forked from extern/shorewall_code
Compare commits
16 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
4e19c193a1 | ||
|
5fc72fc727 | ||
|
cdf78dfecf | ||
|
edf614bf4b | ||
|
1a3794e7b0 | ||
|
cfcc59c731 | ||
|
0de4208fef | ||
|
3b6e7c3698 | ||
|
9ffab23f9a | ||
|
2f938a5647 | ||
|
7a522dd213 | ||
|
c10ea7befd | ||
|
295799d4d1 | ||
|
dd83a0e726 | ||
|
ce599945c7 | ||
|
7302b785fd |
@ -23,7 +23,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-init
|
||||
%define version 4.4.16
|
||||
%define release 0base
|
||||
%define release 1
|
||||
|
||||
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
|
||||
Name: %{name}
|
||||
@ -119,6 +119,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-1
|
||||
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0base
|
||||
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.4.16
|
||||
%define release 0base
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -102,6 +102,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-1
|
||||
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0base
|
||||
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1257,6 +1257,7 @@ sub ensure_accounting_chain( $$ )
|
||||
if ( $chainref ) {
|
||||
fatal_error "Non-accounting chain ($chain) used in an accounting rule" unless $chainref->{accounting};
|
||||
} else {
|
||||
fatal_error "Chain name ($chain) too long" if length $chain > 29;
|
||||
$chainref = new_chain 'filter' , $chain;
|
||||
$chainref->{accounting} = 1;
|
||||
$chainref->{referenced} = 1;
|
||||
@ -1344,6 +1345,7 @@ sub new_nat_chain($) {
|
||||
|
||||
sub new_manual_chain($) {
|
||||
my $chain = $_[0];
|
||||
fatal_error "Chain name ($chain) too long" if length $chain > 29;
|
||||
fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
|
||||
$targets{$chain} = CHAIN;
|
||||
( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
|
||||
@ -3509,7 +3511,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
$iiface = $1;
|
||||
$inets = $2;
|
||||
} elsif ( $source =~ /:/ ) {
|
||||
if ( $source =~ /^<(.+)>$/ || $source =~ /^<\[.+\]>$/ ) {
|
||||
if ( $source =~ /^<(.+)>$/ || $source =~ /^\[(.+)\]$/ ) {
|
||||
$inets = $1;
|
||||
} else {
|
||||
$inets = $source;
|
||||
|
@ -359,7 +359,7 @@ sub initialize( $ ) {
|
||||
EXPORT => 0,
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.16",
|
||||
VERSION => "4.4.16.1",
|
||||
CAPVERSION => 40415 ,
|
||||
);
|
||||
|
||||
@ -2168,12 +2168,16 @@ sub load_kernel_modules( ) {
|
||||
my $uname = `uname -r`;
|
||||
fatal_error "The command 'uname -r' failed" unless $? == 0;
|
||||
chomp $uname;
|
||||
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
|
||||
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/ipv6/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
|
||||
}
|
||||
|
||||
my @moduledirectories = split /:/, $modulesdir;
|
||||
my @moduledirectories;
|
||||
|
||||
if ( $moduleloader && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
|
||||
for ( split /:/, $modulesdir ) {
|
||||
push @moduledirectories, $_ if -d $_;
|
||||
}
|
||||
|
||||
if ( $moduleloader && @moduledirectories && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
|
||||
my %loadedmodules;
|
||||
|
||||
$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
|
||||
@ -2952,7 +2956,7 @@ sub get_params() {
|
||||
if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
|
||||
$params{$1} = $2 unless $1 eq '_';
|
||||
} elsif ( /^declare -x (.*?)="(.*)$/ ) {
|
||||
$params{$variable=$1}="${2}\n";
|
||||
$params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
|
||||
} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
|
||||
$params{$1} = '';
|
||||
} else {
|
||||
@ -2976,7 +2980,7 @@ sub get_params() {
|
||||
if ( /^export (.*?)="(.*[^\\])"$/ ) {
|
||||
$params{$1} = $2 unless $1 eq '_';
|
||||
} elsif ( /^export (.*?)="(.*)$/ ) {
|
||||
$params{$variable=$1}="${2}\n";
|
||||
$params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
|
||||
} elsif ( /^export (.*)\s+$/ || /^export (.*)=""$/ ) {
|
||||
$params{$1} = '';
|
||||
} else {
|
||||
|
@ -1,3 +1,25 @@
|
||||
Changes in Shorewall 4.4.16.3
|
||||
|
||||
1) Fix silly bug in expand_rule().
