
16 Commits

Tom Eastep
4e19c193a1 Document chain name length restriction fix 2011-01-31 07:15:26 -08:00
Tom Eastep
5fc72fc727 Ensure that accounting and manual chains aren't too long 2011-01-31 07:06:46 -08:00
Tom Eastep
cdf78dfecf Document module loading defect corrections 2011-01-29 12:56:03 -08:00
Tom Eastep
edf614bf4b Fix a couple of defects in module loading 2011-01-29 12:51:06 -08:00
Tom Eastep
1a3794e7b0 Fix typo in the known problems
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-01-29 09:20:17 -08:00
Tom Eastep
cfcc59c731 Document fix for IPv6 parsing error
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-01-29 09:17:05 -08:00
Tom Eastep
0de4208fef Fix silly bug in expand_rule() 2011-01-29 09:04:29 -08:00
Tom Eastep
3b6e7c3698 Update Shorewall-4 with info about shorewall-init 2011-01-22 07:30:58 -08:00
Tom Eastep
9ffab23f9a Add sch_prio to modules file 2011-01-21 16:28:03 -08:00
Tom Eastep
2f938a5647 Fix typo in release notes 2011-01-20 08:15:39 -08:00
Tom Eastep
7a522dd213 Document fix for empty shell variables 2011-01-20 07:35:08 -08:00
Tom Eastep
c10ea7befd Fix empty variable handling when /bin/sh is bash 2011-01-20 07:27:14 -08:00
Tom Eastep
295799d4d1 Correct 'shorewall-common' references in the quickstart guides 2011-01-18 09:33:20 -08:00
Tom Eastep
dd83a0e726 Prepare for 4.4.16.1 if/when needed 2011-01-14 08:50:57 -08:00
Tom Eastep
ce599945c7 Correct typo in the FAQ 2011-01-11 14:47:38 -08:00
Tom Eastep
7302b785fd Correct release documents 2011-01-08 08:12:28 -08:00
25 changed files with 166 additions and 33 deletions


@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall-init
%define version 4.4.16
%define release 0base
%define release 1
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name}
@ -119,6 +119,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-1
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall-lite
%define version 4.4.16
%define release 0base
%define release 1
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name}
@ -102,6 +102,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-1
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -1257,6 +1257,7 @@ sub ensure_accounting_chain( $$ )
if ( $chainref ) {
fatal_error "Non-accounting chain ($chain) used in an accounting rule" unless $chainref->{accounting};
} else {
fatal_error "Chain name ($chain) too long" if length $chain > 29;
$chainref = new_chain 'filter' , $chain;
$chainref->{accounting} = 1;
$chainref->{referenced} = 1;
@ -1344,6 +1345,7 @@ sub new_nat_chain($) {
sub new_manual_chain($) {
my $chain = $_[0];
fatal_error "Chain name ($chain) too long" if length $chain > 29;
fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
$targets{$chain} = CHAIN;
( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
@ -3509,7 +3511,7 @@ sub expand_rule( $$$$$$$$$$;$ )
$iiface = $1;
$inets = $2;
} elsif ( $source =~ /:/ ) {
if ( $source =~ /^<(.+)>$/ || $source =~ /^<\[.+\]>$/ ) {
if ( $source =~ /^<(.+)>$/ || $source =~ /^\[(.+)\]$/ ) {
$inets = $1;
} else {
$inets = $source;
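Review bot: The chain-name limit is hard-coded as a bare 29 in two places (ensure_accounting_chain and new_manual_chain) with nothing saying where the number comes from, and the boundary deserves a second look: as I recall iptables rejects user chain names with `strlen(name) >= XT_EXTENSION_MAXNAMELEN` (29) and reports "must be under 29 chars", which would make 28 the longest name actually accepted, so please confirm against the iptables versions Shorewall targets before settling on `> 29`. I would hoist it into one named constant alongside the other chain constants the file already uses (CHAIN is referenced two lines below), e.g. `use constant { MAX_CHAIN_NAME_LEN => 29 }; # iptables user-chain name limit (XT_EXTENSION_MAXNAMELEN) -- verify boundary`, and write both checks as `fatal_error "Chain name ($chain) too long" if length $chain > MAX_CHAIN_NAME_LEN;`. Rejecting this in the compiler is the right place: otherwise the bad name only surfaces when the generated ruleset is loaded, leaving the firewall in whatever state the aborted load left it. ensure_accounting_chain and expand_rule both start and end outside the hunk.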


@ -359,7 +359,7 @@ sub initialize( $ ) {
EXPORT => 0,
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.16",
VERSION => "4.4.16.1",
CAPVERSION => 40415 ,
);
@ -2168,12 +2168,16 @@ sub load_kernel_modules( ) {
my $uname = `uname -r`;
fatal_error "The command 'uname -r' failed" unless $? == 0;
chomp $uname;
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/ipv6/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
}
my @moduledirectories = split /:/, $modulesdir;
my @moduledirectories;
if ( $moduleloader && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
for ( split /:/, $modulesdir ) {
push @moduledirectories, $_ if -d $_;
}
if ( $moduleloader && @moduledirectories && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
my %loadedmodules;
$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@ -2952,7 +2956,7 @@ sub get_params() {
if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^declare -x (.*?)="(.*)$/ ) {
$params{$variable=$1}="${2}\n";
$params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
$params{$1} = '';
} else {
@ -2976,7 +2980,7 @@ sub get_params() {
if ( /^export (.*?)="(.*[^\\])"$/ ) {
$params{$1} = $2 unless $1 eq '_';
} elsif ( /^export (.*?)="(.*)$/ ) {
$params{$variable=$1}="${2}\n";
$params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
} elsif ( /^export (.*)\s+$/ || /^export (.*)=""$/ ) {
$params{$1} = '';
} else {
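Review bot: The empty-value special case on the `declare -x` branch still assigns `$variable`, so the parser is left in continuation mode for a variable that has already been fully read; if the fallback branch outside the hunk appends unrecognised lines to `$params{$variable}` (I cannot see it from here), a stray line following `FOO=""` would be silently glued onto FOO instead of producing a warning. I would keep `$variable` unset for the empty case: `if ( $2 eq '"' ) { $params{$1} = '' } else { $params{$variable=$1} = "${2}\n" }`, and the same on the `export` branch below. Note also that the `/^declare -x (.*)=""$/` alternative in the following `elsif` (and its `export` twin) is unreachable, since `="(.*)$` already matches `=""` with `$2 eq '"'`; either drop it or add a comment saying why it is kept. The two `declare -x`/`export` loops are otherwise line-for-line duplicates and would be easier to keep in sync as one loop parameterised on the keyword. get_params starts and ends outside the hunk.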


@ -1,3 +1,25 @@
Changes in Shorewall 4.4.16.3
1) Fix silly bug in expand_rule().
2) Correct two defects in compiler module loading.
3) Ensure that manual and accounting chains aren't too long.
Changes in Shorewall 4.4.16.2
1) Add sch_prio to modules file.
Changes in Shorewall 4.4.16.1
1) Fix empty variable handling where /bin/sh is bash
Changes in Shorewall 4.4.16 RC 1
1) Fix logging for jump to nat chain.
2) Minor code refactoring.
Changes in Shorewall 4.4.16 Beta 8
1) Complete parameterized actions.


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -1,3 +1,47 @@
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
2) Beginning with 4.4.16, compilation will fail if an empty shell
variable was referenced in a config file on a system where /bin/sh
is the Bourne Again Shell (bash).
Corrected in 4.4.16.1.
3) Startup can fail on a system where module autoloading is not
available and where TC_ENABLED=Simple is specified in
shorewall.conf.
Workaround:
If LOAD_HELPERS_ONLY=No,
a) Copy /usr/share/shorewall/modules to /etc/shorewall/
b) Add 'loadmodule sch_prio' to the copy
If LOAD_HELPERS_ONLY=Yes,
a) Copy /usr/share/shorewall/helpers to /etc/shorewall/
b) Add 'loadmodule sch_prio' to the copy
4) If the SOURCE column in /etc/shorewall6/rules contains an address
enclosed in [...], a spurious error is generated:
Example:
net:[::/0]
ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)
Workaround:
Enclose the address in <...>. In the example above, use
net:<::/0>.
3) Currently, Shorewall does not check the length of the names of
accounting chains and manual chains. This can result in
errors when loading the resulting ruleset if a chain name is longer
than 29 characters.


@ -125,6 +125,7 @@ loadmodule sch_sfq
loadmodule sch_ingress
loadmodule sch_hfsc
loadmodule sch_htb
loadmodule sch_prio
loadmodule cls_u32
loadmodule cls_fw
loadmodule cls_flow


@ -1,5 +1,5 @@
----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 6
S H O R E W A L L 4 . 4 . 1 6 . 3
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@ -12,17 +12,50 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
4.4.16.3
1) If the SOURCE column in /etc/shorewall6/rules contained [<address>],
a spurious error was generated:
ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)
2) Two compiler defects in module loading have been corrected:
a) Previously, the kernel/net/ipv6/netfilter/ directory was not
searched.
b) A Perl diagnostic was issued when running on a monolithic kernel
when the modutils package was installed.
3) Previously, Shorewall did not check the length of the names of
accounting chains and manual chains. This could result in
errors when loading the resulting ruleset. Now, the compiler issues
an error for chain names longer than 29 characters.
4.4.16.2
1) Startup could previously fail on a system where module autoloading
was not available and where TC_ENABLED=Simple was specified in
shorewall.conf.
4.4.16.1
1) Beginning with 4.4.16, compilation would fail if an empty shell
variable was referenced in a config file on a system where /bin/sh
is the Bourne Again Shell (bash).
4.4.16
1) If the output of 'env' contained a multi-line value, then
compilation failed with an Internal Error. The code has been
changed so that the compiler now handles multi-line values
correctly.
2) In 4.4.15, output to Standard Out (FD 2) generated by
2) In 4.4.15, output to Standard Out (FD 1) generated by
/etc/shorewall/params (/etc/shorewall6/params) was redirected to
/dev/null. It is now redirected to Standard Error (FD 2).
3) 2) If a params file did not appear in the CONFIG_PATH, compilation
3) If a params file did not appear in the CONFIG_PATH, compilation
failed with the error:
.: 31: Can't open /etc/shorewall6/params


@ -1,6 +1,6 @@
%define name shorewall
%define version 4.4.16
%define release 0base
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@ -109,6 +109,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-1
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall6-lite
%define version 4.4.16
%define release 0base
%define release 1
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -93,6 +93,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-1
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -1,6 +1,6 @@
%define name shorewall6
%define version 4.4.16
%define release 0base
%define release 1
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name}
@ -98,6 +98,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog
* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-1
* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
* Thu Dec 30 2010 Tom Eastep tom@shorewall.net


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.16
VERSION=4.4.16.1
usage() # $1 = exit status
{


@ -2196,7 +2196,7 @@ gateway:~#
</programlisting>
</blockquote>
<para>then it means that somehing outside of Shorewall has deleted the
<para>then it means that something outside of Shorewall has deleted the
chain. This usually means that you were running another firewall package
before you installed Shorewall and that other package has replaced
Shorewall's Netfilter configuration with its own. You must remove (or at


@ -103,7 +103,7 @@
that current users of the shell-based compiler migrate before upgrading to
4.4 so that both compilers are available during the migration.</para>
<para>Shorewall 4.4 contains four packages:</para>
<para>Shorewall 4.4 contains five packages:</para>
<itemizedlist>
<listitem>
@ -126,6 +126,23 @@
equivalent of Shorewall Lite. Can run scripts generated by Shoreall on
another system.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall-init</emphasis> - An add-on
package for any of the other packages which can:</para>
<orderedlist>
<listitem>
<para>Secure the firewall(s) prior to bringing up the interfaces
(does not work with systems running Upstart)</para>
</listitem>
<listitem>
<para>React to ifup/ifdown events and restart the firewall(s) if
needed</para>
</listitem>
</orderedlist>
</listitem>
</itemizedlist>
</section>


@ -161,7 +161,7 @@
Shorewall documentation directory is, you can find the samples using
this command:</para>
<programlisting>~# rpm -ql shorewall-common | fgrep one-interface
<programlisting>~# rpm -ql shorewall | fgrep one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
@ -186,7 +186,7 @@
<listitem>
<para>If you installed using a Shorewall 4.x .deb, the samples are in
<filename
class="directory">/usr/share/doc/shorewall-common/examples/one-interface</filename>..
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..
You do not need the shorewall-doc package to have access to the
samples.</para>
</listitem>
@ -201,7 +201,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>


@ -160,7 +160,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found
on your system in the directory <filename
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
@ -179,7 +179,7 @@
documentation directory is, you can find the samples using this
command:</para>
<programlisting>~# rpm -ql shorewall-common | fgrep two-interfaces
<programlisting>~# rpm -ql shorewall | fgrep two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq