Update for 4.4.4.3, if needed

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.4
-%define release 0base
+%define release 3
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -100,6 +100,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Tue Dec 08 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-3
+* Sun Dec 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-2
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-1
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Config.pm

@@ -327,7 +327,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.4",
+		    VERSION => "4.4.4.3",
 		    CAPVERSION => 40402 ,
 		  );
 
@@ -1908,7 +1908,7 @@ sub load_kernel_modules( ) {
 
 	close LSMOD;
 
-	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
 
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
 
@@ -2029,7 +2029,13 @@ sub determine_capabilities( $ ) {
     $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
     $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
     $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
-    $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
+    
+    if ( $family == F_IPV6 ) {
+	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
+    } else {
+	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
+    }
+
     $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
 
     $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';
 
 #
 # Some IPv4/6 useful stuff
@@ -302,7 +302,7 @@ sub validate_port( $$ ) {
     my $value;
 
     if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port <= 65535;
+	return $port if $port && $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
@@ -485,16 +485,16 @@ sub valid_6address( $ ) {
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 
-    if ( $address =~ /^:/ ) {
-	unless ( $address eq '::' ) {
-	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
-	}
-    } elsif ( $address =~ /:$/ ) {
-	return 0 if $address =~ /::.*:$/;
+    unless ( $address =~ /^::/ ) {
+	return 0 if $address =~ /^:/;
     }
 
+    unless ( $address =~ /::$/  ) {
+	return 0 if $address =~ /:$/;
+    }
+		 
     for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
     }
 
     1;
@@ -543,13 +543,27 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
     my $addr = shift;
 
-    while ( $addr =~ tr/:/:/ < 6 ) {
-	$addr =~ s/::/:0::/;
+    if ( $addr eq '::' ) {
+	'0:0:0:0:0:0:0:0';
+    } else {
+	#
+	# Suppress leading zeros
+	#
+	$addr =~ s/^0+//;
+	$addr =~ s/:0+/:/g;
+	$addr =~ s/^:/0:/;
+	$addr =~ s/:$/:0/;
+
+	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
+	#
+	# Note: "s/::/:0:/g" doesn't work here
+	#
+	1 while $addr =~ s/::/:0:/;
+
+	$addr =~ s/^0+:/0:/;
+	
+	$addr;
     }
-
-    $addr =~ s/::/:0:/;
-
-    $addr;
 }
 
 sub validate_6range( $$ ) {
@@ -573,7 +587,7 @@ sub validate_6range( $$ ) {
 }
 
 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = $_[0];
+    my ( $host, $allow_name )  = @_;
 
     if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;

Shorewall/Perl/Shorewall/Rules.pm

@@ -322,7 +322,7 @@ sub process_routestopped() {
 
 	$seq++;
 
-	my $rule = do_proto( $proto, $ports, $sports, 1 );
+	my $rule = do_proto( $proto, $ports, $sports, 0 );
 
 	for my $host ( split /,/, $hosts ) {
 	    validate_host $host, 1;
@@ -2316,7 +2316,7 @@ EOF
 	}
     } else {
 	for my $interface ( all_bridges ) {
-	    emit "do_iptables -A FORWARD -p 58 " . match_source_interface( $interface ) . match_dest_interface( $interface ) . "-j ACCEPT";
+	    emit "do_iptables -A FORWARD -p 58 " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "-j ACCEPT";
 	}
 
 	if ( $config{IP_FORWARDING} eq 'on' ) {

Shorewall/changelog.txt

@@ -1,3 +1,23 @@
+Changes in Shorewall 4.4.4.3
+
+1)  Fix DONT_LOAD vs 'reload -c'
+
+Changes in Shorewall 4.4.4.2
+
+1)  Disallow port 0
+
+2)  Improve IPv6 address validation and range checking.
+
+3)  Correct Shorewall6 capabilities detection.
+
+4)  Correct handling of DNS names in IPv6.
+
+Changes in Shorewall 4.4.4.1
+
+1)  Fix 15-port change.
+
+2)  Fix handling of interfaces with the 'bridge' option.
+
 Changes in Shorewall 4.4.4
 
