Tom Eastep
e40be793ba Insure that VERBOSITY=0 when interrogating compiled script version
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-28 11:24:52 -07:00
Tom Eastep
ab65b7c274 Update 4.4.13 Known Problems
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-28 11:02:20 -07:00
Tom Eastep
4585888ebb Update known problems with split_list() issue 2010-10-26 07:10:01 -07:00
Tom Eastep
63ac075363 Fix split_list() 2010-10-26 07:04:07 -07:00
Tom Eastep
e41309c9d8 Correct problems corrected.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-02 13:20:51 -07:00
Tom Eastep
4cf7f331cd Shorewall 4.4.13.3
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-02 13:06:13 -07:00
Tom Eastep
5725659188 Fix log reading in the -lite packages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-02 13:03:21 -07:00
Tom Eastep
99a81b492b Correct version 2010-10-01 15:28:17 -07:00
Tom Eastep
f0e5b00f10 Shorewall 4.4.13.2
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-01 15:25:39 -07:00
Tom Eastep
2c10d4b8f9 Clamp VERBOSITY to valid range
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-01 15:20:34 -07:00
Tom Eastep
50f06ff80e Correct Debian Lite init scripts
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-10-01 15:20:25 -07:00
Tom Eastep
51f79f40ec Revise fix for extraneous progress messages 2010-09-27 16:16:29 -07:00
Tom Eastep
43c7e4f12b Prevent random progress messages during compilation.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-27 15:56:49 -07:00
Tom Eastep
c57c42856b Add workaround to known problems 2010-09-26 12:36:39 -07:00
Tom Eastep
0857c12a9c Fix syntax error in blacklist fix 2010-09-24 12:04:06 -07:00
Tom Eastep
e352cd3a65 Update Known Problems
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-24 11:49:46 -07:00
Tom Eastep
d412547020 Document blacklisting fix
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-24 11:20:22 -07:00
Tom Eastep
f2fa68bdc9 Correct blacklisting in simple configurations
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-24 11:17:21 -07:00
Tom Eastep
059553b134 Make timestamps in log uniform 2010-09-23 07:15:24 -07:00
Tom Eastep
65631e14c7 Revert Date Fix 2010-09-23 06:48:29 -07:00
Tom Eastep
9f9d5e3bc9 Document date formatting fix 2010-09-22 17:45:26 -07:00
Tom Eastep
1dd93bbb22 Fix date formatting 2010-09-22 17:41:02 -07:00
Tom Eastep
6ce1b9c608 Prepare for 4.4.13.1 in case it is needed 2010-09-22 16:41:19 -07:00
Tom Eastep
a258de3c9d Update known problems
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-21 07:50:13 -07:00
Tom Eastep
a796623dde Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-20 09:40:31 -07:00
Tom Eastep
f6f840bebf Misc cleanup for 4.4.13
1. Replace statement with equivalent function call in promote_blacklist_rules()
2. Bump version of Tunnels.pm
3. Fix typo in comment in Zones.pm

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-20 08:15:24 -07:00
Tom Eastep
59905e8744 Set version to 4.4.13 2010-09-20 07:25:33 -07:00
Tom Eastep
7d2f6379e0 Document fix for '*' in interface names.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-19 15:19:48 -07:00
Tom Eastep
8bdd9828fd Don't allow '*' in interface names 2010-09-19 15:13:54 -07:00
30 changed files with 229 additions and 52 deletions


@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1,6 +1,6 @@
%define name shorewall-init %define name shorewall-init
%define version 4.4.13 %define version 4.4.13
%define release 0RC1 %define release 3
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name} Name: %{name}
@ -99,6 +99,14 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-3
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1 - Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -17,10 +17,9 @@ SRWL=/sbin/shorewall-lite
SRWL_OPTS="-tvv" SRWL_OPTS="-tvv"
test -n ${INITLOG:=/var/log/shorewall-lite-init.log} test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0 [ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
export SHOREWALL_INIT_SCRIPT export SHOREWALL_INIT_SCRIPT
test -x $SRWL || exit 0 test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0 test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || { test -n "$INITLOG" || {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -94,9 +94,9 @@ get_config() {
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
LOGREAD="logread | tac" g_logread="logread | tac"
elif [ -r $LOGFILE ]; then elif [ -r $LOGFILE ]; then
LOGREAD="tac $LOGFILE" g_logread="tac $LOGFILE"
else else
echo "LOGFILE ($LOGFILE) does not exist!" >&2 echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2 exit 2
@ -145,6 +145,12 @@ get_config() {
[ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY)) [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
if [ $VERBOSITY -lt -1 ]; then
VERBOSITY=-1
elif [ $VERBOSITY -gt 2 ]; then
VERBOSITY=2
fi
g_hostname=$(hostname 2> /dev/null) g_hostname=$(hostname 2> /dev/null)
IP=$(mywhich ip 2> /dev/null) IP=$(mywhich ip 2> /dev/null)
@ -463,6 +469,7 @@ g_use_verbosity=
g_noroutes= g_noroutes=
g_timestamp= g_timestamp=
g_recovering= g_recovering=
g_logread=
finished=0 finished=0
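Review bot: The new clamp `if [ $VERBOSITY -lt -1 ]` only handles out-of-range integers; if VERBOSITY is empty or not an integer, both `[` tests emit an "integer expression expected" style error and fall through, leaving the bad value in place for later commands (and the `$(($g_verbose_offset + $VERBOSITY))` on the preceding line behaves differently across shells for such input). Quote the expansions, `if [ "$VERBOSITY" -lt -1 ]; then` and `elif [ "$VERBOSITY" -gt 2 ]; then`, and consider validating first with `case "$VERBOSITY" in -[0-9]*|[0-9]*) ;; *) echo "Invalid VERBOSITY ($VERBOSITY)" >&2; exit 2;; esac`, matching the diagnostic style used for LOGFILE above. Where VERBOSITY is read from is not in this hunk, so I cannot tell whether it is already validated there; get_config() starts and ends outside the hunk.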


@ -1,6 +1,6 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.4.13 %define version 4.4.13
%define release 0RC1 %define release 3
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -102,6 +102,14 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-3
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1 - Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -68,7 +68,7 @@ our %EXPORT_TAGS = (
SET SET
NO_RESTRICT NO_RESTRICT
PREROUTE_RESTRICT PREROUTE_RESTRICT
DESTIFAC_DISALLOW DESTIFACE_DISALLOW
INPUT_RESTRICT INPUT_RESTRICT
OUTPUT_RESTRICT OUTPUT_RESTRICT
POSTROUTE_RESTRICT POSTROUTE_RESTRICT
@ -261,13 +261,13 @@ our %targets;
# #
# expand_rule() restrictions # expand_rule() restrictions
# #
use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule
PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d <address list> using main routing table PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d <address list> using main routing table
INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
DESTIFAC_DISALLOW => 32, # Don't allow dest interface DESTIFACE_DISALLOW => 32, # Don't allow dest interface
}; };
our $iprangematch; our $iprangematch;
@ -3408,14 +3408,14 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Dest interface -- must use routing table # Dest interface -- must use routing table
# #
fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFAC_DISALLOW; fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFACE_DISALLOW;
fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface ); fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface );
push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' ); push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
$rule .= '-d $dest '; $rule .= '-d $dest ';
} else { } else {
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT; fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFAC_DISALLOW; fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFACE_DISALLOW;
if ( $iiface ) { if ( $iiface ) {
my $bridge = port_to_bridge( $diface ); my $bridge = port_to_bridge( $diface );
@ -3746,7 +3746,7 @@ sub promote_blacklist_rules() {
# #
unless ( $chain2ref->{blacklist} ) { unless ( $chain2ref->{blacklist} ) {
unshift @{$chain2ref->{rules}}, $rule; unshift @{$chain2ref->{rules}}, $rule;
$chainbref->{references}{$chain2ref->{name}}++; add_reference $chain2ref, $chainbref;
$chain2ref->{blacklist} = 1; $chain2ref->{blacklist} = 1;
} }
} }
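Review bot: The replacement `add_reference $chain2ref, $chainbref;` in promote_blacklist_rules() needs its argument order confirmed against add_reference's definition, which is outside this hunk: the statement it replaces incremented `$chainbref->{references}{$chain2ref->{name}}`, i.e. it recorded $chain2ref as a referrer of the blacklist chain, so the call must be (referring chain, target chain) for the bookkeeping to stay the same. If the order were reversed the reference count on the blacklist chain would be wrong, and if, as the name suggests, reference counts drive chain pruning during optimization, an apparently unreferenced blacklist chain could be dropped and blacklisting silently disabled — the same fail-open symptom that 4.4.13.1 fixes in Rules.pm. A one-line comment, `# record $chain2ref's jump to the blacklist chain so it is not optimized away`, would make the intent visible. promote_blacklist_rules() starts outside the hunk.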


@ -347,7 +347,7 @@ sub initialize( $ ) {
EXPORT => 0, EXPORT => 0,
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.13-RC1", VERSION => "4.4.13.3",
CAPVERSION => 40413 , CAPVERSION => 40413 ,
); );
@ -1093,7 +1093,7 @@ sub progress_message2 {
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
} }
} }
@ -1114,7 +1114,7 @@ sub progress_message3 {
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
} }
} }
@ -1475,11 +1475,12 @@ sub split_list1( $$ ) {
if ( ( $count = tr/(/(/ ) > 0 ) { if ( ( $count = tr/(/(/ ) > 0 ) {
fatal_error "Invalid $type list ($list)" if $element || $count > 1; fatal_error "Invalid $type list ($list)" if $element || $count > 1;
s/\(//;
if ( ( $count = tr/)/)/ ) > 0 ) { if ( ( $count = tr/)/)/ ) > 0 ) {
fatal_error "Invalid $type list ($list)" if $count > 1; fatal_error "Invalid $type list ($list)" if $count > 1;
s/\)//;
push @list2 , $_; push @list2 , $_;
} else { } else {
s/\(//;
$element = $_; $element = $_;
} }
} elsif ( ( $count = tr/)/)/ ) > 0 ) { } elsif ( ( $count = tr/)/)/ ) > 0 ) {
@ -1576,7 +1577,12 @@ sub open_file( $ ) {
assert( ! defined $currentfile ); assert( ! defined $currentfile );
-f $fname && -s _ ? do_open_file $fname : ''; if ( -f $fname && -s _ ) {
$first_entry = 0;
do_open_file $fname;;
} else {
'';
}
} }
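Review bot: `do_open_file $fname;;` in the rewritten open_file() has a stray second semicolon; Perl accepts it as an empty statement, but it reads like a typo and should be `do_open_file $fname;`. The new if/else also leaves the return value implicit in both branches, where the old one-liner made it obvious; a short comment such as `# Returns the result of do_open_file, or '' when $fname is missing or empty` would restore that, and the purpose of resetting `$first_entry = 0` only on the success path deserves a why-comment since nothing in the hunk explains it. open_file() starts outside the hunk.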
# #


@ -1861,20 +1861,13 @@ sub generate_matrix() {
progress_message2 'Generating Rule Matrix...'; progress_message2 'Generating Rule Matrix...';
# #
# Special processing for complex configurations # Special processing for complex and blacklisting configurations
# #
for my $zone ( @zones ) { for my $zone ( @zones ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{options}{complex};
#
# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
#
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
if ( $zoneref->{options}{in}{blacklist} ) { if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst}; my $blackref = $filter_table->{blacklst};
add_jump $frwd_ref , $blackref, 0, $state, 0, -1;
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers; add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
} }
@ -1892,6 +1885,15 @@ sub generate_matrix() {
} }
} }
next if @zones <= 2 && ! $zoneref->{options}{complex};
#
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
#
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
add_jump $frwd_ref , $filter_table->{blacklst}, 0, $state, 0, -1 if $zoneref->{options}{in}{blacklist};
if ( have_ipsec ) { if ( have_ipsec ) {
# #
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
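Review bot: The restructured blacklist wiring in generate_matrix() now lives in two places — the per-zone jumps into `rules_chain( $zone, $_ )` for the firewall zone and vservers, and the forward-chain jump `add_jump $frwd_ref , $filter_table->{blacklst}, 0, $state, 0, -1` that is only reached after `next if @zones <= 2 && ! $zoneref->{options}{complex}` — so a simple two-zone configuration depends entirely on the first path plus whatever the loop closing at the top of the second hunk adds. Because the original defect was blacklisting being silently skipped, which is a fail-open condition for a firewall, this is worth pinning with a regression configuration in the test set: two zones, non-complex, `blacklist` in the zone's IN_OPTIONS, asserting that the generated fw and rules chains carry a jump to blacklst. A comment on the `next` line, `# Simple configuration: no zone forwarding chain; blacklist jumps were already added to the rules chains above`, would also make clear that the early exit is intentional. generate_matrix() starts and ends outside the hunk, and `$state` is defined elsewhere.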


@ -296,7 +296,7 @@ sub process_tc_rule( ) {
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre'; fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
} }
$restriction = DESTIFAC_DISALLOW; $restriction = DESTIFACE_DISALLOW;
ensure_mangle_chain($target); ensure_mangle_chain($target);


@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tunnels ); our @EXPORT = qw( setup_tunnels );
our @EXPORT_OK = ( ); our @EXPORT_OK = ( );
our $VERSION = '4.4_9'; our $VERSION = '4.4_13';
# #
# Here starts the tunnel stuff -- we really should get rid of this crap... # Here starts the tunnel stuff -- we really should get rid of this crap...


@ -903,6 +903,8 @@ sub process_interface( $$ ) {
$root = $interface; $root = $interface;
} }
fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
my $physical = $interface; my $physical = $interface;
my $broadcasts; my $broadcasts;
@ -1183,6 +1185,8 @@ sub known_interface($;$)
return $interfaceref if $interfaceref; return $interfaceref if $interfaceref;
fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
for my $i ( @interfaces ) { for my $i ( @interfaces ) {
$interfaceref = $interfaces{$i}; $interfaceref = $interfaces{$i};
my $root = $interfaceref->{root}; my $root = $interfaceref->{root};
@ -1807,7 +1811,7 @@ sub find_hosts_by_option( $ ) {
} }
# #
# Retruns a reference to a list of zones with the passed in/out option # Returns a reference to a list of zones with the passed in/out option
# #
sub find_zones_by_option( $$ ) { sub find_zones_by_option( $$ ) {
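Review bot: The two new checks reject only `*` in an interface name (`fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;`), but interface names are later interpolated into generated shell and iptables command lines (Chains.pm builds `'for dest in ' . get_interface_nets( $diface) . '; do'`), so other shell metacharacters — `;`, `$`, backquotes, quotes, whitespace — would be at least as harmful if the column parser lets them through, which is not visible here. A positive match over the characters Shorewall accepts in interface names (letters, digits and the punctuation it documents, such as `+`, `.`, `:`, `-`, `_`) would be a more robust guard than a single-character blacklist; if a wider set is legitimately in use, at least extend the regex to the shell-significant characters. The two messages also differ ("Invalid interface name" vs "Invalid interface"); making them identical helps anyone grepping for the diagnostic. Both process_interface() and known_interface() start and end outside the hunks.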


@ -1,3 +1,19 @@
Changes in Shorewall 4.4.13.3
1) Fix log reading in the -lite packages.
Changes in Shorewall 4.4.13.2
1) Fix Debian -lite init scripts.
2) Clamp VERBOSITY to valid range.
Changes in Shorewall 4.4.13.1
1) Make log messages uniform.
2) Fix blacklisting in simple configurations.
Changes in Shorewall 4.4.13 Changes in Shorewall 4.4.13
1) Allow zone lists in rules SOURCE and DEST. 1) Allow zone lists in rules SOURCE and DEST.
@ -35,6 +51,8 @@ Changes in Shorewall 4.4.13
16) Correct port-range check in tcfilters. 16) Correct port-range check in tcfilters.
17) Disallow '*' in interface names.
Changes in Shorewall 4.4.12 Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program. 1) Fix IPv6 shorecap program.


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -1 +1,58 @@
There are no known problems in Shorewall 4.4.13-RC1 1) On systems running Upstart, shorewall-init cannot reliably start the
firewall before interfaces are brought up.
2) The date/time formatting in the STARTUP_LOG is not uniform.
Fixed in 4.4.13.1
3) The blacklisting change in 4.4.13 broke blacklisting in some simple
configurations with the effect that blacklisting was not enabled.
Fixed in 4.4.13.1
The issue may also be worked around is follows.
If you currently have an entry similar to this in
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect blacklist,...
then remove the 'blacklist' option from that entry and change the
'net' entry in /etc/shorewall/zones as follows:
#ZONE TYPE OPTIONS IN_OPTIONS
net ipv4 - blacklist
4) The Debian init scripts for Shorewall-lite and Shorewall6-lite
contain a syntax error.
Fixed in 4.4.13.2.
5) If the -v or -q option is passed to /sbin/shorewall-lite or
/sbin/shorewall6-lite on a command that involves the compiled
script, then the command will fail if the effective verbosity is
> 2 or < -1.
Fixed in 4.4.13.2.
6) When running one of the -lite packages, the log reading commands
(show log, logwatch and dump) show no log record.
Fixed in 4.4.13.3.
7) In /etc/shorewall/interfaces, if nets=(a.b.c.d/e) is entered then a
fatal error is erroneously raised.
Workaround: Remove the parentheses (e.g., nets=a.b.c.d/e).
8) If 10 or more interfaces are configured in Complex Traffic Shaping
(/etc/shorewall/tcdevices), the following compilation diagnostic
is issued:
Argument "a" isn't numeric in sprintf at
/usr/share/shorewall/Shorewall/Config.pm line 893.
and an invalid TC configuration is generated.
Fixed in 4.4.14.


@ -34,6 +34,10 @@ get_script_version() { # $1 = script
local version local version
local ifs local ifs
local digits local digits
local verbosity
verbosity="$VERBOSITY"
VERBOSITY=0
temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' ) temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
@ -54,6 +58,8 @@ get_script_version() { # $1 = script
fi fi
echo $version echo $version
VERBOSITY="$verbosity"
} }
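Review bot: The save/restore of VERBOSITY around `temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )` is fragile: the lines between the two hunks are not visible, and any `return` or error exit on that path leaves VERBOSITY=0 for the rest of the caller. Scoping the override to the child process needs no restore and no new local: `temp=$( VERBOSITY=0 $SHOREWALL_SHELL "$1" version | sed 's/-.*//' )`. That form also makes explicit what the commit relies on — the compiled script reading VERBOSITY from its environment, which only works if the variable is exported (not visible here); a one-line comment, `# silence progress output from the compiled script so only the version string is captured`, would state the intent. `$1` should be quoted in either form. get_script_version() starts outside the hunk.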
# #


@ -1,6 +1,5 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 3 S H O R E W A L L 4 . 4 . 1 3 . 3
R C 1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE I. PROBLEMS CORRECTED IN THIS RELEASE
@ -14,6 +13,30 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
4.4.13.3
1) The log-reading commands (show log, logwatch and dump) always
showed an empty log when using one of the -lite packages.
4.4.13.2
1) The Debian init scripts for Shorewall-lite and Shorewall6-lite
contained a syntax error.
2) If the -v or -q option was passed to /sbin/shorewall-lite or
/sbin/shorewall6-lite on a command that involved the compiled
script, then the command would fail if the effective verbosity was
> 2 or < -1.
4.4.13.1
1) Previously, messages to the STARTUP_LOG had inconsistent date formats.
2) The blacklisting change in 4.4.13 was broken in some simple
configurations with the effect that blacklisting was not enabled.
4.4.13
1) Under rare circumstances where COMMENT is used to attach comments 1) Under rare circumstances where COMMENT is used to attach comments
to rules, OPTIMIZE 8 through 15 could result in invalid to rules, OPTIMIZE 8 through 15 could result in invalid
iptables-restore (ip6tables-restore) input. iptables-restore (ip6tables-restore) input.
@ -116,6 +139,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
13) An error message was incorrectly generated if a port range of the 13) An error message was incorrectly generated if a port range of the
form :<port> (e.g., :22) appeared. form :<port> (e.g., :22) appeared.
14) An error is now generated if '*' appears in an interface name.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G I I. K N O W N P R O B L E M S R E M A I N I N G
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 4.4.13 %define version 4.4.13
%define release 0RC1 %define release 3
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -108,6 +108,14 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog %changelog
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-3
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1 - Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -17,7 +17,7 @@ SRWL=/sbin/shorewall6-lite
SRWL_OPTS="-tvv" SRWL_OPTS="-tvv"
test -n ${INITLOG:=/var/log/shorewall6-lite-init.log} test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0 [ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
export SHOREWALL_INIT_SCRIPT export SHOREWALL_INIT_SCRIPT


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -94,9 +94,9 @@ get_config() {
[ -z "$LOGFILE" ] && LOGFILE=/var/log/messages [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then if ( ps ax 2> /dev/null | grep -v grep | qt grep 'syslogd.*-C' ) ; then
LOGREAD="logread | tac" g_logread="logread | tac"
elif [ -r $LOGFILE ]; then elif [ -r $LOGFILE ]; then
LOGREAD="tac $LOGFILE" g_logread="tac $LOGFILE"
else else
echo "LOGFILE ($LOGFILE) does not exist!" >&2 echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2 exit 2
@ -145,6 +145,12 @@ get_config() {
[ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY)) [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
if [ $VERBOSITY -lt -1 ]; then
VERBOSITY=-1
elif [ $VERBOSITY -gt 2 ]; then
VERBOSITY=2
fi
g_hostname=$(hostname 2> /dev/null) g_hostname=$(hostname 2> /dev/null)
IP=$(mywhich ip 2> /dev/null) IP=$(mywhich ip 2> /dev/null)
@ -447,6 +453,7 @@ g_noroutes=
g_timestamp= g_timestamp=
g_recovering= g_recovering=
g_purge= g_purge=
g_logread=
finished=0 finished=0
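Review bot: The clamp added after the VERBOSITY computation, `if [ $VERBOSITY -lt -1 ]` / `elif [ $VERBOSITY -gt 2 ]`, assumes the variable already holds an integer; an empty or non-numeric value makes both `[` tests error out and fall through, so the invalid value survives into the commands that follow rather than producing a clear diagnostic. Quoting the expansions, `if [ "$VERBOSITY" -lt -1 ]; then` and `elif [ "$VERBOSITY" -gt 2 ]; then`, makes the empty case deterministic, and a preceding `case "$VERBOSITY" in -[0-9]*|[0-9]*) ;; *) echo "Invalid VERBOSITY ($VERBOSITY)" >&2; exit 2;; esac` would report it the way the LOGFILE check above does. Whether VERBOSITY is validated where it is read is not visible in this hunk; get_config() starts and ends outside it.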


@ -1,6 +1,6 @@
%define name shorewall6-lite %define name shorewall6-lite
%define version 4.4.13 %define version 4.4.13
%define release 0RC1 %define release 3
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -93,6 +93,14 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-3
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1 - Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -32,6 +32,10 @@ get_script_version() { # $1 = script
local version local version
local ifs local ifs
local digits local digits
local verbosity
verbosity="$VERBOSITY"
VERBOSITY=0
temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' ) temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
@ -52,6 +56,8 @@ get_script_version() { # $1 = script
fi fi
echo $version echo $version
VERBOSITY="$verbosity"
} }
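Review bot: Saving VERBOSITY into `verbosity`, setting `VERBOSITY=0`, and restoring it after `echo $version` only works if every path between the two hunks reaches the restore; those lines are not visible here, and an early `return` or `exit` would leave the caller running at verbosity 0. A per-command environment override avoids the issue entirely: `temp=$( VERBOSITY=0 $SHOREWALL_SHELL "$1" version | sed 's/-.*//' )`, which also drops the new local. Either way the fix presumes the compiled script honours VERBOSITY from its environment, which requires the variable to be exported — not shown in this hunk — so a comment such as `# run the compiled script quietly so the output is just its version string` would record the assumption. get_script_version() starts outside the hunk.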
# #


@ -1,6 +1,6 @@
%define name shorewall6 %define name shorewall6
%define version 4.4.13 %define version 4.4.13
%define release 0RC1 %define release 3
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -98,6 +98,14 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog %changelog
* Sat Oct 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-3
* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1 - Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net * Fri Sep 17 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13-RC1 VERSION=4.4.13.3
usage() # $1 = exit status usage() # $1 = exit status
{ {