forked from extern/shorewall_code
Compare commits
29 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
e40be793ba | ||
|
ab65b7c274 | ||
|
4585888ebb | ||
|
63ac075363 | ||
|
e41309c9d8 | ||
|
4cf7f331cd | ||
|
5725659188 | ||
|
99a81b492b | ||
|
f0e5b00f10 | ||
|
2c10d4b8f9 | ||
|
50f06ff80e | ||
|
51f79f40ec | ||
|
43c7e4f12b | ||
|
c57c42856b | ||
|
0857c12a9c | ||
|
e352cd3a65 | ||
|
d412547020 | ||
|
f2fa68bdc9 | ||
|
059553b134 | ||
|
65631e14c7 | ||
|
9f9d5e3bc9 | ||
|
1dd93bbb22 | ||
|
6ce1b9c608 | ||
|
a258de3c9d | ||
|
a796623dde | ||
|
f6f840bebf | ||
|
59905e8744 | ||
|
7d2f6379e0 | ||
|
8bdd9828fd |
@ -23,7 +23,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-init
|
%define name shorewall-init
|
||||||
%define version 4.4.13
|
%define version 4.4.13
|
||||||
%define release 0RC1
|
%define release 3
|
||||||
|
|
||||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -99,6 +99,14 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-3
|
||||||
|
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-2
|
||||||
|
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-1
|
||||||
|
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-0base
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.13-0RC1
|
- Updated to 4.4.13-0RC1
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -17,10 +17,9 @@ SRWL=/sbin/shorewall-lite
|
|||||||
SRWL_OPTS="-tvv"
|
SRWL_OPTS="-tvv"
|
||||||
test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
|
test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
|
||||||
|
|
||||||
[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
|
[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
|
||||||
|
|
||||||
export SHOREWALL_INIT_SCRIPT
|
export SHOREWALL_INIT_SCRIPT
|
||||||
|
|
||||||
test -x $SRWL || exit 0
|
test -x $SRWL || exit 0
|
||||||
test -x $WAIT_FOR_IFUP || exit 0
|
test -x $WAIT_FOR_IFUP || exit 0
|
||||||
test -n "$INITLOG" || {
|
test -n "$INITLOG" || {
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -94,9 +94,9 @@ get_config() {
|
|||||||
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
|
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
|
||||||
|
|
||||||
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
|
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
|
||||||
LOGREAD="logread | tac"
|
g_logread="logread | tac"
|
||||||
elif [ -r $LOGFILE ]; then
|
elif [ -r $LOGFILE ]; then
|
||||||
LOGREAD="tac $LOGFILE"
|
g_logread="tac $LOGFILE"
|
||||||
else
|
else
|
||||||
echo "LOGFILE ($LOGFILE) does not exist!" >&2
|
echo "LOGFILE ($LOGFILE) does not exist!" >&2
|
||||||
exit 2
|
exit 2
|
||||||
@ -145,6 +145,12 @@ get_config() {
|
|||||||
|
|
||||||
[ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
|
[ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
|
||||||
|
|
||||||
|
if [ $VERBOSITY -lt -1 ]; then
|
||||||
|
VERBOSITY=-1
|
||||||
|
elif [ $VERBOSITY -gt 2 ]; then
|
||||||
|
VERBOSITY=2
|
||||||
|
fi
|
||||||
|
|
||||||
g_hostname=$(hostname 2> /dev/null)
|
g_hostname=$(hostname 2> /dev/null)
|
||||||
|
|
||||||
IP=$(mywhich ip 2> /dev/null)
|
IP=$(mywhich ip 2> /dev/null)
|
||||||
@ -463,6 +469,7 @@ g_use_verbosity=
|
|||||||
g_noroutes=
|
g_noroutes=
|
||||||
g_timestamp=
|
g_timestamp=
|
||||||
g_recovering=
|
g_recovering=
|
||||||
|
g_logread=
|
||||||
|
|
||||||
finished=0
|
finished=0
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall-lite
|
%define name shorewall-lite
|
||||||
%define version 4.4.13
|
%define version 4.4.13
|
||||||
%define release 0RC1
|
%define release 3
|
||||||
|
|
||||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -102,6 +102,14 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-3
|
||||||
|
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-2
|
||||||
|
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-1
|
||||||
|
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-0base