|
||||
|
||||
2) Correct two defects in compiler module loading.
|
||||
|
||||
3) Ensure that manual and accounting chains aren't too long.
|
||||
|
||||
Changes in Shorewall 4.4.16.2
|
||||
|
||||
1) Add sch_prio to modules file.
|
||||
|
||||
Changes in Shorewall 4.4.16.1
|
||||
|
||||
1) Fix empty variable handling where /bin/sh is bash
|
||||
|
||||
Changes in Shorewall 4.4.16 RC 1
|
||||
|
||||
1) Fix logging for jump to nat chain.
|
||||
|
||||
2) Minor code refactoring.
|
||||
|
||||
Changes in Shorewall 4.4.16 Beta 8
|
||||
|
||||
1) Complete parameterized actions.
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,3 +1,47 @@
|
||||
1) On systems running Upstart, shorewall-init cannot reliably secure
|
||||
the firewall before interfaces are brought up.
|
||||
|
||||
2) Beginning with 4.4.16, compilation will fail if an empty shell
|
||||
variable was referenced in a config file on a system where /bin/sh
|
||||
is the Bourne Again Shell (bash).
|
||||
|
||||
Corrected in 4.4.16.1.
|
||||
|
||||
3) Startup can fail on a system where module autoloading is not
|
||||
available and where TC_ENABLED=Simple is specified in
|
||||
shorewall.conf.
|
||||
|
||||
Workaround:
|
||||
|
||||
If LOAD_HELPERS_ONLY=No,
|
||||
|
||||
a) Copy /usr/share/shorewall/modules to /etc/shorewall/
|
||||
b) Add 'loadmodule sch_prio' to the copy
|
||||
|
||||
If LOAD_HELPERS_ONLY=Yes,
|
||||
|
||||
a) Copy /usr/share/shorewall/helpers to /etc/shorewall/
|
||||
b) Add 'loadmodule sch_prio' to the copy
|
||||
|
||||
4) If the SOURCE column in /etc/shorewall6/rules contains an address
|
||||
enclosed in [...], a spurious error is generated:
|
||||
|
||||
Example:
|
||||
|
||||
net:[::/0]
|
||||
|
||||
ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)
|
||||
|
||||
Workaround:
|
||||
|
||||
Enclose the address in <...>. In the example above, use
|
||||
net:<::/0>.
|
||||
|
||||
3) Currently, Shorewall does not check the length of the names of
|
||||
accounting chains and manual chains. This can result in
|
||||
errors when loading the resulting ruleset if a chain name is longer
|
||||
than 29 characters.
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -125,6 +125,7 @@ loadmodule sch_sfq
|
||||
loadmodule sch_ingress
|
||||
loadmodule sch_hfsc
|
||||
loadmodule sch_htb
|
||||
loadmodule sch_prio
|
||||
loadmodule cls_u32
|
||||
loadmodule cls_fw
|
||||
loadmodule cls_flow
|
||||
|
@ -1,5 +1,5 @@
|
||||
----------------------------------------------------------------------------
|
||||
S H O R E W A L L 4 . 4 . 1 6
|
||||
S H O R E W A L L 4 . 4 . 1 6 . 3
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
I. PROBLEMS CORRECTED IN THIS RELEASE
|
||||
@ -12,17 +12,50 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
----------------------------------------------------------------------------
|
||||
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
4.4.16.3
|
||||
|
||||
1) If the SOURCE column in /etc/shorewall6/rules contained [<address>],
|
||||
a spurious error was generated:
|
||||
|
||||
ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)
|
||||
|
||||
2) Two compiler defects in module loading have been corrected:
|
||||
|
||||
a) Previously, the kernel/net/ipv6/netfilter/ directory was not
|
||||
searched.
|
||||
|
||||
b) A Perl diagnostic was issued when running on a monolithic kernel
|
||||
when the modutils package was installed.
|
||||
|
||||
3) Previously, Shorewall did not check the length of the names of
|
||||
accounting chains and manual chains. This could result in
|
||||
errors when loading the resulting ruleset. Now, the compiler issues
|
||||
an error for chain names longer than 29 characters.
|
||||
|
||||
4.4.16.2
|
||||
|
||||
1) Startup could previously fail on a system where module autoloading
|
||||
was not available and where TC_ENABLED=Simple was specified in
|
||||
shorewall.conf.
