Make ipset-based dynamic blacklisting work in the FORWARD chain

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct a warning message
2016-06-13 15:03:09 -07:00 · 2016-06-13 15:03:03 -07:00 · 2016-06-09 09:12:13 -07:00 · 2016-06-08 15:56:56 -07:00 · 2016-06-08 15:40:48 -07:00 · 2016-06-08 15:40:36 -07:00
37 changed files with 418 additions and 130 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -753,6 +753,7 @@ version_command() {
    local all
    all=
    local product
    local compiletime
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -795,8 +796,16 @@ version_command() {
 	done
 	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
-	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
+	    compiletime=$(run_it $g_firewall info 2>/dev/null)
-	    $g_firewall version
+
 	    case $compiletime in
 		compiled\ *)
 		    echo "$g_firewall was $compiletime"
 		    ;;
 		*)
 		    echo "$g_firewall was compiled by Shorewall version $(run_it $g_firewall version))"
 		    ;;
 	    esac
 	fi
    else
 	echo $SHOREWALL_VERSION
@@ -1523,6 +1532,49 @@ dump_filter_wrapper() {
    eval dump_filter $g_pager
 }
 show_status() {
    local compiletime
    local state
    if product_is_started ; then
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi
    if [ -f ${VARDIR}/state ]; then
 	state="$(cat ${VARDIR}/state)"
 	case $state in
 	    Stopped*|Closed*|Clear*)
 		status=3
 		;;
 	esac
    else
 	state=Unknown
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	if [ -f $g_firewall ]; then
 	    compiletime=$(run_it $g_firewall info 2>/dev/null)
 	    case $compiletime in
 		compiled\ *)
 		    state="$state ($g_firewall $compiletime)"
 		    ;;
 		*)
 		    state="$state ($g_firewall compiled by Shorewall version $(run_it $g_firewall version))"
 		    ;;
 	    esac
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 #
 # Dump Command Executor
 #
@@ -3323,47 +3375,6 @@ report_capabilities1() {
    report_capabilities_unsorted1 | sort
 }
 show_status() {
    local compiletime
    if product_is_started ; then
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
 	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi
    if [ -f ${VARDIR}/state ]; then
 	state="$(cat ${VARDIR}/state)"
 	case $state in
 	    Stopped*|Closed*|Clear*)
 		status=3
 		;;
 	esac
    else
 	state=Unknown
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	if [ -f $g_firewall ]; then
 	    compiletime=$($g_firewall date)
 	    case $compiletime in
 		Usage*)
 		    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
 		    ;;
 		*)
 		    state="$state ($g_firewall compiled $compiletime by Shorewall version $($g_firewall version))"
 		    ;;
 	    esac
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 interface_status() {
    case $(cat $1) in
 	0)
@@ -4549,6 +4560,11 @@ shorewall_cli() {
 		    # It's a shell function -- call it
 		    #
 		    $@
 		elif type $1 2> /dev/null | fgrep -q 'is a shell function'; then
 		    #
 		    # It's a shell function -- call it
 		    #
 		    $@
 		else
 		    #
 		    # It isn't a function visible to this script -- try
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -712,9 +712,9 @@ find_file()
 set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+	echo "$1 $(date) from $2" > ${VARDIR}/state
    else
-	echo "$1 ($(date))" > ${VARDIR}/state
+	echo "$1 $(date)" > ${VARDIR}/state
    fi
 }
@@ -776,7 +776,7 @@ mutex_on()
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
-	    elif ! qt ps p ${lockpid}; then
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
@@ -788,10 +788,8 @@ mutex_on()
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	elif qt mywhich lock; then
-            lock -${MUTEX_TIMEOUT} -r1 ${lockf}
+            lock ${lockf}
-            chmod u+w ${lockf}
+            chmod u=r ${lockf}
            echo $$ > ${lockf}
            chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -813,6 +811,7 @@ mutex_on()
 #
 mutex_off()
 {
    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -412,7 +412,7 @@ if [ $HOST = debian ]; then
    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}${ETC}/default
+	    mkdir -p ${DESTDIR}${ETC}/default
 	fi
 	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
@@ -585,7 +585,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ $configure -eq 1 -a -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ $HOST = debian -a -z "$SERVICEDIR" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -550,7 +550,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    install_file ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT} 0640