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.13-0RC1
|
- Updated to 4.4.13-0RC1
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -68,7 +68,7 @@ our %EXPORT_TAGS = (
|
|||||||
SET
|
SET
|
||||||
NO_RESTRICT
|
NO_RESTRICT
|
||||||
PREROUTE_RESTRICT
|
PREROUTE_RESTRICT
|
||||||
DESTIFAC_DISALLOW
|
DESTIFACE_DISALLOW
|
||||||
INPUT_RESTRICT
|
INPUT_RESTRICT
|
||||||
OUTPUT_RESTRICT
|
OUTPUT_RESTRICT
|
||||||
POSTROUTE_RESTRICT
|
POSTROUTE_RESTRICT
|
||||||
@ -261,13 +261,13 @@ our %targets;
|
|||||||
#
|
#
|
||||||
# expand_rule() restrictions
|
# expand_rule() restrictions
|
||||||
#
|
#
|
||||||
use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule
|
use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule
|
||||||
PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d <address list> using main routing table
|
PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d <address list> using main routing table
|
||||||
INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
|
INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
|
||||||
OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
|
OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
|
||||||
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
|
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
|
||||||
ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
|
ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
|
||||||
DESTIFAC_DISALLOW => 32, # Don't allow dest interface
|
DESTIFACE_DISALLOW => 32, # Don't allow dest interface
|
||||||
};
|
};
|
||||||
|
|
||||||
our $iprangematch;
|
our $iprangematch;
|
||||||
@ -3408,14 +3408,14 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
#
|
#
|
||||||
# Dest interface -- must use routing table
|
# Dest interface -- must use routing table
|
||||||
#
|
#
|
||||||
fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFAC_DISALLOW;
|
fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFACE_DISALLOW;
|
||||||
fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface );
|
fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface );
|
||||||
push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
|
push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
|
||||||
$rule .= '-d $dest ';
|
$rule .= '-d $dest ';
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
|
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
|
||||||
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
|
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
|
||||||
fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFAC_DISALLOW;
|
fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFACE_DISALLOW;
|
||||||
|
|
||||||
if ( $iiface ) {
|
if ( $iiface ) {
|
||||||
my $bridge = port_to_bridge( $diface );
|
my $bridge = port_to_bridge( $diface );
|
||||||
@ -3746,7 +3746,7 @@ sub promote_blacklist_rules() {
|
|||||||
#
|
#
|
||||||
unless ( $chain2ref->{blacklist} ) {
|
unless ( $chain2ref->{blacklist} ) {
|
||||||
unshift @{$chain2ref->{rules}}, $rule;
|
unshift @{$chain2ref->{rules}}, $rule;
|
||||||
$chainbref->{references}{$chain2ref->{name}}++;
|
add_reference $chain2ref, $chainbref;
|
||||||
$chain2ref->{blacklist} = 1;
|
$chain2ref->{blacklist} = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -347,7 +347,7 @@ sub initialize( $ ) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
STATEMATCH => '-m state --state',
|
STATEMATCH => '-m state --state',
|
||||||
UNTRACKED => 0,
|
UNTRACKED => 0,
|
||||||
VERSION => "4.4.13-RC1",
|
VERSION => "4.4.13.3",
|
||||||
CAPVERSION => 40413 ,
|
CAPVERSION => 40413 ,
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -1093,7 +1093,7 @@ sub progress_message2 {
|
|||||||
|
|
||||||
@localtime = localtime unless $havelocaltime;
|
@localtime = localtime unless $havelocaltime;
|
||||||
|
|
||||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||||
print $log "@_\n";
|
