:13:01 -07:00
Tom Eastep
2a9bbbfe62 Eliminate an ugly 'our' variable. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-19 12:00:52 -07:00
Tom Eastep
676da7a2f1 More reorganization of process_rule() 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-19 11:53:26 -07:00
Tom Eastep
d997ef1653 First cut at IPSEC support in the accounting file. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-19 11:46:26 -07:00
Tom Eastep
4322d7b2af Zone exclusion 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-18 16:10:58 -07:00
Tom Eastep
4460b49842 Complete Zone list Support 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-18 14:38:53 -07:00
Tom Eastep
fafb0dea73 Update version to 4.4.13-Beta1 2010-08-18 12:40:34 -07:00
Tom Eastep
255cd6cf9c Implement zone lists in rules file entries 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-18 12:18:58 -07:00
Tom Eastep
7a17b65368 Allow simple zone lists in rules 2010-08-18 07:26:38 -07:00
Tom Eastep
12aecdef37 Use '&' trick to avoid prototype matching 2010-08-17 09:17:25 -07:00
Tom Eastep
a0dffa787d Add an assertion 2010-08-16 19:17:44 -07:00
Tom Eastep
2919c48ba0 Avoid forward reference to ensure_chain() 2010-08-16 13:25:01 -07:00
Tom Eastep
00837ed503 Add Shorewall::Chains::find_chain() 2010-08-16 13:12:12 -07:00
Tom Eastep
633eba6c90 Set version to 4.4.12 2010-08-15 08:50:45 -07:00
Tom Eastep
1510e111c4 Fix typo in conf basics doc 2010-08-13 20:27:14 -07:00
Tom Eastep
7281c9166e Record the config directory in the state file 2010-08-12 17:54:07 -07:00
Tom Eastep
15eec24672 Simplify logic for generating all parent zones 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-12 15:15:19 -07:00
Tom Eastep
49053afdcb Fix port range validate issue 2010-08-12 09:49:26 -07:00
Tom Eastep
69eaf84078 Fix bug with 'any' 2010-08-12 07:31:37 -07:00
Tom Eastep
965ad7ced1 Minor tweaks to the IPAddrs module 2010-08-11 11:46:26 -07:00
Tom Eastep
0234564a1b Add destination IP blacklisting 2010-08-10 17:33:50 -07:00
Tom Eastep
8d4498c9b8 Update Version to 4.4.12 RC 1 2010-08-06 19:31:36 -07:00
Tom Eastep
0f02ee2628 Fix issue with set match generation 2010-08-06 10:17:54 -07:00
Tom Eastep
364ad41cf5 Add support for new ipset match syntax 2010-08-03 21:06:17 -07:00
Tom Eastep
2774ee1bd6 Make 'icmp' a synonym for 'ipv6-icmp' in IPv6 compilations 2010-08-02 08:04:55 -07:00
Tom Eastep
3ce8ff5741 Bump version to Beta 4 2010-08-01 16:10:32 -07:00
Tom Eastep
967629569b Taylor Universal config to work with Shorewall-init and streamline ruleset 
- Make interface 'all' optional and set REQUIRE_INTERFACE=Yes
- Add COMPLETE option
- Set FASTACCEPT in Universal samples
- Reset SUBSYSLOCK in Universal samples

Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-08-01 08:36:56 -07:00
Tom Eastep
a88e2afa69 Tweak the Universal documentation 2010-07-31 18:43:54 -07:00
Tom Eastep
0b3dfcc844 Revert version to Beta 3 2010-07-31 13:23:53 -07:00
Tom Eastep
fdcc263023 Fix a couple of minor bugs 2010-07-31 13:11:46 -07:00
Tom Eastep
0174045181 Fixes for Universal Sample 2010-07-31 10:49:49 -07:00
Tom Eastep
beeeb6efbc Allow '+' as a physical interface 2010-07-31 10:08:45 -07:00
Tom Eastep
fdeb9006fa Correct module versions 2010-07-31 09:02:51 -07:00
Tom Eastep
005b6f7b45 Use new hashlimit match syntax if available 2010-07-31 07:19:41 -07:00
Tom Eastep
637cfdaa14 Handle case where old hashlimit match is no longer supported 2010-07-29 17:14:36 -07:00