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ ${SHAREDIR} != /usr/share ]; then
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -244,7 +244,7 @@ sub create_arptables_load( $ ) {
    emit "exec 3>\${VARDIR}/.arptables-input";
-    my $date = localtime;
+    my $date = compiletime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -294,7 +294,7 @@ sub create_arptables_load( $ ) {
 #
 sub preview_arptables_load() {
-    my $date = localtime;
+    my $date = compiletime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8575,7 +8575,7 @@ sub create_netfilter_load( $ ) {
    enter_cat_mode;
-    my $date = localtime;
+    my $date = compiletime;
    unless ( $test ) {
 	emit_unindented '#';
@@ -8683,7 +8683,7 @@ sub preview_netfilter_load() {
    enter_cat_mode1;
-    my $date = localtime;
+    my $date = compiletime;
    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
@@ -8919,7 +8919,7 @@ sub create_stop_load( $ ) {
    enter_cat_mode;
    unless ( $test ) {
-	my $date = localtime;
+	my $date = compiletime;
 	emit_unindented '#';
 	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
 	emit_unindented '#';
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -90,7 +90,7 @@ sub generate_script_1( $ ) {
 	if ( $test ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    my $date = localtime;
+	    my $date = compiletime;
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
@@ -597,14 +597,18 @@ EOF
 }
 #
-# Generate date_command()
+# Generate info_command()
 #
-sub compile_date_command() {
+sub compile_info_command() {
-    my $date = localtime;
+    my $date = compiletime;
-    emit( "\ndate_command() {" ,
+    emit( "\n",
-	  "    echo $date" ,
+	  "#",
-	  "}" );
+	  "# Echo the date and time when this script was compiled along with the Shorewall version",
 	  "#",
 	  "info_command() {" ,
 	  qq(    echo "compiled $date by Shorewall version $globals{VERSION}") ,
 	  "}\n" );
 }   
 #
@@ -935,7 +939,7 @@ sub compiler {
 	#
 	# Echo the compilation time and date
 	#
-	compile_date_command;
+	compile_info_command unless $test;
 	#
 	# Copy the footer to the script
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -84,6 +84,8 @@ our @EXPORT = qw(
 		 require_capability
 		 report_used_capabilities
 		 kernel_version
                 compiletime
                );
 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -681,6 +683,8 @@ our %ipsets; # All required IPsets
 #
 our %filecache;
 our $compiletime;
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -737,7 +741,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.1",
+		    VERSION                 => "5.0.9-Beta2",
 		    CAPVERSION              => 50004 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -889,6 +893,7 @@ sub initialize( $;$$) {
 	  DOCKER => undef ,
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1171,6 +1176,12 @@ sub initialize( $;$$) {
    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
    add_variables %shorewallrc1;
    $compiletime = `date`;
    chomp $compiletime;
    $compiletime =~ s/ +/ /g;
 }
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -1183,6 +1194,10 @@ sub all_ipsets() {
    sort keys %ipsets;
 }
 sub compiletime() {
    $compiletime;
 }
 #
 # Create 'currentlineinfo'
 #
@@ -2543,18 +2558,54 @@ sub directive_error( $$$ ) {
    fatal_error $_[0];
 }
-sub directive_warning( $$$ ) {
+sub directive_warning( $$$$ ) {
-    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    if ( shift ) {
-    ( my $warning, $currentfilename, $currentlinenumber ) = @_;
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-    warning_message $warning;
+	( my $warning, $currentfilename, $currentlinenumber ) = @_;
-    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+	warning_message $warning;
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   WARNING: $_[0]\n";
 	}
 	print STDERR "   WARNING: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
-sub directive_info( $$$ ) {
+sub directive_info( $$$$ ) {
-    my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
+    if ( shift ) {
-    ( my $info, $currentfilename, $currentlinenumber ) = @_;
+	my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
-    info_message $info;
+	( my $info, $currentfilename, $currentlinenumber ) = @_;
-    ( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+	info_message $info;
 	( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
    } else {
 	our @localtime;
 	handle_first_entry if $first_entry;
 	$| = 1; #Reset output buffering (flush any partially filled buffers).