print $log "@_\n";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1114,7 +1114,7 @@ sub progress_message3 {
|
|||||||
|
|
||||||
@localtime = localtime unless $havelocaltime;
|
@localtime = localtime unless $havelocaltime;
|
||||||
|
|
||||||
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
|
||||||
print $log "@_\n";
|
print $log "@_\n";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1475,11 +1475,12 @@ sub split_list1( $$ ) {
|
|||||||
|
|
||||||
if ( ( $count = tr/(/(/ ) > 0 ) {
|
if ( ( $count = tr/(/(/ ) > 0 ) {
|
||||||
fatal_error "Invalid $type list ($list)" if $element || $count > 1;
|
fatal_error "Invalid $type list ($list)" if $element || $count > 1;
|
||||||
|
s/\(//;
|
||||||
if ( ( $count = tr/)/)/ ) > 0 ) {
|
if ( ( $count = tr/)/)/ ) > 0 ) {
|
||||||
fatal_error "Invalid $type list ($list)" if $count > 1;
|
fatal_error "Invalid $type list ($list)" if $count > 1;
|
||||||
|
s/\)//;
|
||||||
push @list2 , $_;
|
push @list2 , $_;
|
||||||
} else {
|
} else {
|
||||||
s/\(//;
|
|
||||||
$element = $_;
|
$element = $_;
|
||||||
}
|
}
|
||||||
} elsif ( ( $count = tr/)/)/ ) > 0 ) {
|
} elsif ( ( $count = tr/)/)/ ) > 0 ) {
|
||||||
@ -1576,7 +1577,12 @@ sub open_file( $ ) {
|
|||||||
|
|
||||||
assert( ! defined $currentfile );
|
assert( ! defined $currentfile );
|
||||||
|
|
||||||
-f $fname && -s _ ? do_open_file $fname : '';
|
if ( -f $fname && -s _ ) {
|
||||||
|
$first_entry = 0;
|
||||||
|
do_open_file $fname;;
|
||||||
|
} else {
|
||||||
|
'';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -1861,20 +1861,13 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
progress_message2 'Generating Rule Matrix...';
|
progress_message2 'Generating Rule Matrix...';
|
||||||
#
|
#
|
||||||
# Special processing for complex configurations
|
# Special processing for complex and blacklisting configurations
|
||||||
#
|
#
|
||||||
for my $zone ( @zones ) {
|
for my $zone ( @zones ) {
|
||||||
my $zoneref = find_zone( $zone );
|
my $zoneref = find_zone( $zone );
|
||||||
|
|
||||||
next if @zones <= 2 && ! $zoneref->{options}{complex};
|
|
||||||
#
|
|
||||||
# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
|
|
||||||
#
|
|
||||||
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
|
||||||
|
|
||||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||||
my $blackref = $filter_table->{blacklst};
|
my $blackref = $filter_table->{blacklst};
|
||||||
add_jump $frwd_ref , $blackref, 0, $state, 0, -1;
|
|
||||||
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1892,6 +1885,15 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
next if @zones <= 2 && ! $zoneref->{options}{complex};
|
||||||
|
|
||||||
|
#
|
||||||
|
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
|
||||||
|
#
|
||||||
|
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
||||||
|
|
||||||
|
add_jump $frwd_ref , $filter_table->{blacklst}, 0, $state, 0, -1 if $zoneref->{options}{in}{blacklist};
|
||||||
|
|
||||||
if ( have_ipsec ) {
|
if ( have_ipsec ) {
|
||||||
#
|
#
|
||||||
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
|
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
|
||||||
|
@ -296,7 +296,7 @@ sub process_tc_rule( ) {
|
|||||||
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
|
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
|
||||||
}
|
}
|
||||||
|
|
||||||
$restriction = DESTIFAC_DISALLOW;
|
$restriction = DESTIFACE_DISALLOW;
|
||||||
|
|
||||||
ensure_mangle_chain($target);
|
ensure_mangle_chain($target);
|
||||||
|
|
||||||
|
@ -34,7 +34,7 @@ use strict;
|
|||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( setup_tunnels );
|
our @EXPORT = qw( setup_tunnels );
|
||||||
our @EXPORT_OK = ( );
|
our @EXPORT_OK = ( );
|
||||||
our $VERSION = '4.4_9';
|
our $VERSION = '4.4_13';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Here starts the tunnel stuff -- we really should get rid of this crap...
