Fix obscure bug with multiple addresses in masq

Formatting in zones manpage
2009-09-29 08:37:37 -05:00 · 2009-09-11 10:48:00 -07:00 · 2009-09-11 10:46:33 -07:00 · 2009-09-11 07:52:07 -07:00 · 2009-09-03 19:40:34 -07:00 · 2009-09-03 19:37:40 -07:00
24 changed files with 134 additions and 41 deletions
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.1
-%define release 0base
+%define release 2

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@ -98,6 +98,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-2
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-1
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -71,6 +71,7 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE

+				       initialize_chain_table
 				       add_commands
 				       move_rules
 				       move_rules1
@ -296,7 +297,6 @@ our %builtin_target = ( ACCEPT   => 1,
 			NFQUEUE  => 1,
 			REDIRECT => 1 );

-sub initialize_chain_table();
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@ -357,8 +357,6 @@ sub initialize( $ ) {
    $global_variables   = 0;
    $idiotcount         = 0;

-    initialize_chain_table;
-
 }

 #
@ -1041,7 +1039,7 @@ sub ensure_manual_chain($) {
 }

 #
-# Add all builtin chains to the chain table -- it is separate from initialize() for purely historical reasons.
+# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
 #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -589,6 +589,8 @@ sub compiler {
    #
    get_configuration( $export );

+    initialize_chain_table;
+
    report_capabilities;

    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
@ -790,6 +792,9 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
+    } else {
+	enable_object;
+    }
    #                               S T O P _ F I R E W A L L
    #             (Writes the stop_firewall() function to the compiled script)
    #
@ -797,7 +802,10 @@ sub compiler {
    # for stopping the firewall
    #
    Shorewall::Chains::initialize( $family );
+    initialize_chain_table;
    compile_stop_firewall( $test );
+    
+    if ( $objectfile ) {
 	#
 	# Copy the footer to the object
 	#
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -327,7 +327,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.1",
+		    VERSION => "4.4.1.2",
 		    CAPVERSION => 40401 ,
 		  );

@ -1951,7 +1951,7 @@ sub determine_capabilities( $ ) {

    if ( $capabilities{NAT_ENABLED} ) {
 	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
-	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to source 1.2.3.4 --persistent" );
+	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
 	    qt1( "$iptables -t NAT -F $sillyname" );
 	    qt1( "$iptables -t NAT -X $sillyname" );
 	}
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@ -104,7 +104,7 @@ sub do_ipsec_options($)
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $origaddresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@ -208,7 +208,9 @@ sub process_one_masq( )
 	#
 	# Parse the ADDRESSES column
 	#
-	if ( $addresses ne '-' ) {
+	if ( $origaddresses ne '-' ) {
+	    my $addresses = $origaddresses;
+
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
@ -226,7 +228,7 @@ sub process_one_masq( )
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
 				      '',
-				      "if [ \"$variable\" != 0.0.0.0 ]; then" );
+				      qq(if [ "$variable" != 0.0.0.0 ]; then) );
 			incr_cmd_level( $chainref );
 			$detectaddress = 1;
 		    }
@ -239,7 +241,11 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
+			    if ( $addr =~ /^(.+)-(.+)$/ ) {
+				validate_range( $1, $2 );
+			    } else {
 				validate_address $ipaddr, 0;
+			    }
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@ -280,7 +286,7 @@ sub process_one_masq( )
 	if ( $add_snat_aliases ) {
 	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-	    for my $address ( split_list $addresses, 'address' ) {
+	    for my $address ( split_list $origaddresses, 'address' ) {
 		my ( $addrs, $port ) = split /:/, $address;
 		next unless $addrs;
 		next if $addrs eq 'detect';
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,3 +1,19 @@
+Changes in Shorewall 4.4.1.3
+
+1)  Process routestopped during 'check'
+
+2)  Apply Jesse Shrieve's patch for SNAT range.
+
+Changes in Shorewall 4.4.1.2
+
+1)  Re-initialize chain table before generating 'stop_firewall()'
+
+Changes in Shorewall 4.4.1.1
+
+1)  Fixed detection of Persistent SNAT
+
+2)  Fix compiler initialization fiasco.
+
 Changes in Shorewall 4.4.1