 	if ( $log ) {
 	    @localtime = localtime;
 	    printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log  "   INFO: $_[0]\n";
 	}
 	print STDERR "   INFO: $_[0]\n";
 	$| = 0; #Re-allow output buffering
    }
 }
 #
@@ -2703,7 +2754,7 @@ sub process_compiler_directive( $$$$ ) {
    print "CD===> $line\n" if $debug;
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
    my ($keyword, $expression) = ( uc $1, $2 );
@@ -2811,14 +2862,14 @@ sub process_compiler_directive( $$$$ ) {
 			      delete $actparams{$var}
 			  }
 		      } else {
-			  directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
 		      }
 		  } else {
 		      if ( exists $variables{$2} ) {
 			  delete $variables{$2};
 		      } else {
-			  directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
+			  directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
 		      }
 		  }
 	      }
@@ -2832,7 +2883,7 @@ sub process_compiler_directive( $$$$ ) {
 			      ( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
 			      $comment =~ s/\s*$//;
 			  } else {
-			      directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+			      directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
 			  }
 		      }
 		  } else {
@@ -2851,7 +2902,8 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  WARNING => sub() {
-	      directive_warning( evaluate_expression( $expression ,
+	      directive_warning( $config{VERBOSE_MESSAGES} ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
@@ -2860,7 +2912,28 @@ sub process_compiler_directive( $$$$ ) {
 	  } ,
 	  INFO => sub() {
-	      directive_info( evaluate_expression( $expression ,
+	      directive_info( $config{VERBOSE_MESSAGES} ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
 			      $filename ,
 			      $linenumber ) unless $omitting;
 	  } ,
 	  'WARNING!' => sub() {
 	      directive_warning( ! $config{VERBOSE_MESSAGES} ,
 		                 evaluate_expression( $expression ,
 						      $filename ,
 						      $linenumber ,
 						      1 ),
 				 $filename ,
 				 $linenumber ) unless $omitting;
 	  } ,
 	  'INFO!' => sub() {
 	      directive_info( ! $config{VERBOSE_MESSAGES} ,
 			      evaluate_expression( $expression ,
 						   $filename ,
 						   $linenumber ,
 						   1 ),
@@ -3821,9 +3894,10 @@ my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 sub validate_level( $;$ ) {
    my ( $rawlevel, $option ) = @_;
-    my $level    = uc $rawlevel;
+    my $level;
-    if ( supplied ( $level ) ) {
+    if ( supplied ( $rawlevel ) ) {
 	$level = uc $rawlevel;
 	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;
@@ -5678,6 +5752,24 @@ sub get_configuration( $$$$ ) {
 	$ENV{PATH} = $default_path;
    }
    fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
    fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
    close_file;
    warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    if ( $family == F_IPV6 ) {
 	open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
 	fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
 	close_file;
 	warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
    }
    my $have_capabilities;
    if ( $export || $> != 0 ) {
@@ -6109,6 +6201,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
    default_yes_no 'MINIUPNPD'                  , '';
    default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -302,7 +302,7 @@ sub convert_blacklist() {
 	if ( @rules ) {
 	    my $fn1 = find_writable_file( 'blrules' );
 	    my $blrules;
-	    my $date = localtime;
+	    my $date = compiletime;
 	    if ( -f $fn1 ) {
 		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
@@ -393,7 +393,7 @@ sub convert_routestopped() {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 	my $seq  = 0;
-	my $date = localtime;
+	my $date = compiletime;
 	my ( $stoppedrules, $fn1 );
@@ -421,7 +421,7 @@ EOF
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "$doing $fn...";
 			print( $stoppedrules
 			       "#\n" ,
@@ -649,9 +649,15 @@ sub create_docker_rules() {
 	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
 	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
 	add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 	my $outputref;
 	add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $outputref );
 	add_ijump( $outputref, j => 'DOCKER' );
 	decr_cmd_level( $outputref );
 	add_commands( $outputref, 'fi' );
    }
    add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