|
# Here starts the tunnel stuff -- we really should get rid of this crap...
|
||||||
|
@ -903,6 +903,8 @@ sub process_interface( $$ ) {
|
|||||||
$root = $interface;
|
$root = $interface;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
|
||||||
|
|
||||||
my $physical = $interface;
|
my $physical = $interface;
|
||||||
my $broadcasts;
|
my $broadcasts;
|
||||||
|
|
||||||
@ -1183,6 +1185,8 @@ sub known_interface($;$)
|
|||||||
|
|
||||||
return $interfaceref if $interfaceref;
|
return $interfaceref if $interfaceref;
|
||||||
|
|
||||||
|
fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
|
||||||
|
|
||||||
for my $i ( @interfaces ) {
|
for my $i ( @interfaces ) {
|
||||||
$interfaceref = $interfaces{$i};
|
$interfaceref = $interfaces{$i};
|
||||||
my $root = $interfaceref->{root};
|
my $root = $interfaceref->{root};
|
||||||
@ -1807,7 +1811,7 @@ sub find_hosts_by_option( $ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Retruns a reference to a list of zones with the passed in/out option
|
# Returns a reference to a list of zones with the passed in/out option
|
||||||
#
|
#
|
||||||
|
|
||||||
sub find_zones_by_option( $$ ) {
|
sub find_zones_by_option( $$ ) {
|
||||||
|
@ -1,3 +1,19 @@
|
|||||||
|
Changes in Shorewall 4.4.13.3
|
||||||
|
|
||||||
|
1) Fix log reading in the -lite packages.
|
||||||
|
|
||||||
|
Changes in Shorewall 4.4.13.2
|
||||||
|
|
||||||
|
1) Fix Debian -lite init scripts.
|
||||||
|
|
||||||
|
2) Clamp VERBOSITY to valid range.
|
||||||
|
|
||||||
|
Changes in Shorewall 4.4.13.1
|
||||||
|
|
||||||
|
1) Make log messages uniform.
|
||||||
|
|
||||||
|
2) Fix blacklisting in simple configurations.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.13
|
Changes in Shorewall 4.4.13
|
||||||
|
|
||||||
1) Allow zone lists in rules SOURCE and DEST.
|
1) Allow zone lists in rules SOURCE and DEST.
|
||||||
@ -35,6 +51,8 @@ Changes in Shorewall 4.4.13
|
|||||||
|
|
||||||
16) Correct port-range check in tcfilters.
|
16) Correct port-range check in tcfilters.
|
||||||
|
|
||||||
|
17) Disallow '*' in interface names.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.12
|
Changes in Shorewall 4.4.12
|
||||||
|
|
||||||
1) Fix IPv6 shorecap program.
|
1) Fix IPv6 shorecap program.
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -1 +1,58 @@
|
|||||||
There are no known problems in Shorewall 4.4.13-RC1
|
1) On systems running Upstart, shorewall-init cannot reliably start the
|
||||||
|
firewall before interfaces are brought up.
|
||||||
|
|
||||||
|
2) The date/time formatting in the STARTUP_LOG is not uniform.
|
||||||
|
|
||||||
|
Fixed in 4.4.13.1
|
||||||
|
|
||||||
|
3) The blacklisting change in 4.4.13 broke blacklisting in some simple
|
||||||
|
configurations with the effect that blacklisting was not enabled.
|
||||||
|
|
||||||
|
Fixed in 4.4.13.1
|
||||||
|
|
||||||
|
The issue may also be worked around is follows.
|
||||||
|
|
||||||
|
If you currently have an entry similar to this in
|
||||||
|
/etc/shorewall/interfaces:
|
||||||
|
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
net eth0 detect blacklist,...
|
||||||
|
|
||||||
|
then remove the 'blacklist' option from that entry and change the
|
||||||
|
'net' entry in /etc/shorewall/zones as follows:
|
||||||
|
|
||||||
|
#ZONE TYPE OPTIONS IN_OPTIONS
|
||||||
|
net ipv4 - blacklist
|
||||||
|
|
||||||
|
4) The Debian init scripts for Shorewall-lite and Shorewall6-lite
|
||||||
|
contain a syntax error.
|
||||||
|
|
||||||
|
Fixed in 4.4.13.2.
|
||||||
|
|
||||||
|
5) If the -v or -q option is passed to /sbin/shorewall-lite or
|
||||||
|
/sbin/shorewall6-lite on a command that involves the compiled
|
||||||
|
script, then the command will fail if the effective verbosity is
|
||||||
|
> 2 or < -1.
|
||||||
|
|
||||||
|
Fixed in 4.4.13.2.
|
||||||
|
|
||||||
|
6) When running one of the -lite packages, the log reading commands
|
||||||
|
(show log, logwatch and dump) show no log record.
