diff -Naur shorewall-3.4.4/Samples/one-interface/interfaces shorewall-3.4.5/Samples/one-interface/interfaces --- shorewall-3.4.4/Samples/one-interface/interfaces 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/one-interface/interfaces 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Interfaces File for one-interface configuration. +# Shorewall version 4.0 - Sample Interfaces File for one-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or diff -Naur shorewall-3.4.4/Samples/one-interface/policy shorewall-3.4.5/Samples/one-interface/policy --- shorewall-3.4.4/Samples/one-interface/policy 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/one-interface/policy 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Policy File for one-interface configuration. +# Shorewall version 4.0 - Sample Policy File for one-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or diff -Naur shorewall-3.4.4/Samples/one-interface/rules shorewall-3.4.5/Samples/one-interface/rules --- shorewall-3.4.4/Samples/one-interface/rules 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/one-interface/rules 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Rules File for one-interface configuration. +# Shorewall version 4.0 - Sample Rules File for one-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or 
@@ -14,7 +14,7 @@ # For more information, see http://www.shorewall.net/Documentation.htm#Zones # ############################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP # Reject Ping from the "bad" net zone.. and prevent your log from being flooded.. diff -Naur shorewall-3.4.4/Samples/one-interface/shorewall.conf shorewall-3.4.5/Samples/one-interface/shorewall.conf --- shorewall-3.4.4/Samples/one-interface/shorewall.conf 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/one-interface/shorewall.conf 2007-07-03 13:32:01.000000000 -0700 @@ -27,6 +27,13 @@ VERBOSITY=1 ############################################################################### +# C O M P I L E R +# (setting this to 'perl' requires installation of Shorewall-perl) +############################################################################### + +SHOREWALL_COMPILER= + +############################################################################### # L O G G I N G ############################################################################### @@ -74,6 +81,8 @@ IPSECFILE=zones +LOCKFILE= + ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### 
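Review bot: `LOCKFILE=` is added to the sample with no comment, while the neighbouring new `SHOREWALL_COMPILER=` entry gets a header explaining its setting, so an admin reading this file cannot tell what an empty value means. A header in the file's own style above it, `# L O C K F I L E` followed by `# (empty selects the default lock file; see shorewall.conf(5))`, would keep the sample self-describing — the default's location is not shown in this diff, so confirm the wording against the man page. The same bare line is added to the three-interfaces and two-interfaces sample shorewall.conf files.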
@@ -84,6 +93,13 @@ QUEUE_DEFAULT="none" ############################################################################### +# R S H / R C P C O M M A N D S +############################################################################### + +RSH_COMMAND='ssh ${root}@${system} ${command}' +RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' + +############################################################################### # F I R E W A L L O P T I O N S ############################################################################### diff -Naur shorewall-3.4.4/Samples/one-interface/zones shorewall-3.4.5/Samples/one-interface/zones --- shorewall-3.4.4/Samples/one-interface/zones 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/one-interface/zones 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Zones File for one-interface configuration. +# Shorewall version 4.0 - Sample Zones File for one-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or diff -Naur shorewall-3.4.4/Samples/three-interfaces/interfaces shorewall-3.4.5/Samples/three-interfaces/interfaces --- shorewall-3.4.4/Samples/three-interfaces/interfaces 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/three-interfaces/interfaces 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Interfaces File for three-interface configuration. +# Shorewall version 4.0 - Sample Interfaces File for three-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or 
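Review bot: The new `RSH_COMMAND` and `RCP_COMMAND` lines are the only settings in this sample that hold a command template, yet the section header says nothing about what `${root}`, `${system}`, `${command}`, `${files}` and `${destination}` stand for or when they are substituted; the single quotes are evidently there to defer expansion, so an admin who "corrects" them to double quotes gets a command with empty fields. A comment above the two lines, `# Templates used to reach a remote firewall; the ${...} names are presumably filled in by Shorewall when the command is run -- keep the single quotes`, would make that explicit (the substitution point is not in this diff, so confirm the wording before committing it). The same lines are added to the three-interfaces and two-interfaces samples.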
@@ -17,6 +17,6 @@ ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians -loc eth1 detect tcpflags,detectnets,nosmurfs +loc eth1 detect tcpflags,nosmurfs dmz eth2 detect #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff -Naur shorewall-3.4.4/Samples/three-interfaces/masq shorewall-3.4.5/Samples/three-interfaces/masq --- shorewall-3.4.4/Samples/three-interfaces/masq 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/three-interfaces/masq 2007-07-03 13:32:01.000000000 -0700 @@ -1,6 +1,6 @@ # # Shorewall version 3.4 - Sample Masq file for three-interface configuration. -# Copyright (C) 2006 by the Shorewall Team +# Copyright (C) 2006,2007 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -14,7 +14,7 @@ # For additional information, see http://shorewall.net/Documentation.htm#Masq # ############################################################################## -#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC MARK eth0 eth1 eth0 eth2 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff -Naur shorewall-3.4.4/Samples/three-interfaces/routestopped shorewall-3.4.5/Samples/three-interfaces/routestopped --- shorewall-3.4.4/Samples/three-interfaces/routestopped 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/three-interfaces/routestopped 2007-07-03 13:32:01.000000000 -0700 
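Review bot: Removing `detectnets` from the `loc eth1` line changes what the sample admits into the loc zone — as far as I understand the option, the zone previously covered only the networks routed via eth1 and now covers anything arriving on that interface — but the hunk carries no explanation and nothing else in this diff mentions the sample change. If the removal goes with the 3.4.5 change to routeback/detectnets broadcast handling (changelog item 7), a comment on the line, `# detectnets dropped in 3.4.5; see changelog item 7`, stops readers of the sample from re-adding it blindly. The same edit is made to the two-interfaces sample.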
@@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Routestopped File for three-interface configuration. +# Shorewall version 4.0 - Sample Routestopped File for three-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or diff -Naur shorewall-3.4.4/Samples/three-interfaces/rules shorewall-3.4.5/Samples/three-interfaces/rules --- shorewall-3.4.4/Samples/three-interfaces/rules 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/three-interfaces/rules 2007-07-03 13:32:01.000000000 -0700 @@ -1,6 +1,6 @@ # -# Shorewall version 3.4 - Sample Rules File for three-interface configuration. -# Copyright (C) 2006 by the Shorewall Team +# Shorewall version 4.0 - Sample Rules File for three-interface configuration. +# Copyright (C) 2006,2007 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -14,7 +14,7 @@ # For additional information, see http://shorewall.net/Documentation.htm#Rules # ############################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP # # Accept DNS connections from the firewall to the Internet diff -Naur shorewall-3.4.4/Samples/three-interfaces/shorewall.conf shorewall-3.4.5/Samples/three-interfaces/shorewall.conf --- shorewall-3.4.4/Samples/three-interfaces/shorewall.conf 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/three-interfaces/shorewall.conf 2007-07-03 13:32:01.000000000 -0700 
@@ -1,6 +1,6 @@ ############################################################################### # -# Shorewall version 3.4 - Sample shorewall.conf for three-interface +# Shorewall version 4.0 - Sample shorewall.conf for three-interface # configuration. # Copyright (C) 2006 by the Shorewall Team # @@ -28,6 +28,13 @@ VERBOSITY=1 ############################################################################### +# C O M P I L E R +# (setting this to 'perl' requires installation of Shorewall-perl) +############################################################################### + +SHOREWALL_COMPILER= + +############################################################################### # L O G G I N G ############################################################################### @@ -75,6 +82,8 @@ IPSECFILE=zones +LOCKFILE= + ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### @@ -85,6 +94,13 @@ QUEUE_DEFAULT="none" ############################################################################### +# R S H / R C P C O M M A N D S +############################################################################### + +RSH_COMMAND='ssh ${root}@${system} ${command}' +RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' + +############################################################################### # F I R E W A L L O P T I O N S ############################################################################### diff -Naur shorewall-3.4.4/Samples/three-interfaces/zones shorewall-3.4.5/Samples/three-interfaces/zones --- shorewall-3.4.4/Samples/three-interfaces/zones 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/three-interfaces/zones 2007-07-03 13:32:01.000000000 -0700 
@@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Zones File for three-interface configuration. +# Shorewall version 4.0 - Sample Zones File for three-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or diff -Naur shorewall-3.4.4/Samples/two-interfaces/interfaces shorewall-3.4.5/Samples/two-interfaces/interfaces --- shorewall-3.4.4/Samples/two-interfaces/interfaces 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/two-interfaces/interfaces 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Interfaces File for two-interface configuration. +# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or @@ -17,5 +17,5 @@ ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians -loc eth1 detect tcpflags,detectnets,nosmurfs +loc eth1 detect tcpflags,nosmurfs #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff -Naur shorewall-3.4.4/Samples/two-interfaces/masq shorewall-3.4.5/Samples/two-interfaces/masq --- shorewall-3.4.4/Samples/two-interfaces/masq 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/two-interfaces/masq 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Masq file for two-interface configuration. +# Shorewall version 4.0 - Sample Masq file for two-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or 
@@ -14,6 +14,6 @@ # For additional information, see http://shorewall.net/Documentation.htm#Masq # ############################################################################### -#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC MARK eth0 eth1 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff -Naur shorewall-3.4.4/Samples/two-interfaces/policy shorewall-3.4.5/Samples/two-interfaces/policy --- shorewall-3.4.4/Samples/two-interfaces/policy 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/two-interfaces/policy 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Policy File for two-interface configuration. +# Shorewall version 4.0 - Sample Policy File for two-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or diff -Naur shorewall-3.4.4/Samples/two-interfaces/routestopped shorewall-3.4.5/Samples/two-interfaces/routestopped --- shorewall-3.4.4/Samples/two-interfaces/routestopped 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/two-interfaces/routestopped 2007-07-03 13:32:01.000000000 -0700 @@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Routestopped File for two-interface configuration. +# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or diff -Naur shorewall-3.4.4/Samples/two-interfaces/rules shorewall-3.4.5/Samples/two-interfaces/rules --- shorewall-3.4.4/Samples/two-interfaces/rules 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/two-interfaces/rules 2007-07-03 13:32:01.000000000 -0700 
@@ -1,6 +1,6 @@ # -# Shorewall version 3.4 - Sample Rules File for two-interface configuration. -# Copyright (C) 2006 by the Shorewall Team +# Shorewall version 4.0 - Sample Rules File for two-interface configuration. +# Copyright (C) 2006,2007 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -14,9 +14,8 @@ # For more information, see http://www.shorewall.net/Documentation.htm#Rules # ############################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP -# PORT PORT(S) DEST LIMIT GROUP # # Accept DNS connections from the firewall to the network # diff -Naur shorewall-3.4.4/Samples/two-interfaces/shorewall.conf shorewall-3.4.5/Samples/two-interfaces/shorewall.conf --- shorewall-3.4.4/Samples/two-interfaces/shorewall.conf 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/two-interfaces/shorewall.conf 2007-07-03 13:32:01.000000000 -0700 @@ -1,7 +1,7 @@ ############################################################################### # -# Shorewall version 3.4 - Sample shorewall.conf for two-interface configuration. -# Copyright (C) 2006 by the Shorewall Team +# Shorewall version 4.0 - Sample shorewall.conf for two-interface configuration. +# Copyright (C) 2006,2007 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public 
@@ -27,6 +27,13 @@ VERBOSITY=1 ############################################################################### +# C O M P I L E R +# (setting this to 'perl' requires installation of Shorewall-perl) +############################################################################### + +SHOREWALL_COMPILER= + +############################################################################### # L O G G I N G ############################################################################### @@ -74,6 +81,8 @@ IPSECFILE=zones +LOCKFILE= + ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### @@ -84,6 +93,13 @@ QUEUE_DEFAULT="none" ############################################################################### +# R S H / R C P C O M M A N D S +############################################################################### + +RSH_COMMAND='ssh ${root}@${system} ${command}' +RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' + +############################################################################### # F I R E W A L L O P T I O N S ############################################################################### diff -Naur shorewall-3.4.4/Samples/two-interfaces/zones shorewall-3.4.5/Samples/two-interfaces/zones --- shorewall-3.4.4/Samples/two-interfaces/zones 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/Samples/two-interfaces/zones 2007-07-03 13:32:01.000000000 -0700 
@@ -1,5 +1,5 @@ # -# Shorewall version 3.4 - Sample Zones File for two-interface configuration. +# Shorewall version 4.0 - Sample Zones File for two-interface configuration. # Copyright (C) 2006 by the Shorewall Team # # This library is free software; you can redistribute it and/or diff -Naur shorewall-3.4.4/action.template shorewall-3.4.5/action.template --- shorewall-3.4.4/action.template 2007-07-13 10:31:22.000000000 -0700 +++ shorewall-3.4.5/action.template 2007-06-23 08:31:09.000000000 -0700 @@ -194,7 +194,25 @@ # #removed from Netfilter in kernel # #version 2.6.14). # +# MARK[!][/][:C]# +# +# Defines a test on the existing packet or connection +# mark. The rule will match only if the test returns +# true. +# +# If you don't want to define a test but need to specify +# anything in the following columns, place a "-" in this +# field. +# +# ! - Inverts the test (not equal) +# - Value of the packet or connection mark. +# - A mask to be applied to the mark before +# testing. +# :C - Designates a connection mark. If omitted, +# the packet mark's value is tested. This +# option is only supported by Shorewall-perl +# ############################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff -Naur shorewall-3.4.4/changelog.txt shorewall-3.4.5/changelog.txt --- shorewall-3.4.4/changelog.txt 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/changelog.txt 2007-07-13 07:49:01.000000000 -0700 
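Review bot: In the new MARK column text the two value bullets read `- Value of the packet or connection mark.` and `- A mask to be applied to the mark before testing.` with nothing in front of the dash, and the syntax line `MARK[!][/][:C]` has no placeholder for the value or the mask either, whereas the `!` and `:C` bullets do name theirs. This may be angle-bracketed placeholders lost in rendering rather than missing from the template, but if the file really reads this way the syntax line should name them, e.g. `MARK[!]<value>[/<mask>][:C]` (constructed example), and the two bullets should begin with `<value>` and `<mask>`. The same block is inserted into macro.template twice later in this diff, so any fix needs to land in all three places.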
@@ -1,3 +1,25 @@
+Changes in 3.4.5
+
+1) Add versioning to capabilities files.
+
+2) Improve compiler selection.
+
+3) Fix DYNAMIC_ZONES=Yes/BP zones.
+
+4) Make lib.tc work with Busybox.
+
+5) Don't allow 'Yes' and 'No' as values for IP_FORWARDING.\
+
+6) Get iptables-restore from the same directory as iptables.
+
+7) Pass limited bcast on 'routeback/detectnets' interfaces.
+
+8) Restore the 'hits' command.
+
+9) Correct IPSECFILE=ipsec processing.
+
+10) Restore missing 'done's.
+
 Changes in 3.4.4
 1) Apply Luigi's MARK patches.
diff -Naur shorewall-3.4.4/compiler shorewall-3.4.5/compiler
--- shorewall-3.4.4/compiler 2007-07-13 10:31:22.000000000 -0700
+++ shorewall-3.4.5/compiler 2007-07-08 19:34:15.000000000 -0700
@@ -1892,6 +1892,11 @@
 done
 fi
 else
+ if [ -n "$natrule" -a "$addr" = detect ]; then
+ save_command 'done'
+ save_command ''
+ fi
+
 if [ -n "$loglevel" -a -z "$natrule" ]; then
 log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
 $state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
@@ -1910,6 +1915,11 @@
 done
 done
 else
+ if [ -n "$natrule" -a "$addr" = detect ]; then
+ save_command 'done'
+ save_command ''
+ fi
+
 if [ -n "$loglevel" -a -z "$natrule" ]; then
 log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
 $state $(fix_bang $proto $sports $multiport $cli $dports)
@@ -1923,7 +1933,7 @@
 run_iptables2 -A $chain $state $proto $multiport $cli $sports \
 $dports $ratelimit $user $mrk -j $target
 fi
- elif [ -n "$serv" -a "$addr" = detect ]; then
+ elif [ -n "$natrule" -a -n "$serv" -a "$addr" = detect ]; then
 save_command 'done'
 save_command ''
 fi
@@ -4133,6 +4143,7 @@
 chain1=$(rules_chain $FW $zone)
 chain2=$(rules_chain $zone $FW)
+ chain3=$(rules_chain $zone $zone)
 eval complex=\$${zone}_is_complex
 eval type=\$${zone}_type
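Review bot: The closing `save_command 'done'` for the address loop is now emitted from three sites guarded by the same `[ -n "$natrule" -a "$addr" = detect ]` (the two new `if` blocks and the amended `elif`), and none of them says which loop it closes; the loop header and the enclosing function are outside this hunk, so a reader has to search the file to trust the pairing. A comment at each site, `# close the per-address loop opened when addr=detect and a NAT rule is being generated` (wording to be checked against the opening site), or a tiny helper that emits the two `save_command` calls, would make the three sites visibly the same thing. Changelog item 10 ("Restore missing done's") appears to be this change.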
@@ -4195,7 +4206,11 @@
 *.*.*.*|+*)
 if [ "$networks" != 0.0.0.0/0 ]; then
 if ! list_search $interface $need_broadcast ; then
- interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface"
+ if interface_has_option $interface detectnets; then
+ need_broadcast="$need_broadcast $interface"
+ iface=$(chain_base $interface)
+ eval need_bcast_$iface=\"$(match_source_hosts $networks)\"
+ fi
 fi
 fi
 ;;
@@ -4342,6 +4357,17 @@
 if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
 continue
 fi
+
+ if [ -n "$chain3" ]; then
+ for interface in $need_broadcast ; do
+ if interface_has_option $interface routeback; then
+ iface=$(chain_base $interface)
+ eval source=\"\$need_bcast_$iface\"
+ run_iptables -A $(forward_chain $interface) $source $(match_dest_dev $interface) -d 255.255.255.255 -j $chain3;
+ run_iptables -A $(forward_chain $interface) $source $(match_dest_dev $interface) -d 224.0.0.0/4 -j $chain3;
+ fi
+ done
+ fi
 else
 routeback=
 num_ifaces=0
@@ -4409,14 +4435,14 @@
 interface=${host%%:*}
 networks=${host#*:}
- chain3=$(forward_chain $interface)
+ chain4=$(forward_chain $interface)
 for host1 in $dest_hosts; do
 interface1=${host1%%:*}
 networks1=${host1#*:}
 if [ "$host" != "$host1" ] || list_search $host $routeback; then
- run_iptables2 -A $chain3 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
+ run_iptables2 -A $chain4 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
 fi
 done
 done
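Review bot: Both `run_iptables` lines in the new routeback loop end with a stray `;` before the newline, which does nothing in shell and does not match the surrounding style; drop them. The block also has no comment explaining why limited-broadcast (`255.255.255.255`) and multicast (`224.0.0.0/4`) traffic from the interface's own networks is steered into the intra-zone chain `$chain3`, which is what changelog item 7 describes; a one-liner above the `if [ -n "$chain3" ]`, `# detectnets + routeback: let broadcast/multicast from this interface's networks reach the zone-to-zone chain`, would tie the two hunks together. Note that `$source` is only populated by the `eval need_bcast_$iface=...` in the first hunk, for interfaces with detectnets, so an interface that reached `$need_broadcast` any other way would match every source address here — worth confirming that `$need_broadcast` is filled only there, since its other assignments are outside this diff.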
@@ -5691,16 +5717,8 @@ # # Start trace if first arg is "debug" # -debug='-w' - [ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; } -if [ "$PROFILE" ]; then - debug='-wd:DProf' -elif [ "$DEBUG" ]; then - debug='-wd' -fi - NOLOCK= [ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; } diff -Naur shorewall-3.4.4/fallback.sh shorewall-3.4.5/fallback.sh --- shorewall-3.4.4/fallback.sh 2007-07-13 10:31:22.000000000 -0700 +++ shorewall-3.4.5/fallback.sh 2007-07-13 09:32:57.000000000 -0700 @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=3.4.4 +VERSION=3.4.5 usage() # $1 = exit status { diff -Naur shorewall-3.4.4/install.sh shorewall-3.4.5/install.sh --- shorewall-3.4.4/install.sh 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/install.sh 2007-07-13 09:32:57.000000000 -0700 @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=3.4.4 +VERSION=3.4.5 usage() # $1 = exit status { @@ -369,7 +369,9 @@ # run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall/configfiles/params -if [ ! -f ${PREFIX}/etc/shorewall/params ]; then +if [ -f ${PREFIX}/etc/shorewall/params ]; then + chmod 0644 ${PREFIX}/etc/shorewall/params +else run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall/params echo "Parameter file installed as ${PREFIX}/etc/shorewall/params" fi 
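Review bot: The new `else` branch runs `chmod 0644 ${PREFIX}/etc/shorewall/params` on a params file that already exists, so an administrator's tighter mode (0600, say, which is a reasonable choice for a file that is presumably sourced by the shell) is silently widened to world-readable on every reinstall. If the intent is to repair earlier installs that left the file unreadable, a comment above the chmod saying so would help; if the intent is only to make sure it is not group/world-writable, `chmod go-w ${PREFIX}/etc/shorewall/params` does that without loosening anything. Either way the change deserves a line in the changelog hunk, which does not mention it.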
@@ -679,16 +681,14 @@
 cd manpages
-rm -f *.gz
-
 for f in *.5; do
- gzip $f
+ gzip -c $f > $f.gz
 run_install -D -m 0444 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
 echo "Man page $f.gz installed to /usr/share/man/man5/$f.gz"
 done
 for f in *.8; do
- gzip $f
+ gzip -c $f > $f.gz
 run_install -D -m 0444 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
 echo "Man page $f.gz installed to /usr/share/man/man8/$f.gz"
 done
diff -Naur shorewall-3.4.4/lib.base shorewall-3.4.5/lib.base
--- shorewall-3.4.4/lib.base 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/lib.base 2007-06-17 14:36:04.000000000 -0700
@@ -29,6 +29,7 @@
 #
 SHOREWALL_LIBVERSION=30404
+SHOREWALL_CAPVERSION=30405
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -1068,6 +1069,8 @@
 qt $IPTABLES -F fooX1234
 qt $IPTABLES -X fooX1234
+
+ CAPVERSION=$SHOREWALL_CAPVERSION
 }
 report_capabilities() {
@@ -1152,6 +1155,8 @@
 report_capability1 MANGLE_FORWARD
 report_capability1 COMMENTS
 report_capability1 ADDRTYPE
+
+ echo CAPVERSION=$SHOREWALL_CAPVERSION
 }
 #
diff -Naur shorewall-3.4.4/lib.cli shorewall-3.4.5/lib.cli
--- shorewall-3.4.4/lib.cli 2007-07-13 10:31:22.000000000 -0700
+++ shorewall-3.4.5/lib.cli 2007-06-28 11:21:28.000000000 -0700
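Review bot: `SHOREWALL_CAPVERSION=30405` sits next to `SHOREWALL_LIBVERSION=30404` with no comment on what the two numbers version or why they differ, and the later `CAPVERSION=$SHOREWALL_CAPVERSION` and `echo CAPVERSION=$SHOREWALL_CAPVERSION` lines are equally bare. A comment above the new constant, `# Version of the capability set; written into capabilities files and compared on load so that stale files are flagged`, would explain the mechanism (the comparison itself lives in lib.config in this diff, not here). The `echo` in report_capabilities adds a new `CAPVERSION=` key to every capabilities file, so anything that parses those files line by line now sees an unfamiliar key — worth spelling out in the changelog beyond "Add versioning to capabilities files".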
@@ -273,15 +273,22 @@
 # Save currently running configuration
 #
 save_config() {
+
+ local result=1
+
+ iptables_save=${IPTABLES}-save
+
+ [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
+
 if shorewall_is_started ; then
 [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
- echo " ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration"
+ echo " ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" >&2
 else
 case $RESTOREFILE in
 capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
- echo " ERROR: Reserved file name: $RESTOREFILE"
+ echo " ERROR: Reserved file name: $RESTOREFILE" >&2
 ;;
 *)
 validate_restorefile RESTOREFILE
@@ -323,30 +330,33 @@
 mv -f $f $RESTOREPATH
 chmod +x $RESTOREPATH
 echo " Current Ipset Contents Saved to $RESTOREPATH"
+ result=0
 ;;
 [Nn][Oo])
 ;;
 *)
- echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
+ echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved" >&2
 ;;
 esac
 else
 rm -f ${VARDIR}/restore-$$
- echo " ERROR: Currently-running Configuration Not Saved"
+ echo " ERROR: Currently-running Configuration Not Saved" >&2
 fi
 else
- echo " ERROR: ${VARDIR}/.restore does not exist"
+ echo " ERROR: ${VARDIR}/.restore does not exist" >&2
 fi
 else
- echo "Error Saving the Dynamic Rules"
+ echo "Error Saving the Dynamic Rules" >&2
 fi
 ;;
 esac
 fi
 else
- echo "Shorewall isn't started"
+ echo "Shorewall isn't started" >&2
 fi
+ return 0
+
 }
@@ -372,7 +382,7 @@
 # Show Command Executor
 #
 show_command() {
- local finished=0 local table=filter
+ local finished=0 local table=filter table_given=
 show_macro() {
 foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -417,6 +427,7 @@
 case $2 in
 mangle|nat|filter|raw)
 table=$2
+ table_given=Yes
 ;;
 *)
 fatal_error "Invalid table name ($s)"
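Review bot: The new pre-check in `save_config` prints `$iptables-save does not exist or is not executable` using `$iptables` (lower case, not set anywhere in the hunk) instead of `$iptables_save`, so the message will read "-save does not exist ..."; it also only warns and then carries on into the save. The new `local result=1` / `result=0` bookkeeping is never consulted — the function ends with an unconditional `return 0` — so callers still cannot tell a failed save from a successful one. Suggested lines: `[ -x $iptables_save ] || { echo "$iptables_save does not exist or is not executable" >&2; return 1; }` for the check and `return $result` in place of `return 0`; note that only the branch that saves ipset contents sets `result=0` (the `[Nn][Oo]` branch does not), so the assignment sites need revisiting before `return $result` is trustworthy. The middle of the function is outside this hunk.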
@@ -532,6 +543,19 @@
 echo "Default CONFIG_PATH is $CONFIG_PATH"
 echo "LITEDIR is $LITEDIR"
 ;;
+ chain)
+ shift
+ echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)"
+ echo
+ show_reset
+ if [ $# -gt 0 ]; then
+ for chain in $*; do
+ $IPTABLES -t $table -L $chain $IPT_OPTIONS
+ done
+ else
+ $IPTABLES -t $table -L $IPT_OPTIONS
+ fi
+ ;;
 *)
 if [ "$PRODUCT" = Shorewall ]; then
 case $1 in
@@ -575,14 +599,24 @@
 esac
 fi
- echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)"
- echo
- show_reset
 if [ $# -gt 0 ]; then
+ [ -n "$table_given" ] || for chain in $*; do
+ if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then
+ echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2
+ exit 1
+ fi
+ done
+
+ echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $HOSTNAME - $(date)"
+ echo
+ show_reset
 for chain in $*; do
 $IPTABLES -t $table -L $chain $IPT_OPTIONS
 done
 else
+ echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)"
+ echo
+ show_reset
 $IPTABLES -t $table -L $IPT_OPTIONS
 fi
 ;;
diff -Naur shorewall-3.4.4/lib.config shorewall-3.4.5/lib.config
--- shorewall-3.4.4/lib.config 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/lib.config 2007-07-03 07:26:05.000000000 -0700
@@ -291,6 +291,12 @@
 done
 FW=$zone
 ;;
+ bport|bport4)
+ [ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type"
+ list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
+ merge_zone
+ BRIDGING=Yes
+ ;;
 *)
 startup_error "Invalid Zone Type: $type"
 ;;
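Review bot: The `*)` branch now lists each requested chain twice — once through `qt $IPTABLES -t $table -L $chain $IPT_OPTIONS` purely to validate it, then again to print — and that validation is skipped entirely when a table was given (`[ -n "$table_given" ] ||`), so a bad chain name combined with `-t` still falls through to raw iptables output instead of the usage message. The new `chain)` case in the previous hunk duplicates the same header/`show_reset`/listing sequence. A small helper that runs `$IPTABLES -t $table -L $chain $IPT_OPTIONS` once and prints the usage line on failure, used by both branches, would remove the double listing and the `-t` asymmetry and keep the long usage string in one place. show_command begins outside this hunk.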
@@ -333,8 +339,20 @@
 wildcard=
 case $interface in
- *:*|+)
- startup_error "Invalid Interface Name: $interface"
+ *:*)
+ if [ "$PROGRAM" != compiler ]; then
+ #
+ # Assume that this is 4.0 syntax for a bridge
+ #
+ local bridge=${interface%:*}
+ list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge"
+ interface=${interface#*:}
+ else
+ startup_error "Invalid Interface Name: $interface"
+ fi
+ ;;
+ +)
+ startup_error "Invalid Interface Name: +"
 ;;
 *+)
 wildcard=Yes
@@ -486,6 +504,9 @@
 if [ -s ${TMP_DIR}/ipsec ]; then
 progress_message "$DOING ipsec..."
 [ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..."
+ f=ipsec
+ else
+ return
 fi
 ;;
 esac
@@ -1829,6 +1850,12 @@
 [ -f $f ] && . $f || startup_error "The -e flag requires a capabilities file"
 fi
+ if [ -n "$CAPVERSION" ]; then
+ [ $CAPVERSION -ge $SHOREWALL_CAPVERSION ] || error_message "WARNING: $f is out of date -- it does not contain all of the capabilities defined by Shorewall version $VERSION"
+ else
+ error_message "WARNING: $f may be not contain all of the capabilities defined by Shorewall version $VERSION"
+ fi
+
 ORIGINAL_POLICY_MATCH=$POLICY_MATCH
 ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
@@ -1841,7 +1868,7 @@
 if [ -n "$IP_FORWARDING" ]; then
 case "$IP_FORWARDING" in
- On|Off|Yes|No|Keep|on|off|yes|no|keep|ON|OFF|YES|NO|KEEP)
+ On|Off|Keep|on|off|keep|ON|OFF|KEEP)
 ;;
 *)
 startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
diff -Naur shorewall-3.4.4/lib.dynamiczones shorewall-3.4.5/lib.dynamiczones
--- shorewall-3.4.4/lib.dynamiczones 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/lib.dynamiczones 2007-06-19 15:57:17.000000000 -0700
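Review bot: The fallback warning in the new CAPVERSION block reads `$f may be not contain all of the capabilities ...` — it should say `may not contain`. In the same block `[ $CAPVERSION -ge $SHOREWALL_CAPVERSION ]` leaves `$CAPVERSION` unquoted, so a capabilities file carrying a non-numeric value makes `test` fail with its own error instead of the intended warning; `[ "$CAPVERSION" -ge "$SHOREWALL_CAPVERSION" ] 2>/dev/null || error_message ...` keeps the message path. `$f` is also reused from the preceding `if` without being reset, so when that branch was not taken the warning names whatever `$f` last held — the enclosing function starts outside this hunk, so confirm what that is.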
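Review bot: Dropping `Yes`/`No` from the accepted `IP_FORWARDING` values means a shorewall.conf that worked with 3.4.4 now aborts at startup with only `Invalid value (Yes) for IP_FORWARDING`, which does not tell the admin what to change it to. Extending the message, `startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING (use On, Off or Keep)"`, makes the break self-explanatory; the matching changelog entry (item 5) also carries a stray trailing backslash.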
@@ -119,6 +119,13 @@
 while read z type hosts; do
 if [ "$z" = "$zone" ]; then
+ case $type in
+ bport4:*)
+ rm -f ${VARDIR}/zones_$$
+ startup_error "Bridge Port zones may not be dynamically modified"
+ ;;
+ esac
+
 case "$hosts" in
 *exclude*)
 rm -f ${VARDIR}/zones_$$
diff -Naur shorewall-3.4.4/lib.tc shorewall-3.4.5/lib.tc
--- shorewall-3.4.4/lib.tc 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/lib.tc 2007-06-21 06:44:44.000000000 -0700
@@ -44,7 +44,7 @@
 local rateunit rate
 rate=$1
 rateunit=$( echo $rate | sed -e 's/[0-9]*//')
- rate=$( echo $rate | sed -e 's/[a-z]*//gi')
+ rate=$( echo $rate | sed -e 's/[a-zA-Z]*//g')
 case $rateunit in
 kbit|Kbit)
diff -Naur shorewall-3.4.4/macro.template shorewall-3.4.5/macro.template
--- shorewall-3.4.4/macro.template 2007-07-13 10:31:22.000000000 -0700
+++ shorewall-3.4.5/macro.template 2007-06-23 08:31:09.000000000 -0700
@@ -182,7 +182,24 @@
 # 2. In DNAT rules, only IP addresses are
 # allowed; no FQDNs or subnet addresses
 # are permitted.
-# 3. You may not specify both an interface and
+# 3. # MARK[!][/][:C]#
+#
+# Defines a test on the existing packet or connection
+# mark. The rule will match only if the test returns
+# true.
+#
+# If you don't want to define a test but need to specify
+# anything in the following columns, place a "-" in this
+# field.
+#
+# ! - Inverts the test (not equal)
+# - Value of the packet or connection mark.
+# - A mask to be applied to the mark before
+# testing.
+# :C - Designates a connection mark. If omitted,
+# the packet mark's value is tested. This
+# option is only supported by Shorewall-perl
+You may not specify both an interface and
 # an address.
 #
 # Like in the SOURCE column, you may specify a range of
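Review bot: The macro.template hunk inserts the MARK column description into the middle of numbered note 3, turning `# 3. You may not specify both an interface and` into `# 3. # MARK[!][/][:C]#` followed by a bare `You may not specify both an interface and` with no leading `#`; a macro file presumably treats any non-comment line as an entry, so a macro copied from this template would be rejected (or parsed as a garbage rule), and note 3 itself is now unreadable. The block belongs after the end of the note (after `# an address.`) as its own paragraph, with the original `# 3. You may not specify both an interface and` line restored unchanged. The same block is added a second time further down this file (the `-300` hunk), so one of the two copies is probably redundant.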
@@ -300,6 +317,24 @@ # #removed from Netfilter in kernel # #version 2.6.14). # +# MARK[!][/][:C]# +# +# Defines a test on the existing packet or connection +# mark. The rule will match only if the test returns +# true. +# +# If you don't want to define a test but need to specify +# anything in the following columns, place a "-" in this +# field. +# +# ! - Inverts the test (not equal) +# - Value of the packet or connection mark. +# - A mask to be applied to the mark before +# testing. +# :C - Designates a connection mark. If omitted, +# the packet mark's value is tested. This +# option is only supported by Shorewall-perl +# # A few examples should help show how Macros work. # # /etc/shorewall/macro.FwdFTP: @@ -358,6 +393,6 @@ # # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ +#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ MARK # PORT PORT(S) LIMIT GROUP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff -Naur shorewall-3.4.4/manpages/shorewall-accounting.5 shorewall-3.4.5/manpages/shorewall-accounting.5 --- shorewall-3.4.4/manpages/shorewall-accounting.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall-accounting.5 2007-07-15 16:55:42.000000000 -0700 @@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall-accounting 5 "17 June 2007" +.TH shorewall-accounting 5 "15 July 2007" .SH NAME accounting \- Shorewall Accounting file .SH SYNOPSIS diff -Naur shorewall-3.4.4/manpages/shorewall-actions.5 shorewall-3.4.5/manpages/shorewall-actions.5 --- shorewall-3.4.4/manpages/shorewall-actions.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall-actions.5 2007-07-15 16:55:42.000000000 -0700 
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-actions 5 "17 June 2007"
+.TH shorewall-actions 5 "15 July 2007"
 .SH NAME
 actions \- Shorewall action declaration file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-blacklist.5 shorewall-3.4.5/manpages/shorewall-blacklist.5
--- shorewall-3.4.4/manpages/shorewall-blacklist.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-blacklist.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-blacklist 5 "17 June 2007"
+.TH shorewall-blacklist 5 "15 July 2007"
 .SH NAME
 blacklist \- Shorewall Blacklist file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-ecn.5 shorewall-3.4.5/manpages/shorewall-ecn.5
--- shorewall-3.4.4/manpages/shorewall-ecn.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-ecn.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-ecn 5 "17 June 2007"
+.TH shorewall-ecn 5 "15 July 2007"
 .SH NAME
 ecn \- Shorewall ECN file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-exclusion.5 shorewall-3.4.5/manpages/shorewall-exclusion.5
--- shorewall-3.4.4/manpages/shorewall-exclusion.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-exclusion.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-exclusion 5 "17 June 2007"
+.TH shorewall-exclusion 5 "15 July 2007"
 .SH NAME
 exclusion \- Exclude a set of hosts from a definition in a shorewall configuration file.
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-hosts.5 shorewall-3.4.5/manpages/shorewall-hosts.5
--- shorewall-3.4.4/manpages/shorewall-hosts.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-hosts.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-hosts 5 "17 June 2007"
+.TH shorewall-hosts 5 "15 July 2007"
 .SH NAME
 hosts \- Shorewall file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-interfaces.5 shorewall-3.4.5/manpages/shorewall-interfaces.5
--- shorewall-3.4.4/manpages/shorewall-interfaces.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-interfaces.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-interfaces 5 "17 June 2007"
+.TH shorewall-interfaces 5 "15 July 2007"
 .SH NAME
 interfaces \- Shorewall interfaces file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-maclist.5 shorewall-3.4.5/manpages/shorewall-maclist.5
--- shorewall-3.4.4/manpages/shorewall-maclist.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-maclist.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-maclist 5 "17 June 2007"
+.TH shorewall-maclist 5 "15 July 2007"
 .SH NAME
 maclist \- Shorewall MAC Verification file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-masq.5 shorewall-3.4.5/manpages/shorewall-masq.5
--- shorewall-3.4.4/manpages/shorewall-masq.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-masq.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-masq 5 "17 June 2007"
+.TH shorewall-masq 5 "15 July 2007"
 .SH NAME
 masq \- Shorewall Masquerade/SNAT definition file
 .SH SYNOPSIS
@@ -132,6 +132,12 @@ If the \fBnodst:\fR option is included, then the same source address is used for a given internal system regardless of which remote system is involved. +.RS +\fBWarning\fR + +Support for the SAME target is scheduled for removal from +the Linux kernel in 2008. +.RE If you want to leave this column empty but you need to specify the next column then place a hyphen ("-") here. diff -Naur shorewall-3.4.4/manpages/shorewall-nat.5 shorewall-3.4.5/manpages/shorewall-nat.5 --- shorewall-3.4.4/manpages/shorewall-nat.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall-nat.5 2007-07-15 16:55:42.000000000 -0700 @@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall-nat 5 "17 June 2007" +.TH shorewall-nat 5 "15 July 2007" .SH NAME nat \- Shorewall one-to-one NAT file .SH SYNOPSIS diff -Naur shorewall-3.4.4/manpages/shorewall-nesting.5 shorewall-3.4.5/manpages/shorewall-nesting.5 --- shorewall-3.4.4/manpages/shorewall-nesting.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall-nesting.5 2007-07-15 16:55:42.000000000 -0700 @@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall-nesting 5 "17 June 2007" +.TH shorewall-nesting 5 "15 July 2007" .SH NAME Nesting \- Shorewall Nested Zones .SH SYNOPSIS diff -Naur shorewall-3.4.4/manpages/shorewall-netmap.5 shorewall-3.4.5/manpages/shorewall-netmap.5 --- shorewall-3.4.4/manpages/shorewall-netmap.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall-netmap.5 2007-07-15 16:55:42.000000000 -0700 
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-netmap 5 "17 June 2007"
+.TH shorewall-netmap 5 "15 July 2007"
 .SH NAME
 netmap \- Shorewall NETMAP definition file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-params.5 shorewall-3.4.5/manpages/shorewall-params.5
--- shorewall-3.4.4/manpages/shorewall-params.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-params.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-params 5 "17 June 2007"
+.TH shorewall-params 5 "15 July 2007"
 .SH NAME
 params \- Shorewall parameters file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-policy.5 shorewall-3.4.5/manpages/shorewall-policy.5
--- shorewall-3.4.4/manpages/shorewall-policy.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-policy.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-policy 5 "17 June 2007"
+.TH shorewall-policy 5 "15 July 2007"
 .SH NAME
 policy \- Shorewall policy file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-providers.5 shorewall-3.4.5/manpages/shorewall-providers.5
--- shorewall-3.4.4/manpages/shorewall-providers.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-providers.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-providers 5 "17 June 2007"
+.TH shorewall-providers 5 "15 July 2007"
 .SH NAME
 providers \- Shorewall Providers file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-proxyarp.5 shorewall-3.4.5/manpages/shorewall-proxyarp.5
--- shorewall-3.4.4/manpages/shorewall-proxyarp.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-proxyarp.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-proxyarp 5 "17 June 2007"
+.TH shorewall-proxyarp 5 "15 July 2007"
 .SH NAME
 proxyarp \- Shorewall Proxy ARP file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-rfc1918.5 shorewall-3.4.5/manpages/shorewall-rfc1918.5
--- shorewall-3.4.4/manpages/shorewall-rfc1918.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-rfc1918.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-rfc1918 5 "17 June 2007"
+.TH shorewall-rfc1918 5 "15 July 2007"
 .SH NAME
 rfc1918 \- Shorewall file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-route_rules.5 shorewall-3.4.5/manpages/shorewall-route_rules.5
--- shorewall-3.4.4/manpages/shorewall-route_rules.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-route_rules.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-route_rules 5 "17 June 2007"
+.TH shorewall-route_rules 5 "15 July 2007"
 .SH NAME
 route_rules \- Shorewall Routing Rules file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-routestopped.5 shorewall-3.4.5/manpages/shorewall-routestopped.5
--- shorewall-3.4.4/manpages/shorewall-routestopped.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-routestopped.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-routestopped 5 "17 June 2007"
+.TH shorewall-routestopped 5 "15 July 2007"
 .SH NAME
 routestopped \- The Shorewall file that governs what traffic flows through the firewall while it is in 'stopped' state.
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-rules.5 shorewall-3.4.5/manpages/shorewall-rules.5
--- shorewall-3.4.4/manpages/shorewall-rules.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-rules.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall-rules 5 "17 June 2007" +.TH shorewall-rules 5 "15 July 2007" .SH NAME rules \- Shorewall rules file .SH SYNOPSIS @@ -126,6 +126,12 @@ that the port may not be remapped and when multiple server addresses are listed, all requests from a given remote system go to the same server. +.RS +\fBWarning\fR + +Support for SAME is scheduled for removal from the +Linux kernel in 2008. +.RE .TP \fBSAME-\fR Advanced users only. diff -Naur shorewall-3.4.4/manpages/shorewall-tcclasses.5 shorewall-3.4.5/manpages/shorewall-tcclasses.5 --- shorewall-3.4.4/manpages/shorewall-tcclasses.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall-tcclasses.5 2007-07-15 16:55:42.000000000 -0700 @@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall-tcclasses 5 "17 June 2007" +.TH shorewall-tcclasses 5 "15 July 2007" .SH NAME tcclasses \- Shorewall file to define HTB classes .SH SYNOPSIS diff -Naur shorewall-3.4.4/manpages/shorewall-tcdevices.5 shorewall-3.4.5/manpages/shorewall-tcdevices.5 --- shorewall-3.4.4/manpages/shorewall-tcdevices.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall-tcdevices.5 2007-07-15 16:55:42.000000000 -0700 @@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall-tcdevices 5 "17 June 2007" +.TH shorewall-tcdevices 5 "15 July 2007" .SH NAME tcdevices \- Shorewall Traffic Shaping Devices file .SH SYNOPSIS diff -Naur shorewall-3.4.4/manpages/shorewall-tcrules.5 shorewall-3.4.5/manpages/shorewall-tcrules.5 --- shorewall-3.4.4/manpages/shorewall-tcrules.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall-tcrules.5 2007-07-15 16:55:42.000000000 -0700 
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-tcrules 5 "17 June 2007"
+.TH shorewall-tcrules 5 "15 July 2007"
 .SH NAME
 tcrules \- Shorewall Packet Marking rules file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-tos.5 shorewall-3.4.5/manpages/shorewall-tos.5
--- shorewall-3.4.4/manpages/shorewall-tos.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-tos.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-tos 5 "17 June 2007"
+.TH shorewall-tos 5 "15 July 2007"
 .SH NAME
 tos \- Shorewall Type of Service rules file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-tunnels.5 shorewall-3.4.5/manpages/shorewall-tunnels.5
--- shorewall-3.4.4/manpages/shorewall-tunnels.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-tunnels.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-tunnels 5 "17 June 2007"
+.TH shorewall-tunnels 5 "15 July 2007"
 .SH NAME
 tunnels \- Shorewall VPN definition file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall-zones.5 shorewall-3.4.5/manpages/shorewall-zones.5
--- shorewall-3.4.4/manpages/shorewall-zones.5 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall-zones.5 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall-zones 5 "17 June 2007"
+.TH shorewall-zones 5 "15 July 2007"
 .SH NAME
 zones \- Shorewall zone declaration file
 .SH SYNOPSIS
diff -Naur shorewall-3.4.4/manpages/shorewall.8 shorewall-3.4.5/manpages/shorewall.8
--- shorewall-3.4.4/manpages/shorewall.8 2007-07-13 10:31:23.000000000 -0700
+++ shorewall-3.4.5/manpages/shorewall.8 2007-07-15 16:55:42.000000000 -0700
@@ -1,5 +1,5 @@
 .\" -*- coding: us-ascii -*-
-.TH shorewall 8 "17 June 2007"
+.TH shorewall 8 "15 July 2007"
 .SH NAME
 shorewall \- Administration tool for Shoreline Firewall (Shorewall)
 .SH SYNOPSIS
@@ -23,7 +23,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBcheck\fR [\fB\-e\fR] [\fBdirectory\fR]
+[\-\fBoptions\fR] \fBcheck\fR [\fB\-e\fR] [\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory\fR]
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -39,7 +40,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBcompile\fR [\fB\-e\fR] [\fBdirectory\fR] \fBpathname\fR
+[\-\fBoptions\fR] \fBcompile\fR [\fB\-e\fR] [\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory\fR] \fBpathname\fR
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -71,7 +73,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBexport\fR [\fBdirectory1\fR] [\fBuser\fR@] \fBsystem\fR[ \fB:\fR \fBdirectory2\fR]
+[\-\fBoptions\fR] \fBexport\fR[\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory1\fR] [\fBuser\fR@] \fBsystem\fR[ \fB:\fR \fBdirectory2\fR]
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -120,7 +123,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBload\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR \fBroot\-user\-name\fR] [\fBdirectory\fR] \fBsystem\fR
+[\-\fBoptions\fR] \fBload\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR \fBroot\-user\-name\fR] [\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory\fR] \fBsystem\fR
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -152,7 +156,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBrefresh\fR
+[\-\fBoptions\fR] \fBrefresh\fR[\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}]
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -168,7 +173,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBreload\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR \fBroot\-user\-name\fR] [\fBdirectory\fR] \fBsystem\fR
+[\-\fBoptions\fR] \fBreload\fR [\fB\-s\fR] [\fB\-c\fR] [\fB\-r\fR \fBroot\-user\-name\fR] [\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory\fR] \fBsystem\fR
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -176,7 +182,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBrestart\fR [\fBdirectory\fR]
+[\-\fBoptions\fR] \fBrestart\fR[\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory\fR]
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -192,7 +199,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBsafe\-restart\fR [\fBdirectory\fR]
+[\-\fBoptions\fR] \fBsafe\-restart\fR [\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory\fR]
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -200,7 +208,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBsafe\-start\fR [\fBdirectory\fR]
+[\-\fBoptions\fR] \fBsafe\-start\fR[\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory\fR]
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -217,7 +226,7 @@
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
 [\-\fBoptions\fR] \fBshow\fR [\fB\-x\fR] [\fB\-t\fR
-{ \fBfilter\fR| \fBmangle\fR| \fBnat\fR| \fBraw\fR}] [\fBchain\fR]\&...
+{ \fBfilter\fR| \fBmangle\fR| \fBnat\fR| \fBraw\fR}] [[\fBchain\fR] \fBchain\fR \&...]
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -265,7 +274,8 @@
 \fBshorewall\fR \kx
 .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5)
 'in \n(.iu+\nxu
-[\-\fBoptions\fR] \fBstart\fR [\fB\-f\fR] [\fBdirectory\fR]
+[\-\fBoptions\fR] \fBstart\fR [\fB\-f\fR] [\fB\-C\fR
+{ \fBshell\fR| \fBperl\fR}] [\fBdirectory\fR]
 'in \n(.iu-\nxu
 .ad b
 .PP
@@ -289,7 +299,8 @@ \fBshorewall\fR \kx .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5) 'in \n(.iu+\nxu -[\-\fBoptions\fR] \fBtry\fR \fBdirectory\fR [\fBtimeout\fR] +[\-\fBoptions\fR] \fBtry\fR[\fB\-C\fR +{ \fBshell\fR| \fBperl\fR}] \fBdirectory\fR [\fBtimeout\fR] 'in \n(.iu-\nxu .ad b .PP @@ -297,7 +308,7 @@ \fBshorewall\fR \kx .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5) 'in \n(.iu+\nxu -[\-\fBoptions\fR] \fBversion\fR +[\-\fBoptions\fR] \fBversion\fR[\fB\-a\fR] 'in \n(.iu-\nxu .ad b .SH DESCRIPTION @@ -347,6 +358,9 @@ produced using the command \fBshorewall-lite show -f capabilities > capabilities\fR on a system with Shorewall Lite installed. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBclear\fR Clear will remove all rules and chains installed by Shorewall. @@ -366,7 +380,10 @@ of a configuration file named \fBcapabilities\fR which may be produced using the command \fBshorewall-lite show -f capabilities > capabilities\fR on a system with Shorewall Lite -installed +installed. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBdelete\fR The delete command reverses the effect of an earlier \fBadd\fR command. @@ -413,6 +430,9 @@ defaulted) directory is compiled to a file called firewall in that directory. If compilation succeeds, then firewall and firewall.conf are copied to \fIsystem\fR using scp. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBforget\fR Deletes /var/lib/shorewall/\fIfilenam\fRe and @@ -470,6 +490,9 @@ If \fB\-r\fR is included, it specifies that the root user on \fIsystem\fR is named \fIroot-user-name\fR rather than "root". + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBlogdrop\fR Causes traffic from the listed \fIaddress\fRes 
@@ -491,6 +514,9 @@ The rules involving the the black list, ECN control rules, and traffic shaping are recreated to reflect any changes made to your configuration files. Existing connections are untouched. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBreload\fR If \fIdirectory\fR is omitted, the current @@ -526,6 +552,9 @@ If \fB\-r\fR is included, it specifies that the root user on \fIsystem\fR is named \fIroot-user-name\fR rather than "root". + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBreset\fR All the packet and byte counters in the firewall are @@ -538,6 +567,9 @@ \fIdirectory\fR is included in the command, Shorewall will look in that \fIdirectory\fR first for configuration files. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBrestore\fR Restore Shorewall to a state saved using the \fBshorewall save\fR command. Existing connections @@ -557,6 +589,9 @@ configuration is restored from the saved configuration. If a directory is given, then Shorewall will look in that directory first when opening configuration files. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBsafe-start\fR Shorewall is started normally. You will then be prompted @@ -566,6 +601,9 @@ shorewall clear is performed for you. If a directory is given, then Shorewall will look in that directory first when opening configuration files. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBsave\fR The dynamic blacklist is stored in /var/lib/shorewall/save. 
@@ -580,17 +618,6 @@ arguments: .RS .TP -[ \fIchain\fR ] ... -The rules in each \fIchain\fR are -displayed ssing the \fBiptables --L\fR \fIchain\fR \fB-n -v\fR command. If no -\fIchain\fR is given, all of the chains in the -filter table are displayed. The \fB-x\fR option is passed directly through to -iptables and causes actual packet and byte counts to be -displayed. Without this option, those counts are abbreviated. -The \fB-t\fR option specifies the -Netfilter table to display. The default is \fBfilter\fR. -.TP \fBactions\fR Produces a report about the available actions (built-in, standard and user-defined). @@ -600,6 +627,22 @@ \fB-f\fR option causes the display to be formatted as a capabilities file for use with \fBcompile -e\fR. .TP +[ [ \fBchain\fR ] \fIchain\fR ... ] +The rules in each \fIchain\fR are +displayed using the \fBiptables +-L\fR \fIchain\fR \fB-n -v\fR command. If no +\fIchain\fR is given, all of the chains in the +filter table are displayed. The \fB-x\fR option is passed directly through to +iptables and causes actual packet and byte counts to be +displayed. Without this option, those counts are abbreviated. +The \fB-t\fR option specifies the +Netfilter table to display. The default is \fBfilter\fR. + +If the \fBt\fR option and the +\fBchain\fR keyword both omitted and any of the +listed \fIchain\fRs do not exist, a usage +message will be displayed. +.TP \fBclassifiers\fR Displays information about the packet classifiers defined on the system as a result of traffic shaping @@ -661,6 +704,9 @@ modified more recently than the files in /etc/shorewall. When \fB-f\fR is given, a \fIdirectory\fR may not be specified. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP \fBstop\fR Stops the firewall. All existing connections, except those 
@@ -687,9 +733,14 @@ the \fBstart\fR/\fBrestart\fR succeeds and a \fItimeout\fR is specified then a \fBclear\fR or \fBrestore\fR is performed after \fItimeout\fR seconds. + +The \fB\-C \fRoption determines which compiler to +use. See SHOREWALL_COMPILER in shorewall.conf(5). .TP -\fBversion\fR -Displays Shorewall's version. +version +Displays Shorewall's version. If the \fB\-a\fR +option is given, the version of Shorewall-shell and/or +Shorewall-perl is/are also displayed. .SH FILES /etc/shorewall/ .SH "SEE ALSO" diff -Naur shorewall-3.4.4/manpages/shorewall.conf.5 shorewall-3.4.5/manpages/shorewall.conf.5 --- shorewall-3.4.4/manpages/shorewall.conf.5 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/manpages/shorewall.conf.5 2007-07-15 16:55:42.000000000 -0700 @@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall.conf 5 "17 June 2007" +.TH shorewall.conf 5 "15 July 2007" .SH NAME shorewall.conf \- Shorewall global configuration file .SH SYNOPSIS @@ -664,6 +664,15 @@ command. Regardless of the setting of SAVE_IPSETS, if saved ipset contents are available then they will be restored by \fBshorewall restore\fR. .TP +\fBSHOREWALL_COMPILER={shell|perl}\fR +Added in Shorewall 3.4.2. Specifies the compiler to be used to +compile Shorewall configurations. The default is +\fBshell\fR which causes the classic Shorewall Bourne +shell based compiler to be used. A value of \fBperl\fR +requires that Shorewall-perl is installed and indicates that the +Perl based compiler should be used. This setting may be overridden +using the -C option (shorewall(8)) +.TP \fBSHOREWALL_SHELL=\fR[\fIpathname\fR] This option is used to specify the shell program to be used to run the Shorewall compiler and to interpret the compiled script. If diff -Naur shorewall-3.4.4/releasenotes.txt shorewall-3.4.5/releasenotes.txt --- shorewall-3.4.4/releasenotes.txt 2007-07-13 10:31:22.000000000 -0700 +++ shorewall-3.4.5/releasenotes.txt 2007-07-13 07:49:01.000000000 -0700 
@@ -1,4 +1,4 @@ -Shorewall 3.4.4 +Shorewall 3.4.5 Release Highlights 
@@ -28,144 +28,74 @@ /etc/shorewall/route_rules and reverses those changes when appropriate. -Problems corrected in 3.4.4: - -1) The commands "shorewall add " and "shorewall - delete " no longer produce spurious error - messages. - -2) The command "shorewall delete " now actually deletes - entries when it successfully completes. Previously, it would appear - to remove an entry, even when removing that entry should fail. - -3) Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging. - -4) When run as root, the 'shorewall load' and 'shorewall reload' - commands would fail if the LOGFILE setting in - /etc/shorewall/shorewall.conf specified a non-existant file. - -5) Entries in /etc/shorewall/tcrules that specify both a source and - destination port fail with the following diagnostic: - - iptables v1.3.3: multiport can only have one option - -6) Previously, Shorewall-lite did not allow DHCP traffic through an - interface when the interface was a bridge with 'dhcp' specified - unless there was a bridge on the administrative system with the - same name. - -7) SOURCE and DEST are now flagged as invalid zone name to avoid - problems with macros that use those names as keywords. - -8) Previously, Shorewall could *increase* the MSS under some - circumstances. This possibility is now eliminated, provided that - the system has TCPMSS match support (be sure to update your - capabilities files!). - -9) Firewall zone names other than 'fw' no longer cause a error when - IPSECFILE is not set or is set to 'ipsec'. - -10) The 'proxyarp' option on an interface was previously ignored when - the /etc/shorewall/proxyarp file was empty. - -11) Previously, if action 'a' was defined then the following - rule generated an error: - - a: z1 z2 ... - - The trailing ":" is now ignored. - -12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the - generated error messages referred to the rule as a DROP rule. 
- -13) The 'nolock' keyword was previously ignored on several - /sbin/shorewall[-lite] commands. - -Other changes in 3.4.4: - -1) The accounting, masq, rules and tos files now have a 'MARK' column - similar to the column of the same name in the tcrules file. This - column allows filtering by MARK value. - -2) The "shorewall show zones" command now flags zone members that have - been added using "shorewall add" by preceding them with a plus sign - ("+"). - - Example: - - Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007 - - fw (firewall) - net (ipv4) - eth0:0.0.0.0/0 - loc (ipv4) - br0:0.0.0.0/0 - eth4:0.0.0.0/0 - eth5:0.0.0.0/0 - +eth1:0.0.0.0/0 - dmz (ipv4) - eth3:0.0.0.0/0 - vpn (ipv4) - tun+:0.0.0.0/0 +Problems Corrected in 3.4.5. - In the above output, "eth1:0.0.0.0/0" was dynamically added to the - 'loc' zone. As part of this change, "shorewall delete" will only - delete entries that have been added dynamically. In earlier - versions, any entry could be deleted although the ruleset was only - changed by deleting entries that had been added dynamically. - -3) Eariler generations of Shorewall Lite required that remote root - login via ssh be enabled in order to use the 'load' and 'reload' - commands. - - Beginning with this release, you may define an alternative means - for accessing the remote firewall system. - - Two new options have been added to shorewall.conf: - - RSH_COMMAND - RCP_COMMAND - - The default values for these are as follows: - - RSH_COMMAND: ssh ${root}@${system} ${command} - RCP_COMMAND: scp ${files} ${root}@${system}:${destination} - - Shell variables that will be set when the commands are envoked are - as follows: - - root - root user. Normally 'root' but may be overridden using - the '-r' option. - - system - The name/IP address of the remote firewall system. - - command - For RSH_COMMAND, the command to be executed on the - firewall system. 
- - files - For RCP_COMMAND, a space-separated list of files to - be copied to the remote firewall system. - - destination - The directory on the remote system that the files - are to be copied into. - -4) You may now select the compiler to use on the command line using - the '-C' option. This option is available on the following - commands: - - check - compile - export - load - reload - restart - start - try - safe-start - save-restart - - Example: - - shorewall try -C perl . +1) DYNAMIC_ZONES=Yes can now coexist with Shorewall-perl's 'bport' + zones. Those zones themselves may not be dynamically modified but + the presence of bport zones no longer causes the 'shorewall add' + command to fail. + +2) Shorewall's internal traffic shaper once again works when the 'sed' + utility is provided by the Busybox package. + +3) Version 3.4.4 erroneously accepted the values On, Off, on, off, ON + and OFF for the IP_FORWARDING option. These values were treated + like 'Keep'. The listed values are now once again flagged as an + error. + +4) If 'routeback' and 'detectnets' were specified on an interface, + limited broadcasts (to 255.255.255.255) and multicasts were dropped + when forwarded through the interface. This could cause + broadcast-based and multicast applications to fail when running + through a bridge with 'detectnets'. + +5) The 'hits' command works once again. + +6) IPSECFILE=ipsec (either explicitly or defaulted) works + now. Previously, processing of the ipsec file was bypassed; often + with a confusing "missing file" message. + +7) If DETECT_DNAT_IPADDRS=Yes in shorewall.conf but you did't have conntrack + match support, then the generated script was missing 'done's. + +Other changes in 3.4.5. + +1) When a Shorewall release includes detection of an additional + capability, existing capabilities files become out of + date. Previously, this condition was not detected. 
+ + Beginning with this release, each generated capabilities file + contains a CAPVERSION specification which defines the capabilities + version of the file. If the CAPVERSION in a capabilities file is + less than the current CAPVERSION, then Shorewall will issue the + following message: + + WARNING: is out of date -- it does not contain all of + the capabilities defined by Shorewall version + + where + + is the name of the capabilities file. + is the current Shorewall version. + + Existing capabilities files contain no CAPVERSION. When such a file + is read, Shorewall will issue this message: + + WARNING: may be not contain all of the capabilities defined + by Shorewall version + +2) When a directory is specified in a command such as 'start' or + 'compile', Shorewall now reads the shorewall.conf file (if any) in + that directory before deciding which compiler to use. So if + SHOREWALL_COMPILER is not specified in + /etc/shorewall/shorewall.conf and the -C option was not specified + on the run-line, then if Shorewall-perl is installed, the additional + shorewall.conf file is read to see if it specifies a + SHOREWALL_COMPILER. + +3) The 'save' command now uses iptables-save from the same directory + containing iptables. Previously, iptables-save was located via the + PATH setting. Migration Considerations: 
@@ -943,3 +873,141 @@ Shorewall - /var/lib/shorewall/lock Shorewall Lite - /var/lib/shorewall-lite/lock +Problems corrected in 3.4.4: + +1) The commands "shorewall add " and "shorewall + delete " no longer produce spurious error + messages. + +2) The command "shorewall delete " now actually deletes + entries when it successfully completes. Previously, it would appear + to remove an entry, even when removing that entry should fail. + +3) Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging. + +4) When run as root, the 'shorewall load' and 'shorewall reload' + commands would fail if the LOGFILE setting in + /etc/shorewall/shorewall.conf specified a non-existant file. + +5) Entries in /etc/shorewall/tcrules that specify both a source and + destination port fail with the following diagnostic: + + iptables v1.3.3: multiport can only have one option + +6) Previously, Shorewall-lite did not allow DHCP traffic through an + interface when the interface was a bridge with 'dhcp' specified + unless there was a bridge on the administrative system with the + same name. + +7) SOURCE and DEST are now flagged as invalid zone name to avoid + problems with macros that use those names as keywords. + +8) Previously, Shorewall could *increase* the MSS under some + circumstances. This possibility is now eliminated, provided that + the system has TCPMSS match support (be sure to update your + capabilities files!). + +9) Firewall zone names other than 'fw' no longer cause a error when + IPSECFILE is not set or is set to 'ipsec'. + +10) The 'proxyarp' option on an interface was previously ignored when + the /etc/shorewall/proxyarp file was empty. + +11) Previously, if action 'a' was defined then the following + rule generated an error: + + a: z1 z2 ... + + The trailing ":" is now ignored. + +12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the + generated error messages referred to the rule as a DROP rule. 
+ +13) The 'nolock' keyword was previously ignored on several + /sbin/shorewall[-lite] commands. + +Other changes in 3.4.4: + +1) The accounting, masq, rules and tos files now have a 'MARK' column + similar to the column of the same name in the tcrules file. This + column allows filtering by MARK value. + +2) The "shorewall show zones" command now flags zone members that have + been added using "shorewall add" by preceding them with a plus sign + ("+"). + + Example: + + Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007 + + fw (firewall) + net (ipv4) + eth0:0.0.0.0/0 + loc (ipv4) + br0:0.0.0.0/0 + eth4:0.0.0.0/0 + eth5:0.0.0.0/0 + +eth1:0.0.0.0/0 + dmz (ipv4) + eth3:0.0.0.0/0 + vpn (ipv4) + tun+:0.0.0.0/0 + + In the above output, "eth1:0.0.0.0/0" was dynamically added to the + 'loc' zone. As part of this change, "shorewall delete" will only + delete entries that have been added dynamically. In earlier + versions, any entry could be deleted although the ruleset was only + changed by deleting entries that had been added dynamically. + +3) Eariler generations of Shorewall Lite required that remote root + login via ssh be enabled in order to use the 'load' and 'reload' + commands. + + Beginning with this release, you may define an alternative means + for accessing the remote firewall system. + + Two new options have been added to shorewall.conf: + + RSH_COMMAND + RCP_COMMAND + + The default values for these are as follows: + + RSH_COMMAND: ssh ${root}@${system} ${command} + RCP_COMMAND: scp ${files} ${root}@${system}:${destination} + + Shell variables that will be set when the commands are envoked are + as follows: + + root - root user. Normally 'root' but may be overridden using + the '-r' option. + + system - The name/IP address of the remote firewall system. + + command - For RSH_COMMAND, the command to be executed on the + firewall system. + + files - For RCP_COMMAND, a space-separated list of files to + be copied to the remote firewall system. 
+ + destination - The directory on the remote system that the files + are to be copied into. + +4) You may now select the compiler to use on the command line using + the '-C' option. This option is available on the following + commands: + + check + compile + export + load + reload + restart + start + try + safe-start + save-restart + + Example: + + shorewall try -C perl . diff -Naur shorewall-3.4.4/shorewall shorewall-3.4.5/shorewall --- shorewall-3.4.4/shorewall 2007-07-13 10:31:23.000000000 -0700 +++ shorewall-3.4.5/shorewall 2007-07-02 08:38:48.000000000 -0700 @@ -274,19 +274,16 @@ # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH # ensure_config_path - # - # Run the appropriate params file - # - [ -d /usr/share/shorewall-perl ] && set -a; - - run_user_exit params - set +a + compiler= + haveparams= if [ -n "$SHOREWALL_COMPILER" ]; then - compiler="$SHOREWALL_COMPILER" + compiler="$SHOREWALL_COMPILER" #Compiler specified in /etc/shorewall/shorewall.conf or on the run-line elif [ -x $sc ]; then - compiler=shell + if [ ! -x $pc ]; then + compiler=shell + fi elif [ -x $pc ]; then compiler=perl else 
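Review bot: In the rewritten selection chain, `elif [ -x $sc ]; then if [ ! -x $pc ]; then compiler=shell; fi` deliberately leaves `compiler` empty when both compilers are installed and defers to the block after this hunk, but nothing on that branch says so, and an `if` with no `else` reads like an omission. A comment on the branch, `# both compilers present: decided below after reading shorewall.conf`, would make the intent explicit, and the trailing `#Compiler specified in /etc/shorewall/shorewall.conf or on the run-line` would read better as a line of its own above the assignment. The `-x` tests use unquoted `$sc`/`$pc`; if either can ever be empty, `[ -x ]` succeeds vacuously, so `[ -x "$sc" ]` / `[ -x "$pc" ]` is worth the two characters. The if/elif chain continues past the end of the hunk.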
@@ -297,22 +294,35 @@ # # Both compilers installed. Read the appropriate shorewall.conf to learn the setting of SHOREWALL_COMPILER # - config=$(find_file shorewall.conf) - - if [ -f $config ]; then - if [ -r $config ]; then - progress_message "Processing $config..." - . $config + if [ -n "$SHOREWALL_DIR" ]; then + [ -x $pc ] && set -a + run_user_exit params + set +a + haveparams=Yes + + config=$(find_file shorewall.conf) + + if [ -f $config ]; then + if [ -r $config ]; then + progress_message "Processing $config..." + . $config + else + startup_error "Cannot read $config (Hint: Are you root?)" + fi else - startup_error "Cannot read $config (Hint: Are you root?)" + startup_error "$config does not exist!" fi - else - startup_error "$config does not exist!" fi # # And initiate the appropriate compiler # - [ -n "$SHOREWALL_COMPILER" ] && compiler="$SHOREWALL_COMPILER" + if [ -n "$SHOREWALL_COMPILER" ]; then + compiler="$SHOREWALL_COMPILER" + elif [ -x $sc ]; then + compiler=shell + else + compiler=perl + fi fi [ $command = exec ] || command= @@ -332,8 +342,17 @@ options="--verbose $VERBOSE "; [ -n "$EXPORT" ] && options="$options --export "; [ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "; - [ -n "$TIMESTAMP" ] && options="$options --timestamp" ; + [ -n "$TIMESTAMP" ] && options="$options --timestamp " ; + [ -n "$debugging" ] && options="$options --debug " ; [ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed" + # + # Run the appropriate params file + # + if [ -z "$haveparams" ]; then + set -a; + run_user_exit params + set +a + fi $command perl $debugflags $pc $options $@ ;; 
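Review bot: `. $config` in the new `-n "$SHOREWALL_DIR"` branch sources whatever `find_file` locates for the run-line directory as shell code with the caller's privileges (the hint text assumes root), and the only gate is `[ -r $config ]`; the `params` file run through `run_user_exit` just above it is executed the same way, now before a compiler has even been chosen. A comment making that trust assumption explicit would help, e.g. `# params and shorewall.conf are executed as shell: the directory named on the run-line must be as trusted as /etc/shorewall`. `$config` is also unquoted in the `-f`/`-r` tests and in the `.` command, so should find_file ever return an empty string both tests succeed vacuously and `.` fails with a bare "filename argument required" instead of the intended startup_error; `[ -f "$config" ]`, `[ -r "$config" ]` and `. "$config"` avoid that. The enclosing if/else block starts before this hunk.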
@@ -1292,7 +1311,7 @@ echo " restart [ -n ] [ -C {shell|perl} ] [ ]" echo " restore [ -n ] [ ]" echo " save [ ]" - echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones]" + echo " show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]" echo " start [ -f ] [ -n ] [ -C {shell|perl} ] [ ]" echo " stop" echo " status" @@ -1518,7 +1537,7 @@ case "$COMMAND" in start) - get_config No Yes + get_config Yes Yes shift start_command $@ ;; @@ -1529,22 +1548,22 @@ exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND ;; compile) - get_config + get_config Yes shift compile_command $@ ;; restart) - get_config No Yes + get_config Yes Yes shift restart_command $@ ;; refresh) - get_config No Yes + get_config Yes Yes shift refresh_command $@ ;; check) - get_config + get_config Yes shift check_command $@ ;; @@ -1559,12 +1578,12 @@ show_command $@ ;; load|reload) - get_config + get_config Yes shift reload_command $@ ;; export) - get_config + get_config Yes shift export_command $@ ;; @@ -1601,7 +1620,7 @@ dump_command $@ ;; hits) - get_config Yes + get_config Yes No Yes [ -n "$debugging" ] && set -x [ $# -eq 1 ] || usage 1 hits_command @@ -1611,7 +1630,7 @@ version_command $@ ;; try) - get_config + get_config Yes shift try_command $@ ;; @@ -1682,7 +1701,11 @@ save_config + result=$? + [ -n "$nolock" ] || mutex_off + + exit $result ;; forget) get_config @@ -1788,7 +1811,7 @@ usage ;; safe-restart|safe-start) - get_config + get_config Yes shift safe_commands $@ ;; diff -Naur shorewall-3.4.4/shorewall.spec shorewall-3.4.5/shorewall.spec --- shorewall-3.4.4/shorewall.spec 2007-07-13 10:31:22.000000000 -0700 +++ shorewall-3.4.5/shorewall.spec 2007-07-13 09:32:57.000000000 -0700 
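Review bot: The new usage line for `show` in the `@@ -1292` hunk still advertises `-t {filter|mangle|nat}`, while the `-t` parser in lib.cli later in this patch (`mangle|nat|filter|raw)`) and the updated shorewall-lite.8 synopsis both accept `raw`; the usage text added inline to show_command in lib.cli repeats the same three-table list. If shorewall's show command honours the same parser, the string should read `[ -t {filter|mangle|nat|raw} ]` in both places. The usage function continues outside this hunk.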
@@ -1,5 +1,5 @@ %define name shorewall -%define version 3.4.4 +%define version 3.4.5 %define release 1 %define prefix /usr @@ -260,6 +260,8 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Fri Jul 13 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.5-1 * Fri Jun 15 2007 Tom Eastep tom@shorewall.net - Updated to 3.4.4-1 * Tue Apr 17 2007 Tom Eastep tom@shorewall.net diff -Naur shorewall-3.4.4/uninstall.sh shorewall-3.4.5/uninstall.sh --- shorewall-3.4.4/uninstall.sh 2007-07-13 10:31:22.000000000 -0700 +++ shorewall-3.4.5/uninstall.sh 2007-07-13 09:32:57.000000000 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=3.4.4 +VERSION=3.4.5 usage() # $1 = exit status { diff -Naur -X /home/webadmin/shorewall/trunk/tools/build/exclude.txt shorewall-lite-3.4.4/fallback.sh shorewall-lite-3.4.5/fallback.sh --- shorewall-lite-3.4.4/fallback.sh 2007-07-13 10:31:30.000000000 -0700 +++ shorewall-lite-3.4.5/fallback.sh 2007-07-13 09:32:57.000000000 -0700 @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=3.4.4 +VERSION=3.4.5 usage() # $1 = exit status { diff -Naur -X /home/webadmin/shorewall/trunk/tools/build/exclude.txt shorewall-lite-3.4.4/install.sh shorewall-lite-3.4.5/install.sh --- shorewall-lite-3.4.4/install.sh 2007-07-13 10:31:30.000000000 -0700 +++ shorewall-lite-3.4.5/install.sh 2007-07-13 09:32:57.000000000 -0700 @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=3.4.4 +VERSION=3.4.5 usage() # $1 = exit status { diff -Naur -X /home/webadmin/shorewall/trunk/tools/build/exclude.txt shorewall-lite-3.4.4/lib.base shorewall-lite-3.4.5/lib.base --- shorewall-lite-3.4.4/lib.base 2007-07-13 10:31:30.000000000 -0700 +++ shorewall-lite-3.4.5/lib.base 2007-07-15 16:55:21.000000000 -0700 
@@ -29,6 +29,7 @@ # SHOREWALL_LIBVERSION=30404 +SHOREWALL_CAPVERSION=30405 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] @@ -1068,6 +1069,8 @@ qt $IPTABLES -F fooX1234 qt $IPTABLES -X fooX1234 + + CAPVERSION=$SHOREWALL_CAPVERSION } report_capabilities() { @@ -1152,6 +1155,8 @@ report_capability1 MANGLE_FORWARD report_capability1 COMMENTS report_capability1 ADDRTYPE + + echo CAPVERSION=$SHOREWALL_CAPVERSION } # diff -Naur -X /home/webadmin/shorewall/trunk/tools/build/exclude.txt shorewall-lite-3.4.4/lib.cli shorewall-lite-3.4.5/lib.cli --- shorewall-lite-3.4.4/lib.cli 2007-07-13 10:31:30.000000000 -0700 +++ shorewall-lite-3.4.5/lib.cli 2007-07-15 16:55:21.000000000 -0700 @@ -273,15 +273,22 @@ # Save currently running configuration # save_config() { + + local result=1 + + iptables_save=${IPTABLES}-save + + [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 + if shorewall_is_started ; then [ -d ${VARDIR} ] || mkdir -p ${VARDIR} if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then - echo " ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" + echo " ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" >&2 else case $RESTOREFILE in capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones) - echo " ERROR: Reserved file name: $RESTOREFILE" + echo " ERROR: Reserved file name: $RESTOREFILE" >&2 ;; *) validate_restorefile RESTOREFILE 
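Review bot: `SHOREWALL_CAPVERSION=30405` is introduced without any explanation of its encoding or of when it must change, although the two companion hunks make it the value recorded as `CAPVERSION=` in every generated capabilities file and, per the release notes in this patch, the value a stale file is compared against. A comment above it such as `# Capabilities-file version (MMmmpp): bump whenever a new capability is detected so that saved capabilities files are reported as out of date` would capture that rule next to the number; the LIBVERSION line just above uses the same encoding and would benefit from the same note. The function closed by the second hunk and report_capabilities both start before their hunks.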
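Review bot: The new check `[ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2` interpolates `$iptables` (lower-case, not defined anywhere visible) rather than `$iptables_save`, so the message will most likely read "-save does not exist ...", and it only warns before carrying on into the save path that presumably invokes `$iptables_save` further down. Suggest `[ -x $iptables_save ] || { echo "$iptables_save does not exist or is not executable" >&2; return 1; }`. `iptables_save` is also assigned without `local` although `result` beside it is, so it leaks into the caller's scope. The body of save_config continues past the hunk.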
@@ -323,30 +330,33 @@ mv -f $f $RESTOREPATH chmod +x $RESTOREPATH echo " Current Ipset Contents Saved to $RESTOREPATH" + result=0 ;; [Nn][Oo]) ;; *) - echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved" + echo " WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved" >&2 ;; esac else rm -f ${VARDIR}/restore-$$ - echo " ERROR: Currently-running Configuration Not Saved" + echo " ERROR: Currently-running Configuration Not Saved" >&2 fi else - echo " ERROR: ${VARDIR}/.restore does not exist" + echo " ERROR: ${VARDIR}/.restore does not exist" >&2 fi else - echo "Error Saving the Dynamic Rules" + echo "Error Saving the Dynamic Rules" >&2 fi ;; esac fi else - echo "Shorewall isn't started" + echo "Shorewall isn't started" >&2 fi + return 0 + } # @@ -372,7 +382,7 @@ # Show Command Executor # show_command() { - local finished=0 local table=filter + local finished=0 local table=filter table_given= show_macro() { foo=`grep 'This macro' $macro | sed 's/This macro //'` @@ -417,6 +427,7 @@ case $2 in mangle|nat|filter|raw) table=$2 + table_given=Yes ;; *) fatal_error "Invalid table name ($s)" @@ -532,6 +543,19 @@ echo "Default CONFIG_PATH is $CONFIG_PATH" echo "LITEDIR is $LITEDIR" ;; + chain) + shift + echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)" + echo + show_reset + if [ $# -gt 0 ]; then + for chain in $*; do + $IPTABLES -t $table -L $chain $IPT_OPTIONS + done + else + $IPTABLES -t $table -L $IPT_OPTIONS + fi + ;; *) if [ "$PRODUCT" = Shorewall ]; then case $1 in 
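Review bot: save_config now tracks `local result=1`, sets `result=0` only after the restore file has been written, and then ends with an unconditional `return 0`, so every failure branch that prints an ERROR still reports success; the last line should be `return $result`. This matters because the `save` case in the shorewall script (the `@@ -1682` hunk earlier in this patch) now does `result=$?` after `save_config` and exits with it, which with the current code is always 0, assuming that script is paired with this lib.cli. save_config's body starts before this hunk, so only its tail is visible here.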
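Review bot: `local finished=0 local table=filter table_given=` passes the word `local` as an argument to the first `local`, which declares a variable literally named `local` alongside `finished`; the pre-existing line had the same shape and the commit only appended `table_given=`. `local finished=0 table=filter table_given=` declares all three in one statement as intended. show_command continues well past this hunk.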
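Review bot: The heading in the new `chain)` case, `$([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)`, prints `Chains Chain ` when more than one chain is named, because `&&` and `||` have equal precedence and associate left to right: once `echo "Chains "` succeeds, `[ $# -gt 0 ]` is skipped but `echo "Chain "` still runs. The `@@ -575` hunk later in this file already replaces the same expression with a two-way form; the `chain)` case could compute the heading first, `if [ $# -gt 1 ]; then heading="Chains "; elif [ $# -gt 0 ]; then heading="Chain "; else heading="$table Table"; fi`, and then `echo "$PRODUCT $version ${heading}$* at $HOSTNAME - $(date)"`. The surrounding case statement continues past the hunk.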
@@ -575,14 +599,24 @@ esac fi - echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)" - echo - show_reset if [ $# -gt 0 ]; then + [ -n "$table_given" ] || for chain in $*; do + if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then + echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2 + exit 1 + fi + done + + echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $HOSTNAME - $(date)" + echo + show_reset for chain in $*; do $IPTABLES -t $table -L $chain $IPT_OPTIONS done else + echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)" + echo + show_reset $IPTABLES -t $table -L $IPT_OPTIONS fi ;; diff -Naur -X /home/webadmin/shorewall/trunk/tools/build/exclude.txt shorewall-lite-3.4.4/manpages/shorewall-lite.8 shorewall-lite-3.4.5/manpages/shorewall-lite.8 --- shorewall-lite-3.4.4/manpages/shorewall-lite.8 2007-07-13 10:31:30.000000000 -0700 +++ shorewall-lite-3.4.5/manpages/shorewall-lite.8 2007-07-15 16:55:44.000000000 -0700 @@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall-lite 8 "17 June 2007" +.TH shorewall-lite 8 "15 July 2007" .SH NAME shorewall-lite \- Administration tool for Shoreline Firewall Lite (Shorewall-lite) .SH SYNOPSIS @@ -137,7 +137,7 @@ .if (\nxu > (\n(.lu / 2)) .nr x (\n(.lu / 5) 'in \n(.iu+\nxu [\-\fBoptions\fR] \fBshow\fR [\fB\-x\fR] [\fB\-t\fR -{ \fBfilter\fR| \fBmangle\fR| \fBnat\fR| \fBraw\fR}] [\fBchain\fR]\&... +{ \fBfilter\fR| \fBmangle\fR| \fBnat\fR| \fBraw\fR}] [[\fBchain\fR] \fBchain\fR \&...] 'in \n(.iu-\nxu .ad b .PP 
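Review bot: The new existence probe terminates the whole process from inside a library function (`exit 1`) and does so with a hand-copied usage string that already drifts from the parser (`-t {filter|mangle|nat}` although the `-t` case above accepts `raw`); routing it through `fatal_error`, as the `Invalid table name` branch does, or through the script's usage helper would keep a single copy of that text. Each named chain is also listed twice, once quietly as the probe and again for output, which on a large ruleset doubles the iptables walks; capturing the quiet run's output, or simply letting the real `-L` fail and checking its status, avoids the second pass. show_command's case statement continues outside the hunk.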
@@ -351,21 +351,6 @@ arguments: .RS .TP -[ \fIchain\fR ] ... -The rules in each \fIchain\fR are -displayed ssing the \fBiptables --L\fR \fIchain\fR \fB-n -v\fR command. If no -\fIchain\fR is given, all of the chains in the -filter table are displayed. The \fB-x\fR option is passed directly through to -iptables and causes actual packet and byte counts to be -displayed. Without this option, those counts are -abbreviated. - -The \fB-t\fR option -designates the Netfilter table to be displayed. Without that -option, the \fBfilter\fR table is -assumed. -.TP \fBactions\fR Produces a report about the available actions (built-in, standard and user-defined). @@ -375,6 +360,22 @@ \fB-f\fR option causes the display to be formatted as a capabilities file for use with \fBcompile -e\fR. .TP +[ [ \fBchain\fR ] \fIchain\fR... ] +The rules in each \fIchain\fR are +displayed using the \fBiptables +-L\fR \fIchain\fR \fB-n -v\fR command. If no +\fIchain\fR is given, all of the chains in the +filter table are displayed. The \fB-x\fR option is passed directly through to +iptables and causes actual packet and byte counts to be +displayed. Without this option, those counts are abbreviated. +The \fB-t\fR option specifies the +Netfilter table to display. The default is \fBfilter\fR. + +If the \fBt\fR option and the +\fBchain\fR keyword both omitted and any of the +listed \fIchain\fRs do not exist, a usage +message is displayed. +.TP \fBclassifiers\fR Displays information about the packet classifiers defined on the system as a result of traffic shaping diff -Naur -X /home/webadmin/shorewall/trunk/tools/build/exclude.txt shorewall-lite-3.4.4/manpages/shorewall-lite.conf.5 shorewall-lite-3.4.5/manpages/shorewall-lite.conf.5 --- shorewall-lite-3.4.4/manpages/shorewall-lite.conf.5 2007-07-13 10:31:30.000000000 -0700 +++ shorewall-lite-3.4.5/manpages/shorewall-lite.conf.5 2007-07-15 16:55:44.000000000 -0700 
@@ -1,5 +1,5 @@ .\" -*- coding: us-ascii -*- -.TH shorewall-lite.conf 5 "17 June 2007" +.TH shorewall-lite.conf 5 "15 July 2007" .SH NAME shorewall-lite.conf \- Shorewall Lite global configuration file .SH SYNOPSIS diff -Naur -X /home/webadmin/shorewall/trunk/tools/build/exclude.txt shorewall-lite-3.4.4/shorewall-lite.spec shorewall-lite-3.4.5/shorewall-lite.spec --- shorewall-lite-3.4.4/shorewall-lite.spec 2007-07-13 10:31:30.000000000 -0700 +++ shorewall-lite-3.4.5/shorewall-lite.spec 2007-07-13 09:32:57.000000000 -0700 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 3.4.4 +%define version 3.4.5 %define release 1 %define prefix /usr @@ -99,6 +99,8 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Fri Jul 13 2007 Tom Eastep tom@shorewall.net +- Updated to 3.4.5-1 * Fri Jun 15 2007 Tom Eastep tom@shorewall.net - Updated to 3.4.4-1 * Tue Apr 17 2007 Tom Eastep tom@shorewall.net diff -Naur -X /home/webadmin/shorewall/trunk/tools/build/exclude.txt shorewall-lite-3.4.4/uninstall.sh shorewall-lite-3.4.5/uninstall.sh --- shorewall-lite-3.4.4/uninstall.sh 2007-07-13 10:31:30.000000000 -0700 +++ shorewall-lite-3.4.5/uninstall.sh 2007-07-13 09:32:57.000000000 -0700 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=3.4.4 +VERSION=3.4.5 usage() # $1 = exit status {