@@ -861,8 +867,10 @@ sub add_common_rules ( $ ) {
 	    }
 	    if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
-		add_ijump_extended( $filter_table->{input_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
+		add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
+		add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
 		add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 		add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
 	    }
 	    for ( option_chains( $interface ) ) {
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -368,7 +368,7 @@ sub setup_conntrack($) {
    if ( $convert ) {
 	my $conntrack;
 	my $empty  = 1;
-	my $date = localtime;
+	my $date = compiletime;
 	if ( $fn ) {
 	    open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4464,6 +4464,16 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    },
 	},
 	NFLOG      => {
 	    defaultchain  => 0,
 	    allowedchains => ALLCHAINS,
 	    minparams     => 0,
 	    maxparams     => 3,
 	    function      => sub () {
 		$target = validate_level( "NFLOG($params)" );
 	    }
 	},
 	RESTORE    => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -352,7 +352,7 @@ sub process_simple_device() {
 	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }
@@ -2166,7 +2166,7 @@ sub convert_tos($$) {
    if ( my $fn = open_file 'tos' ) {
 	first_entry(
 		    sub {
-			my $date = localtime;
+			my $date = compiletime;
 			progress_message2 "Converting $fn...";
 			print( $mangle
 			       "#\n" ,
@@ -2332,7 +2332,7 @@ sub setup_tc( $ ) {
 		first_entry(
 			    sub {
-				my $date = localtime;
+				my $date = compiletime;
 				progress_message2 "Converting $fn...";
 				print( $mangle
 				       "#\n" ,
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1110,7 +1110,7 @@ interface_is_usable() # $1 = interface
 #
 find_interface_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
 }
 #
@@ -1119,7 +1119,7 @@ find_interface_addresses() # $1 = interface
 find_interface_full_addresses() # $1 = interface
 {
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
 }
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -25,7 +25,7 @@ usage() {
    echo "   savesets <file>"
    echo "   call <function> [ <parameter> ... ]"
    echo "   version"
-    echo "   date"
+    echo "   info"
    echo
    echo "Options are:"
    echo
@@ -470,9 +470,9 @@ case "$COMMAND" in
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
-    date)
+    info)
 	[ $# -ne 1 ] && usage 2
-	date_command
+	info_command
 	;;
    help)
 	[ $# -ne 1 ] && usage 2
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -136,7 +136,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -242,6 +242,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -253,6 +253,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -144,7 +144,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -250,6 +250,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -147,7 +147,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -253,6 +253,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -242,6 +242,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -1215,7 +1215,7 @@ if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PR
    fi
    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    echo "$SYSCONFFILE file installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -493,13 +493,13 @@ compiler() {
    case "$g_doing" in
 	Compiling|Checking)
-	    progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
 	Updating)
 	    progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
 	    ;;
 	*)
-	    [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+	    [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
 	    ;;
    esac
    #
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -504,7 +504,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                    <member>0xc0a80403 LAND 0xFF = 0x03</member>
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
@@ -598,6 +598,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 5.0.9. Logs matching packets using
                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -595,9 +595,32 @@
                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
                back end logging daemon via a netlink socket then continues to
                the next rule. See <ulink
-                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                url="/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.