|
||||
|
||||
4.4.16.1
|
||||
|
||||
1) Beginning with 4.4.16, compilation would fail if an empty shell
|
||||
variable was referenced in a config file on a system where /bin/sh
|
||||
is the Bourne Again Shell (bash).
|
||||
|
||||
4.4.16
|
||||
|
||||
1) If the output of 'env' contained a multi-line value, then
|
||||
compilation failed with an Internal Error. The code has been
|
||||
changed so that the compiler now handles multi-line values
|
||||
correctly.
|
||||
|
||||
2) In 4.4.15, output to Standard Out (FD 2) generated by
|
||||
2) In 4.4.15, output to Standard Out (FD 1) generated by
|
||||
/etc/shorewall/params (/etc/shorewall6/params) was redirected to
|
||||
/dev/null. It is now redirected to Standard Error (FD 2).
|
||||
|
||||
3) 2) If a params file did not appear in the CONFIG_PATH, compilation
|
||||
3) If a params file did not appear in the CONFIG_PATH, compilation
|
||||
failed with the error:
|
||||
|
||||
.: 31: Can't open /etc/shorewall6/params
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall
|
||||
%define version 4.4.16
|
||||
%define release 0base
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -109,6 +109,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
|
||||
|
||||
%changelog
|
||||
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-1
|
||||
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0base
|
||||
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6-lite
|
||||
%define version 4.4.16
|
||||
%define release 0base
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -93,6 +93,8 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-1
|
||||
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0base
|
||||
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -1,6 +1,6 @@
|
||||
%define name shorewall6
|
||||
%define version 4.4.16
|
||||
%define release 0base
|
||||
%define release 1
|
||||
|
||||
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@ -98,6 +98,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
|
||||
|
||||
%changelog
|
||||
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-1
|
||||
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.16-0base
|
||||
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.16
|
||||
VERSION=4.4.16.1
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -2196,7 +2196,7 @@ gateway:~#
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>then it means that somehing outside of Shorewall has deleted the
|
||||
<para>then it means that something outside of Shorewall has deleted the
|
||||
chain. This usually means that you were running another firewall package
|
||||
before you installed Shorewall and that other package has replaced
|
||||
Shorewall's Netfilter configuration with its own. You must remove (or at
|
||||
|
@ -103,7 +103,7 @@
|
||||
that current users of the shell-based compiler migrate before upgrading to
|
||||
4.4 so that both compilers are available during the migration.</para>
|
||||
|
||||
<para>Shorewall 4.4 contains four packages:</para>
|
||||
<para>Shorewall 4.4 contains five packages:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -126,6 +126,23 @@
|
||||
equivalent of Shorewall Lite. Can run scripts generated by Shoreall on
|
||||
another system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Shorewall-init</emphasis> - An add-on
|
||||
package for any of the other packages which can:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Secure the firewall(s) prior to bringing up the interfaces
|
||||
(does not work with systems running Upstart)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>React to ifup/ifdown events and restart the firewall(s) if
|
||||
needed</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
@ -161,7 +161,7 @@
|
||||
Shorewall documentation directory is, you can find the samples using
|
||||
this command:</para>
|
||||
|
||||
<programlisting>~# rpm -ql shorewall-common | fgrep one-interface
|
||||
<programlisting>~# rpm -ql shorewall | fgrep one-interface
|
||||
/usr/share/doc/packages/shorewall/Samples/one-interface
|
||||
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
|
||||
@ -186,7 +186,7 @@
|
||||
<listitem>
|
||||
<para>If you installed using a Shorewall 4.x .deb, the samples are in
|
||||
<filename
|
||||
class="directory">/usr/share/doc/shorewall-common/examples/one-interface</filename>..
|
||||
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..
|
||||
You do not need the shorewall-doc package to have access to the
|
||||
samples.</para>
|
||||
</listitem>
|
||||
@ -201,7 +201,7 @@
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This is
|
||||
intentional. The released configuration file skeletons may be found on
|
||||
your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
|
@ -160,7 +160,7 @@
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This
|
||||
is intentional. The released configuration file skeletons may be found
|
||||
on your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
@ -179,7 +179,7 @@
|
||||
documentation directory is, you can find the samples using this
|
||||
command:</para>
|
||||
|
||||
<programlisting>~# rpm -ql shorewall-common | fgrep two-interfaces
|
||||
<programlisting>~# rpm -ql shorewall | fgrep two-interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
|
||||
|
Loading…
Reference in New Issue
Block a user