Compare commits

...

40 Commits

Author SHA1 Message Date
Tom Eastep
d4cacefc58 Document fix for IPSET_MATCH detection.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-19 13:35:16 -07:00
Tom Eastep
94dbfff034 Be sure to detect IPSET_MATCH before OLD_IPSET_MATCH.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-19 13:29:35 -07:00
Tom Eastep
68199083fe Correct version when :<burst> was added 2011-06-17 13:14:48 -07:00
Tom Eastep
d5c9da2257 Remove some whitespace 2011-06-16 16:46:00 -07:00
Tom Eastep
25994d85a5 Correct spelling error in shorewall6-interfaces(5)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-15 14:00:07 -07:00
Tom Eastep
cca0ae25a9 Initiate 4.4.20.4
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-15 13:36:29 -07:00
Tom Eastep
5ddc7b5f2a Document CONFIG_PATH search with AUTOMAKE.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-15 13:30:17 -07:00
Tom Eastep
3c80439a39 Update known problems with problems corrected in 4.4.20.3
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-15 13:28:16 -07:00
Tom Eastep
dd16805fa8 Have AUTOMAKE follow CONFIG_PATH
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-15 13:25:12 -07:00
Tom Eastep
1b5207861d Odd capitalization to make annotate.pl work
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-14 07:40:07 -07:00
Tom Eastep
cb701795f1 Update release notes.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-14 07:18:07 -07:00
Tom Eastep
7ee8e2eb03 Don't generate INPUT hairpin rules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-14 07:17:57 -07:00
Tom Eastep
f04321592c Document wildcard interface sfilter exemption.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-14 06:51:17 -07:00
Tom Eastep
4d08ad0eea Exempt wildcard interfaces from sfilter
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-14 06:46:02 -07:00
Tom Eastep
fb8f66af61 Apply Tuomo's patch for the .conf manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-13 07:04:07 -07:00
Tom Eastep
73b9198d6d Quell compiler warnings from Perl 5.14.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-13 06:39:38 -07:00
Tom Eastep
5d8e6ac6d3 Version to .3 2011-06-12 15:41:48 -07:00
Tom Eastep
9e913e77e9 Document dropping of deprecated options 2011-06-12 14:00:21 -07:00
Tom Eastep
fa2e2807d4 Delete deprecated options from the .conf files
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-12 13:47:19 -07:00
Tom Eastep
156f1bcc7d Apply Tuomo Soini's patch
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-12 07:23:05 -07:00
Tom Eastep
a82c3f1471 Improvements to interfaces manpages
- Indicate when 'routefilter' cannot be used.
- Clarify use of 'sfilter'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-11 06:42:03 -07:00
Tom Eastep
c5aa17017d Make zones with multiple interfaces complex
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-10 13:00:58 -07:00
Tom Eastep
051f09c35d Set the interface routeback option if there are any IP host groups with 'routeback'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-10 10:29:21 -07:00
Tom Eastep
c633cb2743 Correct manpages: filter->sfilter
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-10 06:04:11 -07:00
Tom Eastep
60b8e92dc1 Don't leave unused sfilter chains in the config
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-09 17:09:53 -07:00
Tom Eastep
f5bda84e79 Couple of tweaks 2011-06-09 16:54:32 -07:00
Tom Eastep
76e68bd04b Jump (don't go) to sfilter1
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-09 14:15:29 -07:00
Tom Eastep
41a500c342 Update release docs
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-09 13:59:36 -07:00
Tom Eastep
e76835504b Don't move rules from a chain with references
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-09 13:35:49 -07:00
Tom Eastep
251da23cb5 Fix FORWARD with ipsec dest
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-09 09:57:45 -07:00
Tom Eastep
6a04e242ac Update release docs
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-09 07:41:02 -07:00
Tom Eastep
fe0bedacfc Exempt ipsec from sfilter
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-09 07:40:40 -07:00
Tom Eastep
4ce751469b Correct typo in the shorewall-providers manpage
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-08 14:38:18 -07:00
Tom Eastep
94cdf24c7f Improve wording in release notes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-08 11:03:47 -07:00
Tom Eastep
b0c47d4f47 Document application of sfilters to INPUT traffic.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-08 11:02:39 -07:00
Tom Eastep
6f3f49e45a Apply sfilter to INPUT as well as FORWARD
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-08 09:41:11 -07:00
Tom Eastep
78004dae80 Update known problems and release notes 2011-06-07 16:58:44 -07:00
Tom Eastep
57398c683a Initiate 4.4.20.2
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-07 13:23:27 -07:00
Tom Eastep
deb7d92ded Correct sfq handle assignment
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-07 13:23:12 -07:00
Tom Eastep
e69f22725f Add fix inadvertently dropped from 4.4.19.4
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-07 12:50:24 -07:00
45 changed files with 400 additions and 164 deletions

View File

@ -29,8 +29,6 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
@ -39,8 +37,6 @@ LOGTAGONLY=No
LOGLIMIT= LOGLIMIT=
LOGRATE=
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info SFILTER_LOG_LEVEL=info
@ -134,8 +130,6 @@ EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=Yes FASTACCEPT=Yes
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=
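Review bot: the keys removed here (EXPORTPARAMS in this hunk, LOGBURST and LOGRATE in the two hunks above) disappear from the shipped .conf with no replacement comment, so a user diffing their own config against the new sample cannot tell whether the options were dropped or merely left at their default; the release-notes hunk further down says the options "remain in the man pages", so a one-line pointer in the file header, or a changelog entry naming the three options, would make the removal discoverable. Also worth confirming that the compiler still accepts these names in user configs carried over from 4.4.20.1, since LOGLIMIT stays while its LOGRATE/LOGBURST companions go.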

View File

@ -40,8 +40,6 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
@ -50,8 +48,6 @@ LOGTAGONLY=No
LOGLIMIT= LOGLIMIT=
LOGRATE=
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info SFILTER_LOG_LEVEL=info
@ -145,8 +141,6 @@ EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=No FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=

View File

@ -38,8 +38,6 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
@ -48,8 +46,6 @@ LOGTAGONLY=No
LOGLIMIT= LOGLIMIT=
LOGRATE=
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info SFILTER_LOG_LEVEL=info
@ -143,8 +139,6 @@ EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=No FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=

View File

@ -41,8 +41,6 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
@ -51,8 +49,6 @@ LOGTAGONLY=No
LOGLIMIT= LOGLIMIT=
LOGRATE=
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info SFILTER_LOG_LEVEL=info
@ -146,8 +142,6 @@ EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=No FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=

View File

@ -28,16 +28,12 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE= LOGFILE=
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
LOGLIMIT= LOGLIMIT=
LOGRATE=
LOGTAGONLY=No LOGTAGONLY=No
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=Yes FASTACCEPT=Yes
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=

View File

@ -28,16 +28,12 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE= LOGFILE=
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
LOGLIMIT= LOGLIMIT=
LOGRATE=
LOGTAGONLY=No LOGTAGONLY=No
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
@ -125,8 +121,6 @@ EXPAND_POLICIES=No
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=No FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=

View File

@ -28,16 +28,12 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
LOGLIMIT= LOGLIMIT=
LOGRATE=
LOGTAGONLY=No LOGTAGONLY=No
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=No FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=

View File

@ -28,16 +28,12 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
LOGLIMIT= LOGLIMIT=
LOGRATE=
LOGTAGONLY=No LOGTAGONLY=No
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
@ -125,8 +121,6 @@ EXPAND_POLICIES=No
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=No FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=

View File

@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall-init %define name shorewall-init
%define version 4.4.20 %define version 4.4.20
%define release 1 %define release 4
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name} Name: %{name}
@ -119,6 +119,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-4
* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-3
* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-2
* Mon Jun 06 2011 Tom Eastep tom@shorewall.net * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-1 - Updated to 4.4.20-1
* Tue May 31 2011 Tom Eastep tom@shorewall.net * Tue May 31 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.4.20 %define version 4.4.20
%define release 1 %define release 4
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -103,6 +103,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-4
* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-3
* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-2
* Mon Jun 06 2011 Tom Eastep tom@shorewall.net * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-1 - Updated to 4.4.20-1
* Tue May 31 2011 Tom Eastep tom@shorewall.net * Tue May 31 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1026,6 +1026,10 @@ sub use_forward_chain($$) {
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 ); return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
# #
# Use it if we already have jumps to it
#
return 1 if keys %{$chainref->{references}};
#
# We must use the interfaces's chain if the interface is associated with multiple zones # We must use the interfaces's chain if the interface is associated with multiple zones
# #
return 1 if ( keys %{interface_zones $interface} ) > 1; return 1 if ( keys %{interface_zones $interface} ) > 1;
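Review bot: the new early return `return 1 if keys %{$chainref->{references}};` sits after the OPTIMIZE & 4096 test, so an interface forward chain that is already the target of a jump is always kept rather than having its rules hoisted into FORWARD; that matches commit e76835504b ("Don't move rules from a chain with references") and appears to be the fix for the iptables-restore "Couldn't load target `dsl0_fwd'" failure listed as item 5 in the known-problems hunk below, where a chain was optimized away while a -j to it remained. Suggest saying so in the comment: "Use it if we already have jumps to it" does not say what goes wrong otherwise, and a dangling jump to a chain that no longer exists is exactly what iptables-restore rejects.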
@ -1592,24 +1596,24 @@ sub initialize_chain_table($) {
'DEL' => STANDARD + SET, 'DEL' => STANDARD + SET,
); );
for my $chain qw(OUTPUT PREROUTING) { for my $chain ( qw(OUTPUT PREROUTING) ) {
new_builtin_chain 'raw', $chain, 'ACCEPT'; new_builtin_chain 'raw', $chain, 'ACCEPT';
} }
for my $chain qw(INPUT OUTPUT FORWARD) { for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
new_builtin_chain 'filter', $chain, 'DROP'; new_builtin_chain 'filter', $chain, 'DROP';
} }
for my $chain qw(PREROUTING POSTROUTING OUTPUT) { for my $chain ( qw(PREROUTING POSTROUTING OUTPUT) ) {
new_builtin_chain 'nat', $chain, 'ACCEPT'; new_builtin_chain 'nat', $chain, 'ACCEPT';
} }
for my $chain qw(PREROUTING INPUT OUTPUT ) { for my $chain ( qw(PREROUTING INPUT OUTPUT ) ) {
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
} }
if ( have_capability( 'MANGLE_FORWARD' ) ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
for my $chain qw( FORWARD POSTROUTING ) { for my $chain ( qw( FORWARD POSTROUTING ) ) {
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
} }
} }
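Review bot: wrapping each bare qw(...) list in parentheses in the for loops of this hunk is the right fix for Perl 5.14, which warns "Use of qw(...) as parentheses is deprecated" for the bare form (later Perls reject it outright), and it changes no behaviour. The same mechanical edit recurs in the hunks below for initialize_chain_table (second copy), create_chainlist_reload, generate_script_1, get_configuration, generate_aux_config, generate_matrix and process_policies; one changelog line naming the Perl 5.14 warning (commit 73b9198d6d) would cover all of them, since none of the release notes in this compare mention it.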
@ -1635,19 +1639,19 @@ sub initialize_chain_table($) {
'DEL' => STANDARD + SET, 'DEL' => STANDARD + SET,
); );
for my $chain qw(OUTPUT PREROUTING) { for my $chain ( qw(OUTPUT PREROUTING) ) {
new_builtin_chain 'raw', $chain, 'ACCEPT'; new_builtin_chain 'raw', $chain, 'ACCEPT';
} }
for my $chain qw(INPUT OUTPUT FORWARD) { for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
new_builtin_chain 'filter', $chain, 'DROP'; new_builtin_chain 'filter', $chain, 'DROP';
} }
for my $chain qw(PREROUTING POSTROUTING OUTPUT) { for my $chain ( qw(PREROUTING POSTROUTING OUTPUT) ) {
new_builtin_chain 'nat', $chain, 'ACCEPT'; new_builtin_chain 'nat', $chain, 'ACCEPT';
} }
for my $chain qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) { for my $chain ( qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) ) {
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
} }
} }
@ -2884,6 +2888,8 @@ sub get_set_flags( $$ ) {
my ( $setname, $option ) = @_; my ( $setname, $option ) = @_;
my $options = $option; my $options = $option;
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
$ipset_rules++; $ipset_rules++;
$setname =~ s/^!//; # Caller has already taken care of leading ! $setname =~ s/^!//; # Caller has already taken care of leading !
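Review bot: moving require_capability('IPSET_MATCH', ...) into get_set_flags means the capability probe now runs on every path that builds set flags, not only through match_source_net and match_dest_net (whose copies are deleted in the next two hunks); that is presumably what makes commit 94dbfff034 ("Be sure to detect IPSET_MATCH before OLD_IPSET_MATCH") hold, since the order in which the two capabilities are probed decides between --match-set and the deprecated --set, as the 4.4.20.4 release note on LOAD_HELPERS_ONLY=Yes describes. get_set_flags is now the single choke point, so any remaining caller that emits "-m set" without going through it would still miss the probe; a short comment above the require_capability line stating the ordering requirement would stop someone moving it back into the callers.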
@ -2982,7 +2988,6 @@ sub match_source_net( $;$\$ ) {
} }
if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) { if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
} }
@ -3032,7 +3037,6 @@ sub match_dest_net( $ ) {
} }
if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) { if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ); return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
} }
@ -4830,7 +4834,7 @@ sub create_chainlist_reload($) {
enter_cat_mode; enter_cat_mode;
for $table qw(raw nat mangle filter) { for $table ( qw(raw nat mangle filter) ) {
my $tableref=$chains{$table}; my $tableref=$chains{$table};
next unless $tableref; next unless $tableref;

View File

@ -108,7 +108,7 @@ sub generate_script_1( $ ) {
################################################################################ ################################################################################
EOF EOF
for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ { for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
emit "\nrun_${exit}_exit() {"; emit "\nrun_${exit}_exit() {";
push_indent; push_indent;
append_file $exit or emit 'true'; append_file $exit or emit 'true';
@ -116,7 +116,7 @@ EOF
emit '}'; emit '}';
} }
for my $exit qw/isusable findgw/ { for my $exit ( qw/isusable findgw/ ) {
emit "\nrun_${exit}_exit() {"; emit "\nrun_${exit}_exit() {";
push_indent; push_indent;
append_file($exit, 1) or emit 'true'; append_file($exit, 1) or emit 'true';

View File

@ -420,7 +420,7 @@ sub initialize( $ ) {
EXPORT => 0, EXPORT => 0,
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.20.1", VERSION => "4.4.20.4",
CAPVERSION => 40417 , CAPVERSION => 40417 ,
); );
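Review bot: VERSION is bumped to 4.4.20.4 but CAPVERSION stays at 40417 in this hunk; since this compare changes the order in which IPSET_MATCH and OLD_IPSET_MATCH are detected, it is worth checking whether a capabilities file captured under the old order can carry the wrong flag into a compile (the LOAD_HELPERS_ONLY=Yes case in the 4.4.20.4 release note). If it can, CAPVERSION should be bumped so that previously captured capabilities files are rejected rather than silently reused.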
# #
@ -3474,7 +3474,7 @@ sub get_configuration( $ ) {
fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} if $config{IPSECFILE} eq 'ipsec'; fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} if $config{IPSECFILE} eq 'ipsec';
fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}" unless $config{IPSECFILE} eq 'zones'; fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}" unless $config{IPSECFILE} eq 'zones';
for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ { for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none'; $config{$default} = 'none' if "\L$config{$default}" eq 'none';
} }
@ -3679,7 +3679,7 @@ sub generate_aux_config() {
emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#"; emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) { for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
conditionally_add_option $option; conditionally_add_option $option;
} }

View File

@ -477,6 +477,7 @@ sub add_common_rules() {
my $interface; my $interface;
my $chainref; my $chainref;
my $target; my $target;
my $target1;
my $rule; my $rule;
my $list; my $list;
my $chain; my $chain;
@ -496,15 +497,14 @@ sub add_common_rules() {
setup_mss; setup_mss;
if ( $config{FASTACCEPT} ) { add_rule( $filter_table->{OUTPUT} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) if ( $config{FASTACCEPT} );
add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT );
}
my $policy = $config{SFILTER_DISPOSITION}; my $policy = $config{SFILTER_DISPOSITION};
$level = $config{SFILTER_LOG_LEVEL}; $level = $config{SFILTER_LOG_LEVEL};
my $audit = $policy =~ s/^A_//; my $audit = $policy =~ s/^A_//;
my $ipsec = have_ipsec ? '-m policy --pol none --dir in ' : '';
if ( $level || $audit ) { if ( $level || $audit || $ipsec ) {
$chainref = new_standard_chain 'sfilter'; $chainref = new_standard_chain 'sfilter';
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
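Review bot: this hunk drops INPUT from the blanket FASTACCEPT rule (`... for qw( INPUT OUTPUT )` becomes OUTPUT only), and that is required for the INPUT sfilter rules added in a later hunk to see any packets: with the ESTABLISHED,RELATED accept at the top of INPUT, every packet of an established flow skipped sfilter, which is the "sfilter is ineffective with FASTACCEPT=Yes" condition this series removes. Two things to check: the INPUT fast-accept now lives only in the per-interface input chains, so verify that traffic on interfaces excluded from that loop (the %vserver% pseudo-interface is grepped out) still gets an ESTABLISHED,RELATED accept somewhere; and `$ipsec` deliberately ends with a trailing space because it is concatenated onto match strings later (`match_source_net( $_ ) . $ipsec`), which deserves a comment, since trimming it would silently produce an invalid rule.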
@ -514,10 +514,26 @@ sub add_common_rules() {
add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1; add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
$target = 'sfilter'; $target = 'sfilter';
if ( $ipsec ) {
$chainref = new_standard_chain 'sfilter1';
add_rule ( $chainref, '-m policy --pol ipsec --dir out -j RETURN' );
log_rule $level , $chainref , $policy , '' if $level ne '';
add_rule( $chainref, '-j AUDIT --type ' . lc $policy ) if $audit;
add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
$target1 = 'sfilter1';
}
} elsif ( ( $target = $policy ) eq 'REJECT' ) { } elsif ( ( $target = $policy ) eq 'REJECT' ) {
$target = 'reject'; $target = 'reject';
} }
$target1 = $target unless $target1;
for $interface ( grep $_ ne '%vserver%', all_interfaces ) { for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ); ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
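Review bot: the new sfilter1 block duplicates the three lines that build sfilter (log_rule, the AUDIT rule, add_jump to the disposition) and differs only in the leading `-m policy --pol ipsec --dir out -j RETURN`; factoring the shared tail into a small helper would keep the two chains from drifting apart, since any later change to the logging or audit line must now be made twice. That RETURN is also what makes commit 76e68bd04b ("Jump (don't go) to sfilter1") necessary: callers must -j rather than -g so the RETURN lands back in the interface chain, and the `! $ipsec` goto flag in the forward-chain hunk below encodes exactly that. A comment at `$chainref = new_standard_chain 'sfilter1';` explaining that forwarded packets with an outbound IPSEC policy are exempted here, while unprotected inbound packets are selected by the `--pol none --dir in` match at the jump, would make the pairing clear. `$target1 = $target unless $target1;` after the elsif relies on $target1 being undef in both the non-ipsec and the plain-policy branches; correct, but worth stating.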
@ -530,21 +546,34 @@ sub add_common_rules() {
$chainref = $filter_table->{forward_chain $interface}; $chainref = $filter_table->{forward_chain $interface};
if ( @filters ) { if ( @filters ) {
add_jump( $chainref , $target, 1, match_source_net( $_ ) ), $chainref->{filtered}++ for @filters; add_jump( $chainref , $target1, ! $ipsec, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++ for @filters;
} elsif ( $interfaceref->{bridge} eq $interface ) { } elsif ( $interfaceref->{bridge} eq $interface ) {
add_jump( $chainref , $target, 1, match_dest_dev( $interface ) ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter}; add_jump( $chainref , $target1, ! $ipsec, match_dest_dev( $interface ) . $ipsec ), $chainref->{filtered}++
unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter} || $interfaceref->{physical} eq '+';
} }
add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT}; add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
add_jump( $chainref, $dynamicref, 0, $state ), $chainref->{filtered}++ if $dynamicref; add_jump( $chainref, $dynamicref, 0, $state ), $chainref->{filtered}++ if $dynamicref;
$chainref = $filter_table->{input_chain $interface};
if ( @filters ) {
add_jump( $chainref , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++ for @filters;
}
add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
add_jump( $chainref, $dynamicref, 0, $state ), $chainref->{filtered}++ if $dynamicref;
} }
} }
# #
# Delete 'sfilter' chain unless there are referenced to it # Delete 'sfilter' chains unless there are referenced to them
# #
$chainref->{referenced} = 0 unless keys %{($chainref = $filter_table->{sfilter})->{references}}; for ( qw/sfilter sfilter1/ ) {
if ( $chainref = $filter_table->{$_} ) {
$chainref->{referenced} = 0 unless keys %{$chainref->{references}};
}
}
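Review bot: the INPUT branch added here jumps to `$target` with goto flag 1 while the FORWARD branch above it now uses `$target1` with `! $ipsec`; that is consistent (sfilter never RETURNs, only sfilter1 does, and a packet addressed to the firewall has no outbound IPSEC policy to exempt), but without a comment the asymmetry reads like an oversight. The `$interfaceref->{physical} eq '+'` exemption on the bridge rule is the fix for known-problem 7 (a single wildcard interface blocks all incoming packets), presumably because the dest-dev match on '+' matched every device and the rule became a drop-all; say so next to it. Two nits: the comment reads "unless there are referenced to them" (should be "references"), and `$chainref->{filtered}++` on the INPUT ESTABLISHED,RELATED rule means the fast-accept now sits after the sfilter jumps in the interface input chain, which is the intended ordering and would be worth calling out next to the FASTACCEPT change earlier in this function.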
run_user_exit1 'initdone'; run_user_exit1 'initdone';
@ -1796,7 +1825,7 @@ sub generate_matrix() {
} }
if ( $config{LOGALLNEW} ) { if ( $config{LOGALLNEW} ) {
for my $table qw/mangle nat filter/ { for my $table ( qw/mangle nat filter/ ) {
for my $chain ( @{$builtins{$table}} ) { for my $chain ( @{$builtins{$table}} ) {
log_rule_limit log_rule_limit
$config{LOGALLNEW} , $config{LOGALLNEW} ,

View File

@ -460,7 +460,7 @@ sub process_policies()
my $firewall = firewall_zone; my $firewall = firewall_zone;
our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' ); our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) { for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
my $action = $config{$option}; my $action = $config{$option};
next if $action eq 'none'; next if $action eq 'none';
my $actiontype = $targets{$action}; my $actiontype = $targets{$action};

View File

@ -1309,6 +1309,13 @@ sub process_tc_priority() {
return; return;
} }
fatal_error "Invalid tcpri entry" if ( $proto eq '-' &&
$ports eq '-' &&
$address eq '-' &&
$interface eq '-' &&
$helper eq '-' );
my $val = numeric_value $band; my $val = numeric_value $band;
fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3; fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
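Review bot: the new fatal_error fires when PROTO, PORT(S), ADDRESS, INTERFACE and HELPER are all '-', that is an entry with no selector at all, which presumably would otherwise classify every packet into the given band; the message "Invalid tcpri entry" does not say why, so something like "Invalid tcpri entry: at least one of PROTO, PORT(S), ADDRESS, INTERFACE or HELPER must be specified" would save the user a trip to the manpage. The five-way && chain could also be a `grep { $_ ne '-' }` over the five columns, but that is cosmetic.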
@ -1402,7 +1409,7 @@ sub setup_traffic_shaping() {
validate_tc_device while read_a_line; validate_tc_device while read_a_line;
} }
my $sfq = $devnum; my $sfq = 0;
my $sfqinhex; my $sfqinhex;
$devnum = $devnum > 10 ? 10 : 1; $devnum = $devnum > 10 ? 10 : 1;
@ -1546,7 +1553,9 @@ sub setup_traffic_shaping() {
} }
if ( $tcref->{leaf} && ! $tcref->{pfifo} ) { if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
$sfqinhex = in_hexp( ++$sfq); 1 while $devnums[++$sfq];
$sfqinhex = in_hexp( $sfq);
if ( $devref->{qdisc} eq 'htb' ) { if ( $devref->{qdisc} eq 'htb' ) {
emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ); emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
} else { } else {
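Review bot: the two changes here (`my $sfq = 0;` and `1 while $devnums[++$sfq];` in place of `in_hexp( ++$sfq )` seeded from $devnum) are the fix for the start-time failure quoted in the known-problems hunk (`tc qdisc add dev eth0 parent 1:11 handle 1: sfq ...` failed): seeding the sfq handle counter from $devnum collided with a handle already assigned to a device when explicit interface numbers are used in tcdevices. The while loop now skips any index already occupied in @devnums, which assumes @devnums is indexed by device number and fully populated before this loop runs; a comment saying so at the `1 while` line would help, since a side-effecting condition on `1 while` is easy to misread. Also confirm that a device handle allocated later in the same setup_traffic_shaping run cannot collide with an sfq handle already handed out by this loop.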

View File

@ -745,6 +745,8 @@ sub add_group_to_zone($$$$$)
hosts => \@newnetworks, hosts => \@newnetworks,
ipsec => $type == IPSEC ? 'ipsec' : 'none' , ipsec => $type == IPSEC ? 'ipsec' : 'none' ,
exclusions => \@exclusions }; exclusions => \@exclusions };
$interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
} }
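Review bot: `$interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );` promotes a host-group routeback option to the interface (commit 051f09c35d), which the sfilter bridge rule in add_common_rules consults via `$interfaceref->{options}{routeback}`; that is the right place for it, but the exclusion of IPSEC groups deserves a comment, since a reader will otherwise wonder why an ipsec host group with routeback leaves the interface option unset. Because this runs on every add_group_to_zone call, the relative order of the hosts and interfaces files no longer matters for this option, which is good.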
# #
@ -1059,10 +1061,7 @@ sub process_interface( $$ ) {
# #
$hostoptions{broadcast} = 1; $hostoptions{broadcast} = 1;
} elsif ( $option eq 'sfilter' ) { } elsif ( $option eq 'sfilter' ) {
warning_message "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
$filterref = [ split_list $value, 'address' ]; $filterref = [ split_list $value, 'address' ];
validate_net( $_, 1) for @{$filterref} validate_net( $_, 1) for @{$filterref}
} else { } else {
assert(0); assert(0);
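Review bot: removing the "sfilter is ineffective with FASTACCEPT=Yes" warning is correct only together with the add_common_rules change that moves the INPUT ESTABLISHED,RELATED accept below the sfilter jumps; if that change is ever reverted, this warning must come back. The release note only says the warning was "incorrect", so a changelog line tying the two changes together would help prevent that regression.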
@ -1835,6 +1834,8 @@ sub validate_hosts_file()
$have_ipsec = $ipsec || haveipseczones; $have_ipsec = $ipsec || haveipseczones;
$_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
} }
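Review bot: `$_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;` relies on keys being a named unary operator that binds tighter than `>`; it parses as intended, but the use_forward_chain hunk above writes the same test as `( keys %{...} ) > 1`, so adding the parentheses here keeps the two consistent and spares the next reader a precedence check. Commit c5aa17017d gives no reason why a zone with more than one interface must be complex; a one-line comment would help.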
# #

View File

@ -1,3 +1,27 @@
Changes in Shorewall 4.4.20.4
1) Have AUTOMAKE follow CONFIG_PATH
2) Be sure to detect IPSET_MATCH before OLD_IPSET_MATCH.
Changes in Shorewall 4.4.20.3
1) Remove deprecated options from the .conf files.
2) Exempt wildcard interfaces from sfilter.
Changes in Shorewall 4.4.20.2
1) Reject degenerate tcpri entries.
2) Correct tc defect.
3) Apply sfilters to INPUT traffic.
4) Exclude ipsec traffic from sfilter.
5) Fix an interesting defect.
Changes in Shorewall 4.4.20.1 Changes in Shorewall 4.4.20.1
1) Corrected FSF address. 1) Corrected FSF address.
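Review bot: changelog entry "5) Fix an interesting defect." under 4.4.20.2 is not actionable; the corresponding release-notes item 5 (iptables-restore "Couldn't load target" failure) and commit e76835504b ("Don't move rules from a chain with references") describe it, so the changelog line should name it, e.g. "Don't move rules out of an interface chain that still has references (iptables-restore failure)". Likewise "2) Correct tc defect." could name the sfq handle collision, and the Perl 5.14 qw warning fix (commit 73b9198d6d) is not listed at all.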

View File

@ -6,6 +6,6 @@
# The manpage is also online at # The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html # http://www.shorewall.net/manpages/shorewall-masq.html
# #
############################################################################### #############################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP # GROUP

View File

@ -29,14 +29,10 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGLIMIT=
@ -134,8 +130,6 @@ EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=No FASTACCEPT=No
FORWARD_CLEAR_MARK= FORWARD_CLEAR_MARK=

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,4 +1,70 @@
1) On systems running Upstart, shorewall-init cannot reliably secure 1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up. the firewall before interfaces are brought up.
2) The 4.4.20 Shorewall6 installer always installs the 'plain'
(unannotated) version of shorewall6.conf, regardless of the '-p'
option.
Corrected in 4.4.20.1
3) Fixed item 1 from 4.4.19.4 was inadvertently omitted from
4.4.20.
Corrected in 4.4.20.2
2) A defect introduced in 4.4.20 can cause the following failure at
start/restart:
ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1:
sfq quantum 12498 limit 127 perturb 10" failed
The error occurs when explicit interface numbers are assigned in
/etc/shorewall/tcdevices and the default HTB queuing discipline is
used.
Corrected in 4.4.20.2
3) The 'sfilter' interface option introduced in 4.4.20 is not applied
to traffic addressed to the firewall itself.
Corrected in 4.4.20.2
4) IPSEC traffic is incorrectly included in the rules generated by
sfiltering.
Corrected in 4.4.20.2
5) Shorewall 4.4.20 can, under some circumstances, fail during
iptables-restore with a message such as the following:
iptables-restore v1.4.10: Couldn't load target
`dsl0_fwd':/usr/lib/xtables/libipt_dsl0_fwd.so: cannot open shared object
file: No such file or directory
Error occurred at line: 113
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Corrected in 4.4.20.2
6) The following extraneous warning message may be ignored:
WARNING: sfilter is ineffective with FASTACCEPT=Yes
Corrected in 4.4.20.2
7) A simple configuration like the 'Universal' sample that includes a
single wildcard interface ('+' in the INTERFACE column) produces a
ruleset that blocks all incoming packets.
Workaround: Add the 'routeback' option to the entry in
/etc/shorewall/interfaces.
Corrected in 4.4.20.3
8) AUTOMAKE only searches /etc/shorewall[6] for files newer than the
current compiled script (/var/lib/shorewall[6]/firewall) and not
the entire CONFIG_PATH.
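Review bot: the item numbering in this hunk is inconsistent: the list runs 1, 2, 3 and then restarts at 2 for the 4.4.20.2 block before continuing 3 to 8, so there are two items 3 and two items 2; either number the list continuously or put a version heading before each block. Item 8 (AUTOMAKE and CONFIG_PATH) shows no "Corrected in 4.4.20.4" line within this hunk although the release-notes hunk below lists it as fixed in 4.4.20.4, and the 4.4.20.4 IPSET_MATCH/--set item in the release notes has no known-problems entry at all.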

View File

@ -1,5 +1,5 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 20 . 1 S H O R E W A L L 4 . 4 . 20 . 3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE I. PROBLEMS CORRECTED IN THIS RELEASE
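Review bot: the banner line is bumped only to `S H O R E W A L L 4 . 4 . 20 . 3`, yet the next hunk of this file adds a 4.4.20.4 section and the spec files and VERSION lines elsewhere in this compare already say 4.4.20.4; the banner should read 4.4.20.4 in the same change.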
@ -12,6 +12,64 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
4.4.20.4
1) Previously, AUTOMAKE only searched /etc/shorewall[6] for files
newer than the current compiled script
(/var/lib/shorewall[6]/firewall). Now it searches the entire
CONFIG_PATH for such files.
2) With LOAD_HELPERS_ONLY=Yes, the compiler could use the deprectated
--set parameter to the ipset match when --match-set was
appropriate.
4.4.20.3
1) Deprecated options have been removed from the .conf files.
They remain in the man pages.
2) A simple configuration like the 'Universal' sample that includes a
single wildcard interface ('+' in the INTERFACE column) produces a
ruleset that blocks all incoming packets.
As part of correcting this defect, which was introduced in
4.4.20.2, one or more superfluous rules (which could never match)
have been eliminated from most configurations.
4.4.20.2
1) Problem Corrected #1 from 4.4.19.4 was inadvertently omitted from
4.4.20. It is now included.
2) A defect introduced in 4.4.20 could cause the following failure at
start/restart:
ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1:
sfq quantum 12498 limit 127 perturb 10" failed
3) The 'sfilter' interface option introduced in 4.4.20 was only
applied to forwarded traffic. Now it is also applied to traffic
addressed to the firewall itself.
4) IPSEC traffic is now (correctly) excluded from sfilter.
5) Shorewall 4.4.20 could, under some circumstances, fail during
iptables-restore with a message such as the following:
iptables-restore v1.4.10: Couldn't load target
`dsl0_fwd':/usr/lib/xtables/libipt_dsl0_fwd.so: cannot open shared object
file: No such file or directory
Error occurred at line: 113
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
6) The following incorrect warning message has been eliminated:
WARNING: sfilter is ineffective with FASTACCEPT=Yes
4.4.20.1 4.4.20.1
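Review bot: typo in 4.4.20.4 item 2: "deprectated" should be "deprecated". Also, 4.4.20.3 item 2 describes the wildcard-interface defect in the present tense ("produces a ruleset that blocks all incoming packets") and never states that it is fixed; every other entry in this section is worded as a corrected problem, so "produced a ruleset ..." followed by the sentence on the superfluous rules would read consistently.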

View File

@ -330,7 +330,24 @@ startup_error() {
# Determine if there are config files newer than the passed object # Determine if there are config files newer than the passed object
# #
uptodate() { uptodate() {
[ -f $1 ] && [ -z "$(find ${CONFDIR} -newer $1)" ] [ -f $1 ] || return 1
local dir
local ifs
ifs="$IFS"
IFS=':'
for dir in $CONFIG_PATH; do
if [ -n "$(find ${dir} -newer $1)" ]; then
IFS="$ifs"
return 1;
fi
done
IFS="$ifs"
return 0
} }
# #
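Review bot: `[ -f $1 ]` and `find ${dir} -newer $1` leave `$1` and `${dir}` unquoted, so a compiled-script path or a CONFIG_PATH component containing whitespace breaks the up-to-date check; quote both (`[ -f "$1" ]`, `find "$dir" -newer "$1"`). Two behavioural points as well: a CONFIG_PATH component that does not exist makes `find` print an error to stderr on every check, so guard each iteration with `[ -d "$dir" ] || continue`; and when CONFIG_PATH is empty the loop body never runs and the function reports the script as up to date, whereas the replaced line always checked `${CONFDIR}`, so falling back to CONFDIR in that case would preserve the old behaviour. Style: the trailing semicolon on `return 1;` is unnecessary.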

View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 4.4.20 %define version 4.4.20
%define release 1 %define release 4
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -111,6 +111,12 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog %changelog
* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-4
* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-3
* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-2
* Mon Jun 06 2011 Tom Eastep tom@shorewall.net * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-1 - Updated to 4.4.20-1
* Tue May 31 2011 Tom Eastep tom@shorewall.net * Tue May 31 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall6-lite %define name shorewall6-lite
%define version 4.4.20 %define version 4.4.20
%define release 1 %define release 4
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -94,6 +94,12 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-4
* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-3
* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-2
* Mon Jun 06 2011 Tom Eastep tom@shorewall.net * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-1 - Updated to 4.4.20-1
* Tue May 31 2011 Tom Eastep tom@shorewall.net * Tue May 31 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -28,16 +28,12 @@ LOG_VERBOSITY=2
LOGALLNEW= LOGALLNEW=
LOGBURST=
LOGFILE=/var/log/messages LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
LOGLIMIT= LOGLIMIT=
LOGRATE=
LOGTAGONLY=No LOGTAGONLY=No
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
EXPORTPARAMS=No
FASTACCEPT=No FASTACCEPT=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=Yes

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -330,7 +330,24 @@ startup_error() {
# Determine if there are config files newer than the passed object # Determine if there are config files newer than the passed object
# #
uptodate() { uptodate() {
[ -f $1 ] && [ -z "$(find ${CONFDIR} -newer $1)" ] [ -f $1 ] || return 1
local dir
local ifs
ifs="$IFS"
IFS=':'
for dir in $CONFIG_PATH; do
if [ -n "$(find ${dir} -newer $1)" ]; then
IFS="$ifs"
return 1;
fi
done
IFS="$ifs"
return 0
} }
# #
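Review bot: this is the same rewrite as in the shorewall copy of uptodate() and has the same issues: `$1` and `${dir}` are unquoted in `[ -f $1 ]` and `find ${dir} -newer $1` (quote them), a missing CONFIG_PATH directory makes `find` emit an error on every check (add `[ -d "$dir" ] || continue`), and an empty CONFIG_PATH now returns 0 without looking at `${CONFDIR}`, which the old single-line test always examined. Since the two copies are identical, keeping them byte-for-byte in sync when fixing these will avoid the IPv4 and IPv6 tools diverging.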

View File

@ -1,6 +1,6 @@
%define name shorewall6 %define name shorewall6
%define version 4.4.20 %define version 4.4.20
%define release 1 %define release 4
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@ -101,6 +101,12 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog %changelog
* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-4
* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-3
* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-2
* Mon Jun 06 2011 Tom Eastep tom@shorewall.net * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-1 - Updated to 4.4.20-1
* Tue May 31 2011 Tom Eastep tom@shorewall.net * Tue May 31 2011 Tom Eastep tom@shorewall.net

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.20.1 VERSION=4.4.20.4
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -312,18 +312,6 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>filter=(<emphasis>net</emphasis>[,...])</term>
<listitem>
<para>Added in Shorewall 4.4.20. This option should be used on
bridges or other interfaces with the
<option>routeback</option> option. On these interfaces, it
should list those local networks that are not routed out of
the bridge or interface.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">logmartians[={0|1}]</emphasis></term> role="bold">logmartians[={0|1}]</emphasis></term>
@ -564,6 +552,49 @@ loc eth2 -</programlisting>
<para>This option can also be enabled globally in the <ulink <para>This option can also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para> file.</para>
<note>
<para>There are certain cases where
<option>routefilter</option> cannot be used on an
interface:</para>
<itemizedlist>
<listitem>
<para>If USE_DEFAULT_RT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) and
the interface is listed in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem>
<listitem>
<para>If there is an entry for the interface in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5)
that doesn't specify the <option>balance</option>
option.</para>
</listitem>
<listitem>
<para>If IPSEC is used to allow a road-warrior to have a
local address, then any interface through which the
road-warrior might connect cannot specify
<option>routefilter</option>.</para>
</listitem>
</itemizedlist>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>sfilter=(<emphasis>net</emphasis>[,...])</term>
<listitem>
<para>Added in Shorewall 4.4.20. This option provides an
anti-spoofing alternative to <option>routefilter</option> on
interfaces where that option cannot be used, but where the
<option>routeback</option> option is required (on a bridge,
for example). On these interfaces, <option>sfilter</option>
should list those local networks that are connected to the
firewall through other interfaces.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
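Review bot: the new sfilter entry does not mention that IPSEC traffic is excluded from the sfilter check, which the release notes in this compare record as 4.4.20.2 item 4. The routefilter note directly above names the IPSEC road-warrior case as a reason routefilter cannot be used, so a reader is steered to sfilter precisely in that situation; stating the exemption here (one sentence after "connected to the firewall through other interfaces") tells them that decapsulated road-warrior packets with a local source address will not be dropped.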

View File

@ -166,7 +166,7 @@
<para>Beginning with Shorewall 4.4.3, <option>track</option> <para>Beginning with Shorewall 4.4.3, <option>track</option>
defaults to the setting of the TRACK_PROVIDERS option in defaults to the setting of the TRACK_PROVIDERS option in
<ulink url="shorwewall.conf.html">shorewall.conf</ulink> (5). <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
If you set TRACK_PROVIDERS=Yes and want to override that If you set TRACK_PROVIDERS=Yes and want to override that
setting for an individual provider, then specify setting for an individual provider, then specify
<option>notrack</option> (see below).</para> <option>notrack</option> (see below).</para>
@ -340,12 +340,13 @@
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para> url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-policy(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

View File

@ -137,7 +137,7 @@
qdisc.Must be set to zero if the REDIRECTED INTERFACES column is qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
non-empty.</para> non-empty.</para>
<para>The optional burst option was added in Shorewall 4.4.13. The <para>The optional burst option was added in Shorewall 4.4.18. The
default <replaceable>burst</replaceable> is 10kb. A larger default <replaceable>burst</replaceable> is 10kb. A larger
<replaceable>burst</replaceable> can help make the <replaceable>burst</replaceable> can help make the
<replaceable>bandwidth</replaceable> more accurate; often for fast <replaceable>bandwidth</replaceable> more accurate; often for fast
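Review bot: the unchanged context line "qdisc.Must be set to zero" is missing a space after the period; since this paragraph is being touched for the burst version correction anyway, fix it in the same commit (the identical text appears in shorewall6-tcdevices.xml).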

View File

@ -576,10 +576,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<varlistentry> <varlistentry>
<term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis <term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>} role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
(Deprecated beginning with Shorewall 4.4.17)</term>
<listitem> <listitem>
<para>Deprecated in Shorewall 4.4.17.</para>
<para>Beginning with Shorewall 4.4.17, the variables set in the <para>Beginning with Shorewall 4.4.17, the variables set in the
'params' file at compile time are available at run time with 'params' file at compile time are available at run time with
EXPORTPARAMS=No. As a consequence, beginning with that version the EXPORTPARAMS=No. As a consequence, beginning with that version the
@ -965,10 +966,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<important> <important>
<para>To help insure that all packets in the NEW state are <para>To help insure that all packets in the NEW state are
logged, rate limiting (LOGBURST and LOGRATE) should be disabled logged, rate limiting (LOGLIMIT or deprecated options LOGBURST
when using LOGALLNEW. Use LOGALLNEW at your own risk; it may and LOGRATE) should be disabled when using LOGALLNEW. Use
cause high CPU and disk utilization and you may not be able to LOGALLNEW at your own risk; it may cause high CPU and disk
control your firewall after you enable this option.</para> utilization and you may not be able to control your firewall
after you enable this option.</para>
</important> </important>
<para></para> <para></para>
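Review bot: "insure" in the unchanged context line should be "ensure"; the paragraph is being rewrapped for the LOGLIMIT mention, so correct it here. The new parenthetical would also read more clearly as "(LOGLIMIT, or the deprecated LOGBURST and LOGRATE options)".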
@ -1054,7 +1056,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term> role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
<listitem> <listitem>
<para></para> <para>Deprecated in Shorewall 4.4.12.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
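Review bot: the LOGBURST entry now says only "Deprecated in Shorewall 4.4.12." and names no replacement; add a pointer to LOGLIMIT, which the LOGALLNEW text in this same file identifies as the current rate-limiting option, so that users migrating an old shorewall.conf know what to set instead.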

View File

@ -204,18 +204,6 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>filter=(<emphasis>net</emphasis>[,...])</term>
<listitem>
<para>Added in Shorewall 4.4.20. This option should be used on
bridges or other interfaces with the
<option>routeback</option> option. On these interfaces, it
should list those local networks that are not routed out of
the bridge or interface.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">forward</emphasis>[={0|1}]</term> <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
@ -349,6 +337,23 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>sfilter=(<emphasis>net</emphasis>[,...])</term>
<listitem>
<para>Added in Shorewall 4.4.20. At this writing (spring
2011), Linux does not support reverse path filtering (RFC3704)
for IPv6. In its absence, <option>sfilter</option> may be used
as an anti-spoofing measure.</para>
<para>This option should be used on bridges or other
interfaces with the <option>routeback</option> option. On
these interfaces, <option>sfilter</option> should list those
local networks that are connected to the firewall through
other interfaces.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">tcpflags</emphasis></term> <term><emphasis role="bold">tcpflags</emphasis></term>
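Review bot: "At this writing (spring 2011), Linux does not support reverse path filtering (RFC3704) for IPv6" is a dated claim that will go stale in a man page; tie it to a kernel version or drop the date and say simply that sfilter is the anti-spoofing measure available where reverse path filtering is not. As with the IPv4 entry, the text should also state that IPSEC traffic is excluded from sfilter (release notes, 4.4.20.2 item 4), since road-warrior traffic is a common reason to need this option on a bridge with routeback.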

View File

@ -138,7 +138,7 @@
qdisc.Must be set to zero if the REDIRECTED INTERFACES column is qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
non-empty.</para> non-empty.</para>
<para>The optional burst option was added in Shorewall6 4.4.13. The <para>The optional burst option was added in Shorewall6 4.4.18. The
default <replaceable>burst</replaceable> is 10kb. A larger default <replaceable>burst</replaceable> is 10kb. A larger
<replaceable>burst</replaceable> can help make the <replaceable>burst</replaceable> can help make the
<replaceable>bandwidth</replaceable> more accurate; often for fast <replaceable>bandwidth</replaceable> more accurate; often for fast
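Review bot: same missing space as in shorewall-tcdevices.xml: the context line "qdisc.Must be set to zero" needs a space after the period; fix it while this paragraph is being edited for the burst version.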

View File

@ -499,10 +499,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<varlistentry> <varlistentry>
<term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis <term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>} role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
(Deprecated beginning with Shorewall 4.4.17)</term>
<listitem> <listitem>
<para>Deprecated beginning with Shorewall 4.4.17.</para>
<para>Beginning with Shorewall 4.4.17, the variables set in the <para>Beginning with Shorewall 4.4.17, the variables set in the
'params' file at compile time are available at run time with 'params' file at compile time are available at run time with
EXPORTPARAMS=No. As a consequence, beginning with that version the EXPORTPARAMS=No. As a consequence, beginning with that version the
@ -842,10 +843,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<important> <important>
<para>To help insure that all packets in the NEW state are <para>To help insure that all packets in the NEW state are
logged, rate limiting (LOGBURST and LOGRATE) should be disabled logged, rate limiting (LOGLIMIT or deprecated options LOGBURST
when using LOGALLNEW. Use LOGALLNEW at your own risk; it may and LOGRATE) should be disabled when using LOGALLNEW. Use
cause high CPU and disk utilization and you may not be able to LOGALLNEW at your own risk; it may cause high CPU and disk
control your firewall after you enable this option.</para> utilization and you may not be able to control your firewall
after you enable this option.</para>
</important> </important>
<para></para> <para></para>
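Review bot: "insure" in the unchanged context should be "ensure"; since the paragraph is being rewrapped to mention LOGLIMIT, correct it in the same hunk. The parenthetical reads more naturally as "(LOGLIMIT, or the deprecated LOGBURST and LOGRATE options)".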
@ -930,7 +932,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term> role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
<listitem> <listitem>
<para></para> <para>Deprecated in Shorewall 4.4.12.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
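Review bot: as in shorewall.conf(5), the LOGBURST entry now reads only "Deprecated in Shorewall 4.4.12." with no replacement named; add a pointer to LOGLIMIT, which the LOGALLNEW text in this file identifies as the current rate-limiting option.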
@ -942,7 +944,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem> <listitem>
<para>As of Shorewall 4.4.12, these parameters are <para>As of Shorewall 4.4.12, these parameters are
deprecated.</para> Deprecated.</para>
<para>These parameters set the match rate and initial burst size for <para>These parameters set the match rate and initial burst size for
logged packets. Please see ip6tables(8) for a description of the logged packets. Please see ip6tables(8) for a description of the