                </para>
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
                <para>NFLOG is similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro body and the invocation of that
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -2508,7 +2508,7 @@ INLINE          -       -       -       ; -j REJECT
          role="bold">refresh</emphasis>, <emphasis
          role="bold">try</emphasis>, and <emphasis
          role="bold">safe-</emphasis>* command. Logging verbosity is
-          determined by the setting of LOG_VERBOSITY above. </para>
+          determined by the setting of LOG_VERBOSITY above.</para>
        </listitem>
      </varlistentry>
@@ -2864,6 +2864,20 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
          produced by the ?INFO and ?WARNING directives include the filename
          and linenumber of the directive. When set to No, that additional
          information is omitted. The setting may be overridden on a directive
          by directive basis by following ?INFO or ?WARNING with '!' (no
          intervening white space).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -130,7 +130,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -214,6 +214,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -129,7 +129,7 @@ AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -213,6 +213,8 @@ USE_PHYSICAL_NAMES=No
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=Yes
 WARNOLDCAPVERSION=Yes
 WORKAROUNDS=No
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -515,7 +515,7 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
                    <member>0xc0a80403 LAND 0xFF = 0x03</member>
-                    <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
+                    <member>0x03 LOR 0x10100 = 0x10103 or class ID
                    1:103</member>
                  </simplelist>
                </blockquote>
@@ -609,6 +609,36 @@ INLINE                eth0              -                 ; -p tcp -j MARK --set
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis>)]</term>
              <listitem>
                <para>Added in Shorewall 5.0.9. Logs matching packets using
                NFLOG. The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1. </para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">RESTORE</emphasis>[(<emphasis>mask</emphasis>)]</term>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -574,7 +574,29 @@
                the next rule. See <ulink
                url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
-                <para>Similar to<emphasis role="bold">
+                <para>The <replaceable>nflog-parameters</replaceable> are a
                comma-separated list of up to 3 numbers:</para>
                <itemizedlist>
                  <listitem>
                    <para>The first number specifies the netlink group
                    (0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
                    0 is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The second number specifies the maximum number of
                    bytes to copy. If omitted, 0 (no limit) is assumed.</para>
                  </listitem>
                  <listitem>
                    <para>The third number specifies the number of log
                    messages that should be buffered in the kernel before they
                    are sent to user space. The default is 1.</para>
                  </listitem>
                </itemizedlist>
                <para>NFLOG is similar to<emphasis role="bold">
                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
                except that the log level is not changed when this ACTION is
                used in an action or macro and the invocation of that action
@@ -1636,7 +1658,7 @@
            <varlistentry>
              <term><emphasis role="bold">route</emphasis>, <emphasis
              role="bold">ipv6-route</emphasis> or <emphasis
-              role="bold">41</emphasis></term>
+              role="bold">43</emphasis></term>
              <listitem>
                <para>IPv6 Route extension header.</para>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -2506,6 +2506,20 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">VERBOSE_MESSAGES=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 5.0.9. When Yes (the default), messages
          produced by the ?INFO and ?WARNING directives include the filename
          and linenumber of the directive. When set to No, that additional
          information is omitted. The setting may be overridden on a directive
          by directive basis by following ?INFO or ?WARNING with '!' (no
          intervening white space).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">VERBOSITY=</emphasis>[<emphasis>number</emphasis>]</term>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -74,7 +74,7 @@
  <section>
    <title>Documentation for Earlier Versions</title>
-    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.4/4.6
+    <para><ulink url="4.6/Documentation_Index.html">Shorewall 4.4/4.6
    Documentation</ulink></para>
    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2
--- a/docs/Dynamic.xml
+++ b/docs/Dynamic.xml
@@ -95,6 +95,11 @@ rsyncok     eth1:<emphasis role="bold">dynamic</emphasis></programlisting>
      <para>When the <emphasis role="bold">dynamic_shared</emphasis> option is
      specified, a single ipset is created; the ipset has the same name as the
      zone.</para>
      <para>In the above example, <emphasis role="bold">rsyncok</emphasis> is
      a sub-zone of the single zone <emphasis role="bold">loc</emphasis>.