 1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1,45 @@
-There are no known problems in Shorewall version 4.4.3
+1)  The change which removed the 15 port limitation on
+    /etc/shorewall/routestopped was incomplete. The result is that if
+    more than 15 ports are listed, an error is generated.
+
+    This problem is corrected in Shorewall 4.4.4.1.
+
+2)  If any interfaces have the 'bridge' option specified, compilation
+    fails with the error:
+
+    Undefined subroutine &Shorewall::Rules::match_source_interface called 
+    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
+
+    This problem is corrected in Shorewall 4.4.4.1.
+
+3)  The 'show policies' command doesn't work in Shorewall6 and
+    Shorewall6-lite.
+
+    This problem is corrected in Shorewall 4.4.4.2.
+
+4)  In some contexts, DNS names are not accepted by Shorewall6.
+
+    This problem is corrected in Shorewall 4.4.4.2.
+
+5)  An iptables-restore error can occur if port 0 is specified in some
+    contexts. 
+
+    In Shorewall 4.4.4.2, port 0 is flagged as an error in all
+    contexts.
+
+6)  The Shorewall6-lite shorecap program is including the wrong
+    library. Also, Shorewall6 capabilities detection is determining the
+    presense of the mangle table before it ensures that ip6tables can
+    be located.
+
+    Fixed in Shorewall6 4.4.4.2 and Shorewall6-lite 4.4.4.2.
+
+7)  The command 'shorewall reload -c <host>' ignores the setting of
+    DONT_LOAD, causing unwanted modules to be loaded.
+
+    This defect is corrected in Shorewall 4.4.4.3.
+
+
+ 
+
+

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.4
+Shorewall 4.4.4 Patch Release 2
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -169,9 +169,45 @@ Shorewall 4.4.4
     now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
     then it may have no additional members in /etc/shorewall/hosts.
 
-13) Because the 'track' provider option is so useful, it is now the
-    default. If, for some reason, you don't want 'track' then specify
-    'notrack' for the provider.
+---------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4 . 3
+----------------------------------------------------------------------------
+
+1)  The command 'shorewall reload -c <host>' ignored the DONT_LOAD
+    setting with the result that unwanted modules could be loaded. The
+    'reload' command without the '-c' option worked correctly.
+
+---------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4 . 2
+----------------------------------------------------------------------------
+
+1)  Previously, DNS names were not accepted in some contexts by
+    Shorewall6.
+
+2)  Validation of IPv6 addresses has been improved and now catches more
+    invalid addresses.
+
+3)  Previously, port 0 was accepted in all contexts with the result
+    that iptables-restore errors could occur. Port 0 is now flagged as
+    an error.
+
+4)  The Shorewall6-lite shorecap program was including the wrong
+    library. Also, Shorewall6 is determining the availablity of the
+    mangle table before it ensures that ip6tables is installed. 
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  The change which removed the 15 port limitation on
+    /etc/shorewall/routestopped was incomplete. The result was that if
+    more than 15 ports are listed, an error was generated.
+
+2)  If any interfaces have the 'bridge' option specified, compilation
+    fails with the error:
+
+    Undefined subroutine &Shorewall::Rules::match_source_interface called 
+    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
 
 ----------------------------------------------------------------------------
           P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4

Shorewall/shorewall

@@ -1231,8 +1231,10 @@ reload_command() # $* = original arguments less the command.
 	    ensure_config_path
 	fi
 
+	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
 	progress_message "Getting Capabilities on system $system..."
-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
     fi

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.4
-%define release 0base
+%define release 3
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -106,6 +106,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
+* Tue Dec 08 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-3
+* Sun Dec 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-2
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-1
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorecap

@@ -45,17 +45,17 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
 
-SHAREDIR=/usr/share/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
-CONFDIR=/etc/shorewall-lite
+SHAREDIR=/usr/share/shorewall6-lite
+VARDIR=/var/lib/shorewall6-lite
+CONFDIR=/etc/shorewall6-lite
 PRODUCT="Shorewall Lite"
 
-. /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/configpath
+. /usr/share/shorewall6-lite/lib.base
+. /usr/share/shorewall6-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-VERSION=$(cat /usr/share/shorewall-lite/version)
+VERSION=$(cat /usr/share/shorewall6-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.4
-%define release 0base
+%define release 3
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -91,6 +91,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Tue Dec 08 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-3
+* Sun Dec 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-2
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-1
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6/lib.base

@@ -696,8 +696,6 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
-    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
     CONNTRACK_MATCH=
     NEW_CONNTRACK_MATCH=
     OLD_CONNTRACK_MATCH=
@@ -747,6 +745,8 @@ determine_capabilities() {
 	exit 1
     fi
 
+    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+    
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
     if ! $IP6TABLES -N $chain; then

Shorewall6/lib.cli

@@ -511,6 +511,12 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+	policies)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo
+	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall6 ]; then
 		case $1 in

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.4
-%define release 0base
+%define release 3
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -95,6 +95,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Tue Dec 08 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-3
+* Sun Dec 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-2
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-1
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.4
+VERSION=4.4.4.3
 
 usage() # $1 = exit status
 {