 1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@ -1 +1,22 @@
-There are no known problems in Shorewall version 4.4.1
+1)  The compiler's detection of Persistent SNAT support is broken.
+
+    Fixed in Shorewall 4.4.1.1
+
+2)  Initialization of the compiler's chain table was broken in ways
+    that prevented some features from working.
+
+    Fixed in Shorewall 4.4.1.1
+
+3)  Initialization of the compiler's chain table was still broken.
+
+    Fixed in Shorewall 4.4.1.2.
+
+4)  It is currently not possible to specify an address range in the
+    ADDRESS column of /etc/shorewall/masq.
+
+    Fixed in Shorewall 4.4.1.3.
+
+5)  The routestopped file is not being verified by 'shorewall check'.
+
+    Fixed in Shorewall 4.4.1.3.
+
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 4.4.1
+Shorewall 4.4.1 patch release 3

 ----------------------------------------------------------------------------
               R E L E A S E  4 . 4  H I G H L I G H T S
@ -170,6 +170,30 @@ Shorewall 4.4.1
    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
    then it may have no additional members in /etc/shorewall/hosts.

+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 3
+----------------------------------------------------------------------------
+1)  The routestopped file wasn't verified during 'shorewall check' and
+    'shorewall6 check'.
+
+2)  Previously, it was not possible to specify an IP address range in
+    ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee Shrieve
+    for the patch.
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 2
+----------------------------------------------------------------------------
+1)  The compiler's chain table was not being re-initialized prior to
+    creating the stop_firewall() function, resulting in Perl run-time
+    errors.
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 1
+----------------------------------------------------------------------------
+1)  Detection of Persistent SNAT support was broken in the compiler.
+
+2)  Initialization of the compiler's chain table was broken in ways
+    that made some features not work and that caused Perl runtime errors.
+
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
 ----------------------------------------------------------------------------
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.1
-%define release 0base
+%define release 2

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@ -104,6 +104,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 

 %changelog
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-2
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-1
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.1
-%define release 0base
+%define release 2

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@ -89,6 +89,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-2
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-1
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.1
-%define release 0base
+%define release 2

 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@ -93,6 +93,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6

 %changelog
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-2
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-1
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1
+VERSION=4.4.1.2

 usage() # $1 = exit status
 {
--- a/manpages/shorewall-zones.xml
+++ b/manpages/shorewall-zones.xml
@ -138,7 +138,8 @@ c:a,b     ipv4</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
+              <term><emphasis role="bold">ipsec</emphasis> (or <emphasis
+              role="bold">ipsec4</emphasis>)</term>

              <listitem>
                <para>Communication with all zone hosts is encrypted. Your
@ -160,7 +161,8 @@ c:a,b     ipv4</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>bport (or bport4)</term>
+              <term><emphasis role="bold">bport</emphasis> (or <emphasis
+              role="bold">bport4</emphasis>)</term>

              <listitem>
                <para>The zone is associated with one or more ports on a
--- a/manpages6/shorewall6-zones.xml
+++ b/manpages6/shorewall6-zones.xml
@ -138,7 +138,8 @@ c:a,b     ipv6</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
+              <term><emphasis role="bold">ipsec</emphasis> (or <emphasis
+              role="bold">ipsec6</emphasis>)</term>

              <listitem>
                <para>Communication with all zone hosts is encrypted. Your
@ -160,7 +161,8 @@ c:a,b     ipv6</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>bport (or bport6)</term>
+              <term><emphasis role="bold">bport</emphasis> (or <emphasis
+              role="bold">bport6</emphasis>)</term>

              <listitem>
                <para>The zone is associated with one or more ports on a
Author	SHA1	Message	Date
Tom Eastep	4f9987d831	Fix obscure bug with multiple addresses in masq	2009-09-29 08:37:37 -05:00
Tom Eastep	9e4042ab0f	Formatting in zones manpage	2009-09-11 10:48:00 -07:00
Tom Eastep	d09f5faf8c	Formatting in zones manpage	2009-09-11 10:46:33 -07:00
Tom Eastep	6fe4b2f2e8	Apply Jesse Shrieve's SNAT patch	2009-09-11 07:52:07 -07:00
Tom Eastep	5160608a65	Process routestopped file during 'check' -- update release files	2009-09-03 19:40:34 -07:00
Tom Eastep	dc06ca633a	Process routestopped file during 'check'	2009-09-03 19:37:40 -07:00
Tom Eastep	084628289c	4.4.1.2	2009-09-03 15:45:16 -07:00
Tom Eastep	e2ed8113a3	Fixes to 4.4.1	2009-09-03 14:33:46 -07:00
Tom Eastep	b6190038ab	Prepare for 4.4.1.1	2009-09-03 08:37:04 -07:00