      Making a dynamic zone a sub-zone of multiple other zones is also
      supported.</para>
    </section>
    <section id="Adding">
--- a/docs/Shorewall-5.xml
+++ b/docs/Shorewall-5.xml
@@ -301,8 +301,8 @@
      <para>COMMENT, FORMAT and SECTION Lines now require the leading question
      mark ("?"). In earlier releases, the question mark was optional. The
-      <command>shorewall[6] update -D</command> command will insert the
+      <command>shorewall[6] update -D</command> command in Shorewall 4.6 will
-      question marks for you.</para>
+      insert the question marks for you.</para>
    </section>
  </section>
@@ -359,7 +359,7 @@
    <para>It is strongly recommended that you first upgrade your installation
    to a 4.6 release that supports the <option>-A</option> option to the
-    <command>update</command> command; 4.6.13 is preferred.</para>
+    <command>update</command> command; 4.6.13.2 or later is preferred.</para>
    <para>Once you are on that release, execute the <command>shorewall update
    -A</command> command (and <command>shorewall6 update -A</command> if you
@@ -374,11 +374,11 @@
    likely won't start or work correctly until you do.</para>
    <para>The <command>update</command> command in Shorewall 5 has many fewer
-    options. The <option>-b</option>, <option>-t</option>, <option>-n</option>
+    options. The <option>-b</option>, <option>-t</option>,
-    and <option>-s </option>options have been removed -- the updates triggered
+    <option>-n</option>, <option>-D</option> and <option>-s </option>options
-    by those options are now performed unconditionally. The <option>-i
+    have been removed -- the updates triggered by those options are now
-    </option>and <option>-A </option>options have been retained - both enable
+    performed unconditionally. The <option>-i </option>and <option>-A
-    checking for issues that could result if INLINE_MATCHES were to be set to
+    </option>options have been retained - both enable checking for issues that
-    Yes.</para>
+    could result if INLINE_MATCHES were to be set to Yes.</para>
  </section>
 </article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -48,7 +48,7 @@
  <section id="Intro">
    <title>Introduction</title>
-    <para>Shorewall supports two different types of blackliisting; rule-based,
+    <para>Shorewall supports two different types of blacklisting; rule-based,
    static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
    controls the degree of blacklist filtering.</para>
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -293,7 +293,7 @@ gateway:/etc/shorewall#                                               </programl
      <itemizedlist>
        <listitem>
-          <para>The first number specifies the netlink group (0-32). If
+          <para>The first number specifies the netlink group (0-65535). If
          omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.</para>
        </listitem>
Author	SHA1	Message	Date
Tom Eastep	e7315b8e0e	Make ipset-based dynamic blacklisting work in the FORWARD chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-13 15:03:09 -07:00
Tom Eastep	c58611f7fb	Correct a warning message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-13 15:03:03 -07:00
Tom Eastep	24b396bc67	Avoid run-time Perl diagnostic when validating a null log level Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-09 09:12:13 -07:00
Tom Eastep	6eb8416c2b	Don't link SysV init script if $SERVICEDIR is given on Debian. - Fixes issue with package build environment. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-08 15:56:56 -07:00
Matt Darfeuille	0925636995	(Fwd) [Shorewall-users] Shorewall-lite on OpenWRT On 7 Jun 2016 at 8:21, Tom Eastep wrote: > On 06/07/2016 06:40 AM, Matt Darfeuille wrote: > > On 5 Jun 2016 at 12:53, Tom Eastep wrote: > > > >> On 06/05/2016 12:33 PM, Matt Darfeuille wrote: > >>> On 5 Jun 2016 at 7:57, Tom Eastep wrote: > >>> > >>>> On 05/29/2016 02:00 AM, Matt Darfeuille wrote: > >>>> > >>>> Hi Matt, > >>>> > >>>>> > >>>>> -------------- Enclosure number 1 ---------------- > >>>>> >From 6ff651108df33ab8be4562caef03a8582e9eac5e Mon Sep 17 00:00:00 2001 > >>>>> From: Matt Darfeuille <matdarf@gmail.com> > >>>>> Date: Tue, 24 May 2016 13:10:28 +0200 > >>>>> Subject: [PATCH 1/8] Emulate 'ps -p' using grep to work on openwrt > >>>>> > >>>>> Signed-off-by: Matt Darfeuille <matdarf@gmail.com> > >>>>> --- > >>>>> Shorewall-core/lib.common \| 2 +- > >>>>> 1 file changed, 1 insertion(+), 1 