|
||||||
|
|
||||||
|
Fixed in 4.4.13.3.
|
||||||
|
|
||||||
|
7) In /etc/shorewall/interfaces, if nets=(a.b.c.d/e) is entered then a
|
||||||
|
fatal error is erroneously raised.
|
||||||
|
|
||||||
|
Workaround: Remove the parentheses (e.g., nets=a.b.c.d/e).
|
||||||
|
|
||||||
|
8) If 10 or more interfaces are configured in Complex Traffic Shaping
|
||||||
|
(/etc/shorewall/tcdevices), the following compilation diagnostic
|
||||||
|
is issued:
|
||||||
|
|
||||||
|
Argument "a" isn't numeric in sprintf at
|
||||||
|
/usr/share/shorewall/Shorewall/Config.pm line 893.
|
||||||
|
|
||||||
|
and an invalid TC configuration is generated.
|
||||||
|
|
||||||
|
Fixed in 4.4.14.
|
||||||
|
@ -34,6 +34,10 @@ get_script_version() { # $1 = script
|
|||||||
local version
|
local version
|
||||||
local ifs
|
local ifs
|
||||||
local digits
|
local digits
|
||||||
|
local verbosity
|
||||||
|
|
||||||
|
verbosity="$VERBOSITY"
|
||||||
|
VERBOSITY=0
|
||||||
|
|
||||||
temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
|
temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
|
||||||
|
|
||||||
@ -54,6 +58,8 @@ get_script_version() { # $1 = script
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo $version
|
echo $version
|
||||||
|
|
||||||
|
VERBOSITY="$verbosity"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -1,6 +1,5 @@
|
|||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
S H O R E W A L L 4 . 4 . 1 3
|
S H O R E W A L L 4 . 4 . 1 3 . 3
|
||||||
R C 1
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
I. PROBLEMS CORRECTED IN THIS RELEASE
|
I. PROBLEMS CORRECTED IN THIS RELEASE
|
||||||
@ -14,6 +13,30 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
|||||||
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
4.4.13.3
|
||||||
|
|
||||||
|
1) The log-reading commands (show log, logwatch and dump) always
|
||||||
|
showed an empty log when using one of the -lite packages.
|
||||||
|
|
||||||
|
4.4.13.2
|
||||||
|
|
||||||
|
1) The Debian init scripts for Shorewall-lite and Shorewall6-lite
|
||||||
|
contained a syntax error.
|
||||||
|
|
||||||
|
2) If the -v or -q option was passed to /sbin/shorewall-lite or
|
||||||
|
/sbin/shorewall6-lite on a command that involved the compiled
|
||||||
|
script, then the command would fail if the effective verbosity was
|
||||||
|
> 2 or < -1.
|
||||||
|
|
||||||
|
4.4.13.1
|
||||||
|
|
||||||
|
1) Previously, messages to the STARTUP_LOG had inconsistent date formats.
|
||||||
|
|
||||||
|
2) The blacklisting change in 4.4.13 was broken in some simple
|
||||||
|
configurations with the effect that blacklisting was not enabled.
|
||||||
|
|
||||||
|
4.4.13
|
||||||
|
|
||||||
1) Under rare circumstances where COMMENT is used to attach comments
|
1) Under rare circumstances where COMMENT is used to attach comments
|
||||||
to rules, OPTIMIZE 8 through 15 could result in invalid
|
to rules, OPTIMIZE 8 through 15 could result in invalid
|
||||||
iptables-restore (ip6tables-restore) input.
|
iptables-restore (ip6tables-restore) input.
|
||||||
@ -116,6 +139,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
|||||||
13) An error message was incorrectly generated if a port range of the
|
13) An error message was incorrectly generated if a port range of the
|
||||||
form :<port> (e.g., :22) appeared.
|
form :<port> (e.g., :22) appeared.