Tom Eastep
e598dc77b7 Correct/improve LOGLIMIT handling 2010-07-29 16:50:17 -07:00
Tom Eastep
a639b75e36 Bump version to RC1 2010-07-29 11:40:15 -07:00
Tom Eastep
6a1fea3a40 Add 'user marks' 2010-07-27 11:02:36 -07:00
Tom Eastep
f1a8da61bc Use global log rate limiting, if any, for synflood logging 2010-07-26 14:58:38 -07:00
Tom Eastep
bd5facda30 Implement per-IP log rate limiting 2010-07-25 12:42:39 -07:00
Tom Eastep
9bf06caa35 Bump version to Beta 2 2010-07-25 08:11:49 -07:00
Tom Eastep
1528cc2094 Correct RE in split_action() 2010-07-24 11:50:10 -07:00
Tom Eastep
e956068959 Make default setting of MANGLE_ENABLED depend on the capability with the same name 2010-07-24 09:27:21 -07:00
Tom Eastep
e5a7d2ae69 Fix syntax error in generated script 2010-07-23 11:24:42 -07:00
Tom Eastep
9eedf155bc Fix syntax error in generated script 2010-07-23 11:23:23 -07:00
Tom Eastep
3248fc8ab1 Add additional progress messages to updown() 2010-07-22 15:11:19 -07:00
Tom Eastep
49a8861f5b Pretty up the code 2010-07-22 13:57:34 -07:00
Tom Eastep
7db9645225 Avoid an extra blank line 2010-07-22 13:51:47 -07:00
Tom Eastep
666cc35b46 Don't slow down stop with 'wait' 2010-07-22 12:56:49 -07:00
Tom Eastep
4e33efd8a6 Allow :random to work with REDIRECT 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-07-22 07:26:38 -07:00
Tom Eastep
8959245375 Update version to 4.4.12-Beta1 2010-07-21 20:35:36 -07:00
Tom Eastep
411d392ccd Additional progress messages during up/down processing 2010-07-21 20:35:03 -07:00
Tom Eastep
d897635af5 Allow bizarre overriding of SOURCE/DEST with ipsets 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-07-20 16:03:12 -07:00
Tom Eastep
1de257be19 Make ADD and DELETE work with any type of ipset. 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-07-20 15:42:11 -07:00
Tom Eastep
79128605b1 Validate all IPSET Names 2010-07-18 17:18:10 -07:00
Tom Eastep
cbb524b067 Implement ADD/DEL commands 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-07-18 08:46:38 -07:00
Tom Eastep
d99aff5e09 Use Perl Constants rather literals for IPv6 Networks 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-07-16 10:06:29 -07:00
Tom Eastep
17bdcc1360 Eradicate incorrect multicast network address 2010-07-16 09:33:17 -07:00
Tom Eastep
b52b7c422f Drop multicast and anycast in Drop and Reject actions 2010-07-12 16:44:34 -07:00
Tom Eastep
c1b212225e Use uniform coding style in latest changes 2010-07-12 13:07:11 -07:00
Tom Eastep
328e1b7f6a Don't generate rules to link local net from vserver zones 2010-07-12 12:39:51 -07:00
Tom Eastep
59189d6324 Don't generate rules from link local net to vserver zones 2010-07-12 11:52:56 -07:00
Tom Eastep
4792d1e5f1 Fix nets= in Shorewall6 2010-07-11 19:52:18 -07:00
Tom Eastep
5a5546ef1b Set version to 4.4.11 2010-07-09 09:01:08 -07:00
Tom Eastep
d0c1c3d69c Change comment to clarify assumption about function arguments 2010-07-08 17:45:18 -07:00
Tom Eastep
9eca7fb37b Simplify logic in loopback helper functions 2010-07-08 17:11:27 -07:00
Tom Eastep
591a4bc7f6 Revert version of modules with only whitespace changes; rename a couple of functions for clarity 2010-07-07 06:43:07 -07:00
Tom Eastep
02fab09a14 Add PERL= option to shorewall.conf and shorewall6.conf 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
 2010-07-05 13:11:52 -07:00
Tom Eastep
31a9d24164 Fix missing quote when REQUIRE_INTERFACE=Yes 2010-07-05 09:47:03 -07:00