deletion(-) > >>>>> > >>>>> diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common > >>>>> index 03ecb2a..fcb02ee 100644 > >>>>> --- a/Shorewall-core/lib.common > >>>>> +++ b/Shorewall-core/lib.common > >>>>> @@ -776,7 +776,7 @@ mutex_on() > >>>>> error_message "WARNING: Stale lockfile ${lockf} removed" > >>>>> elif [ $lockpid -eq $$ ]; then > >>>>> return 0 > >>>>> - elif ! qt ps p ${lockpid}; then > >>>>> + elif ! qt ps \| grep -v grep \| grep ${lockpid}; then > >>>> > >>>> I don't see how this can work -- 'qt ps' will produce no output yet the > >>>> code pipes into tandem greps. > >>>> > >>>> Do you really want this instead? > >>>> > >>>> elif ! ps \| grep -v grep \| qt grep ${lockpid}; then > >>>> > >>> > >>> Oops sorry Tom, that's what I meant(do you want the corrected > >>> patch?)! > >> > >> Yes, please. > >> > > > > Tom, along with correcting this faulty commit I realize, after some > > more testing, that I've also sent unnecessary commits. > > > > Should I revert these 3 commits(git revert ...): > > Set proper permissions for the LOCKFILE on openwrt > > 2ded346cb557212389212fd5adcd4c6800edbb62 > > Create lockfile before using openwrt's lock utility > > 08e8796ff1abc3b24b8bbd40bf5e0a2b36464d61 > > Emulate 'ps -p' using grep to work on openwrt > > 6ff651108df33ab8be4562caef03a8582e9eac5e > > > > or should I simply create new commits that will correct these faulty > > commits? > > > > In other words what's the best way to correct submited commits. > > > > Matt, > > Either way is fine. > Hopefully these 3 commits will do it(code-fixes.patch): Patch 1 will correct the error you have point out! On OpenWRT the lock utility doesn't allow to append the pid of the currently running script to the LOCKFILE that's why I've simply deleted that line(patch 2). I've also reordered the permissions line to be added after the line that will lock the file specified by the LOCKFILE variable(patch 3). and two other patches: While installing shorewall-init using the DESTDIR variable on debian, 'mkdir' would complain if the directory ${DESTDIR}/${etc}/default already exist; corrected using 'mkdir -p ...'(patch 4). The last patch will correct a typo in the blacklisting_support article. -Matt -------------- Enclosure number 1 ---------------- >From 1a2ff15c8dc994030e819d2882570d188b99c501 Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Wed, 8 Jun 2016 09:09:46 +0200 Subject: [PATCH 1/5] Correct pid detection mutex_on() Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-08 15:40:48 -07:00
Matt Darfeuille	cd4e9654d8	(Fwd) [Shorewall-users] Shorewall-lite on OpenWRT ------- Forwarded message follows ------- From: istvan@istvan.org To: shorewall-users@lists.sourceforge.net Date sent: Thu, 19 May 2016 09:10:21 +0200 Subject: [Shorewall-users] Shorewall-lite on OpenWRT Send reply to: Shorewall Users <shorewall-users@lists.sourceforge.net> <mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe> <mailto:shorewall-users-request@lists.sourceforge.net?subject=subscribe> Hi there, I use Shorewall on an OpenWRT distribution and I experience 2 problems. I have solved them myself and report them here to help others with it. Shorewall version: shorewall[6]-lite 5.0.4 OpenWRT version: Chaos Calmer 15.05, r46767 Problem 1: Shorewall uses the lock utility from openwrt. I believe it is used in the wrong way. File lib.common line 775 First it passes arguments which the utility doesn't use/know. The util accepts them dumbly and continues to create a lockfile. It has no time-out functionality. I do not know the meaning of the r1 argument. Second the mutex_off simply deletes the lockfile by using the utility rm. This way a stale lock process keeps running. After a while the router is running a high number of stale processes which has impact on the load of the router. The correct way is to use "lock -u /lib/shorewall-lite/lock". This way the lockfile will be removed and the process will be terminated accordingly. To make it work for me, I no more let shorewall use the lock utility by using an ugly hack. Problem 2: An fgrep on the output of the type utility is wrongly coded. The output of the type command probably has been changed. File lib.cli line 4343 It is coded: "if type $1 2> /dev/null \| fgrep -q 'is a function'; then" To make it work for me, it should be coded: "if type $1 2> /dev/null \| fgrep -q 'is a shell function'; then" With regards, Stefan ------- End of forwarded message ------- Tom, attached as code.patch, are the patches that I believe will correct those issues In addition to those patches I've