|
||||||
|
|
||||||
|
14) An error is now generated if '*' appears in an interface name.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
I I. K N O W N P R O B L E M S R E M A I N I N G
|
I I. K N O W N P R O B L E M S R E M A I N I N G
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 4.4.13
|
%define version 4.4.13
|
||||||
%define release 0RC1
|
%define release 3
|
||||||
|
|
||||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -108,6 +108,14 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-3
|
||||||
|
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-2
|
||||||
|
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-1
|
||||||
|
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-0base
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.13-0RC1
|
- Updated to 4.4.13-0RC1
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -17,7 +17,7 @@ SRWL=/sbin/shorewall6-lite
|
|||||||
SRWL_OPTS="-tvv"
|
SRWL_OPTS="-tvv"
|
||||||
test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
|
test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
|
||||||
|
|
||||||
[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
|
[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
|
||||||
|
|
||||||
export SHOREWALL_INIT_SCRIPT
|
export SHOREWALL_INIT_SCRIPT
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -94,9 +94,9 @@ get_config() {
|
|||||||
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
|
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
|
||||||
|
|
||||||
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
|
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
|
||||||
LOGREAD="logread | tac"
|
g_logread="logread | tac"
|
||||||
elif [ -r $LOGFILE ]; then
|
elif [ -r $LOGFILE ]; then
|
||||||
LOGREAD="tac $LOGFILE"
|
g_logread="tac $LOGFILE"
|
||||||
else
|
else
|
||||||
echo "LOGFILE ($LOGFILE) does not exist!" >&2
|
echo "LOGFILE ($LOGFILE) does not exist!" >&2
|
||||||
exit 2
|
exit 2
|
||||||
@ -145,6 +145,12 @@ get_config() {
|
|||||||
|
|
||||||
[ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
|
[ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
|
||||||
|
|
||||||
|
if [ $VERBOSITY -lt -1 ]; then
|
||||||
|
VERBOSITY=-1
|
||||||
|
elif [ $VERBOSITY -gt 2 ]; then
|
||||||
|
VERBOSITY=2
|
||||||
|
fi
|
||||||
|
|
||||||
g_hostname=$(hostname 2> /dev/null)
|
g_hostname=$(hostname 2> /dev/null)
|
||||||
|
|
||||||
IP=$(mywhich ip 2> /dev/null)
|
IP=$(mywhich ip 2> /dev/null)
|
||||||
@ -447,6 +453,7 @@ g_noroutes=
|
|||||||
g_timestamp=
|
g_timestamp=
|
||||||
g_recovering=
|
g_recovering=
|
||||||
g_purge=
|
g_purge=
|
||||||
|
g_logread=
|
||||||
|
|
||||||
finished=0
|
finished=0
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall6-lite
|
%define name shorewall6-lite
|
||||||
%define version 4.4.13
|
%define version 4.4.13
|
||||||
%define release 0RC1
|
%define release 3
|
||||||
|
|
||||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -93,6 +93,14 @@ fi
|
|||||||
%doc COPYING changelog.txt releasenotes.txt
|
%doc COPYING changelog.txt releasenotes.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-3
|
||||||
|
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-2
|
||||||
|
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-1
|
||||||
|
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-0base
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.13-0RC1
|
- Updated to 4.4.13-0RC1
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -32,6 +32,10 @@ get_script_version() { # $1 = script
|
|||||||
local version
|
local version
|
||||||
local ifs
|
local ifs
|
||||||
local digits
|
local digits
|
||||||
|
local verbosity
|
||||||
|
|
||||||
|
verbosity="$VERBOSITY"
|
||||||
|
VERBOSITY=0
|
||||||
|
|
||||||
temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
|
temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
|
||||||
|
|
||||||
@ -52,6 +56,8 @@ get_script_version() { # $1 = script
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo $version
|
echo $version
|
||||||
|
|
||||||
|
VERBOSITY="$verbosity"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall6
|
%define name shorewall6
|
||||||
%define version 4.4.13
|
%define version 4.4.13
|
||||||
%define release 0RC1
|
%define release 3
|
||||||
|
|
||||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||||
Name: %{name}
|
Name: %{name}
|
||||||
@ -98,6 +98,14 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-3
|
||||||
|
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-2
|
||||||
|
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-1
|
||||||
|
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
|
||||||
|
- Updated to 4.4.13-0base
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 4.4.13-0RC1
|
- Updated to 4.4.13-0RC1
|
||||||
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Shorewall Firewall
|
# shown below. Simply run this script to remove Shorewall Firewall
|
||||||
|
|
||||||
VERSION=4.4.13-RC1
|
VERSION=4.4.13.3
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
Loading…
Reference in New Issue
Block a user