also added 3 patches: - Patch 1 will emulate the -p flag of the ps utility which is not available on openwrt. - The last two patches will add "file" to the progress message of SYSCONFFILE to make it more consistent among the installers. In shorewall-init/install.sh the else clause between the line 586 and 597 will only work for a sysvinit script. Should I make it also work for a systemd service script or can't we simply remove that else clause? In the compiled firewall script the comments before and after the functions imported from lib.common have two slashes in the path: $ grep -H lib.common firewall firewall:# Functions imported from /usr/share/shorewall//lib.common firewall:# End of imports from /usr/share/shorewall//lib.common -Matt -------------- Enclosure number 1 ---------------- >From 6ff651108df33ab8be4562caef03a8582e9eac5e Mon Sep 17 00:00:00 2001 From: Matt Darfeuille <matdarf@gmail.com> Date: Tue, 24 May 2016 13:10:28 +0200 Subject: [PATCH 1/8] Emulate 'ps -p' using grep to work on openwrt Signed-off-by: Matt Darfeuille <matdarf@gmail.com> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-08 15:40:36 -07:00
Tom Eastep	cd01df4200	Allow more than 9 interfaces with Simple TC Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-07 14:43:37 -07:00
Tom Eastep	7798c52a19	Fix DOCKER=Yes when docker0 is defined and Docker isn't started. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-22 17:50:51 -07:00
Tom Eastep	2809d6896c	Clarify dynamic sub-zones Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-18 08:20:23 -07:00
Tom Eastep	1d066bdfa4	Minor updates to the Shorewall 5 article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-18 08:19:47 -07:00
Tom Eastep	9b7088158b	Correct ipv6-route header number Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-10 07:12:01 -07:00
Tom Eastep	625d763372	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code Conflicts: Shorewall/Perl/Shorewall/Config.pm	2016-05-07 13:50:01 -07:00
Tom Eastep	82169a0bfd	Use 'date' format for compiletime rather than localtime format Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-07 13:48:16 -07:00
Tom Eastep	0d16b2820a	Use 'date' format for compiletime rather than localtime format Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-06 13:28:22 -07:00
Tom Eastep	d4df67966d	Turn on AUTOMAKE in the sample configurations Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-06 08:46:11 -07:00
Tom Eastep	f16bb887f3	Report versions as Shorewall's rather than Shorewall6's Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-05 15:41:46 -07:00
Tom Eastep	64fb662bb1	Verify Shorewall6 version when compiling for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-05 15:22:47 -07:00
Tom Eastep	ce20e5592b	Cross-check core and standard versions during compilation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-05 13:53:26 -07:00
Tom Eastep	590243a787	Add NFLOG as a supported mangle action - Also document nflog-parameters - Correct range of nflog groups Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-03 11:27:34 -07:00
Tom Eastep	9dd0346987	Apply Paul Gear's patch for Ubuntu 16.04 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-05-02 07:25:37 -07:00
Tom Eastep	ccfa181a6d	Tweak compile_info_command() - Fix comment - use $globals{VERSION} for the version number Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-30 14:12:34 -07:00
Tom Eastep	d959fd4445	Fix link Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-30 08:37:20 -07:00
Tom Eastep	b7de785396	Correct typo in manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-30 08:34:43 -07:00
Tom Eastep	24d40f4cc2	Add VERBOSE_MESSAGES option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-30 08:00:56 -07:00
Tom Eastep	244f2cefe5	Update comment describing info_command() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-29 15:42:48 -07:00
Tom Eastep	ec23ca67f8	Remove the parentheses from around the start/stop time Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-29 15:32:17 -07:00
Tom Eastep	a2345325dd	Move show_status() to before its first reference Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-29 15:31:55 -07:00
Tom Eastep	1308560aba	Display compilation date/time in 'status -a' output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-29 14:12:53 -07:00
Tom Eastep	41923cb80e	Improve compile time/date implementation - Rename the command from 'date' to 'info' - Return the complete date/time/version string in the command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-29 12:31:17 -07:00